
Page 1: Assurance Report on Internal Controls… · Control Environment 8 7. Accountants’ Assurance Report 11 8. Control Procedures and Reporting Accountants’ Tests 16 Appendix 1 –

Assurance Report on Internal Controls

XPS Administration Limited (AAF 01/06 and ISAE 3402) for the period 1 January 2018 to 31 December 2018

December 2019


Contents

1. Executive Summary 1

2. Corporate Philosophy 2

3. Directors’ Report 4

4. Structure of the XPS Pensions Group 5

5. XPS Administration Business Structure 6

6. Control Environment 8

7. Accountants’ Assurance Report 11

8. Control Procedures and Reporting Accountants’ Tests 16

Appendix 1 – Reporting Accountants Engagement Letter 73


1. Executive Summary

This report has been produced in accordance with the principles established in ‘Assurance Reports on Internal Controls of service organisations made available to third parties’ issued as AAF 01/06 by the Institute of Chartered Accountants in England and Wales (‘AAF 01/06’) and the International Standard on Assurance Engagements 3402 (‘ISAE 3402’) issued by the International Auditing and Assurance Standards Board (‘IAASB’). XPS Pensions Group has adopted dual reporting under both AAF 01/06 and ISAE 3402.

XPS Pensions Group is a UK specialist in pensions actuarial, consulting and administration.

XPS Administration has over 600 staff in 12 offices around the UK providing services to over 400 trust-based schemes covering some 870,000 members. It has become a leading provider of quality-led pensions administration services in the marketplace.

This assurance report describes the control environment within which the administration business operated for the former Xafinity Consulting Limited offices in Belfast, Leeds and Reading, from 1 January 2018 to 31 December 2018.

XPS Administration provides client and member focused solutions for occupational pension schemes. Administration is our core business and we put the member first by focusing on accuracy and the member experience. The high quality, robustness and consistency of our administration services is widely recognised in the market and in July 2019, for the fifth time in six years, we were ranked first in Professional Pensions’ survey of Third Party Administrators. This survey provides independent confirmation that we continue to provide high quality services to our existing clients, as we invest in our people, our technology and our processes to support our future growth and development.

We continuously strive to find ways of improving the level of service delivered to our clients. Our strategy has been to focus on ensuring the delivery of high quality administration services, combined with a commercial proposition that represents value for money. Pensions Administration has become an increasingly complex occupation and whilst we have invested significantly in our technology and IT infrastructure, it is our belief that it is the quality of our people and the impact they have on the quality of interactions with pension scheme members which represents our key differentiator.

In support of our requirement to manage a quality controlled administration business, we operate within a robust governance structure which ensures a clear flow of information through the decision-making process. This enables us to react swiftly to regulatory change and stay at the forefront of developments in the industry.

David Watkins, Managing Director, XPS Administration

13 December 2019


2. Corporate Philosophy

Mission and Corporate Values

XPS Pensions Group is a UK-focused specialist in pensions actuarial, investment consulting and administration, providing a range of services and solutions to over 1,200 pension scheme clients. We also operate a defined contribution master trust, the National Pension Trust, and provide administration to SSASs and SIPPs.

> XPS Pensions Group employs 1,100+ people who work from 15 offices around the UK.

> We work with pension scheme trustees, sponsoring employers and pension scheme members, with schemes ranging in size from less than £20m in assets to multi-billion pound pension funds.

> We charge fixed fees for ongoing administration and advisory services combined with time-based fees for consulting advice and one-off projects. We work with clients on the basis of open-ended engagement letters. Many of the services we provide are essential, non-discretionary requirements for UK pension schemes, required on a repeating basis to a statutory timetable. As such, much of our revenue is independent of the economic cycle.

> 92% of our revenues are recurring and we have a loyal base of clients who have worked with us over many years.

> As the only UK pensions specialist listed on the FTSE we have the flexibility to not only think differently but to act differently.

> Our structure means that we make long term, transparent investment decisions that are for the good of our clients and their pension scheme members.

> Solely focused on the UK pensions market, we remain agile; able to react and innovate at pace with a perfect balance of scale and expertise. With no competing priorities or distractions it’s true to say that we are passionate about pensions. It’s all we do, nothing else.

> As the need to secure financial security in later life becomes increasingly important, XPS Pensions Group are changing the way that we think about pensions and the way that they are structured, managed, administered and delivered. We will constantly challenge the pensions industry to improve.

> Better schemes, information, technology and decisions. Better service expectations and ultimately, better outcomes for trustees, businesses and members.

> We are committed to challenging the expectations of our industry, our competitors, our clients and especially ourselves.

> Our clients trust us because we always put them first. We are reliable, we get things done, we simplify the complexity of the UK pensions market and we always do what we say we will.

> We are committed to help increase understanding, share knowledge, reduce risk, protect members, build long lasting relationships and reduce cost. We believe there is a better way.

Use of Technology

XPS Pensions Group is at the forefront of pensions administration in the development of both technology and process. Clients and scheme members can access up to date information and functionality over the web using our software. We integrate technology with business process through Electronic Data Management (EDM) and workflow technology, delivering cost effective services to clients.


Quality and Improvement

The continuous monitoring, review and improvement of processes is fundamental to XPS Pensions Group and the administration business and is carried out in a structured, controlled manner. Within the Pensions Administration area we have a governance structure, made up of a number of committees representing all areas of the administration business, who are responsible for delivering and managing technical development and training to our staff and top class administration to our clients.

XPS Administration is certified to the ISO 9001:2015 standard for the Belfast, Leeds and Reading offices (within the scope of this report) and we are working towards ISO27001:2013 for these offices by the end of Q1 2020.

Our Culture

Our culture is important to us and to the delivery of a quality service. Our refreshed values are below and they are embedded in everything we do. Our values and behaviour are aligned with the expectations of our people, clients and scheme members.



3. Directors’ Report

As Directors we are responsible for the identification of control objectives relating to customers’ assets and related transactions in the provision of pensions administration and associated Information Technology Services and the design, implementation and operation of the control procedures of XPS Pensions Group to provide reasonable assurance that the control objectives are achieved.

In carrying out those responsibilities we have regard not only to the interests of customers but also to those of the owners of the business and the general effectiveness and efficiency of the relevant operations.

All objectives as described in the Technical Release were relevant, with the following exceptions:

> 3.4 Scheme Documents (deeds, policies, contracts, booklets etc) are complete, up to date and securely held – XPS does not hold original documents on behalf of clients.

> 5.1 Contributions are received in accordance with scheme rules and relevant legislation – Responsibility for ensuring contributions are received in accordance with scheme rules and relevant legislation rests with trustees and employers.

> 7.5 Data Transmissions between the service organisation and its counterparties are complete, accurate, timely and secure – Encryption is applied uniformly to all data transmissions sent by XPS Pensions Group. XPS Pensions Group requests that all clients encrypt data they send to us and will agree a method of encryption, where required, on a client by client basis. If a client sends unencrypted data, XPS Pensions Group cannot confirm that the data received is complete, accurate, timely and secure, and therefore disapplies this control.

We have evaluated the effectiveness of XPS Pensions Group’s control procedures having regard to the Institute of Chartered Accountants in England and Wales Technical Release AAF 01/06 and the criteria for pensions administration set out therein.

We set out in this report a description of the relevant control procedures together with the related control objectives which operated during the period 1 January 2018 to 31 December 2018 and confirm that, except for the matters noted in the Reporting Accountants’ Assurance Report (and which have been responded to in the summary of exceptions):

> The report describes fairly the control procedures that relate to the control objectives referred to above which were in place;

> The control procedures described are suitably designed such that there is reasonable assurance that the specified control objectives would be achieved if the described control procedures were complied with satisfactorily; and

> The control procedures described were operating with sufficient effectiveness to provide reasonable assurance that the related control objectives were achieved during the specified period.

David Watkins, Managing Director

Signed on behalf of the XPS Administration Limited Board of Directors

13 December 2019


4. Structure of the XPS Pensions Group

The XPS Pensions Group is the largest pure pensions consultancy and the only listed pensions specialist in the UK market. We work with the trustees and sponsoring employers of UK pension schemes to deliver better outcomes for our clients. Our teams of actuaries, pensions specialists, investment consultants and administrators are dedicated to delivering excellence in customer service, clear advice and improved use of technology to facilitate effective decision-making by our clients and their pension scheme members.

Xafinity and some former Punter Southall businesses merged to form the XPS Pensions Group. Group revenues increased from £66m in 2018 to £110m in 2019, and our services continue to be widely recognised in the market for their high quality, robustness and consistency. XPS Administration now provides administration services to over 400 pension schemes with assets of over £72bn. Our client schemes range from 20 to 75,000 members, and in total we serve some 870,000 members.

The XPS Pensions Group comprises ‘sister’ subsidiaries, as shown in the following diagram, whose services complement and mutually benefit the rest of the Group.

Provides advice and support to pension scheme trustees and sponsoring employers across all areas of UK pension scheme management, including actuarial advice and long-term financial planning for schemes, through to member communications, advice on member option exercises and scheme benefit design.

Services including pensions administration, payroll services, pension scheme accounting, scam identification, de-risking projects and technical consultancy for a wide range of trust-based company pension schemes, including defined benefit (DB), defined contribution (DC), career average revalued earnings (CARE) and hybrid schemes.

Clear, independent advice to pension scheme trustees to enable them to make the optimum investment decisions for their scheme’s assets. Using financial modelling of different mixes of asset classes, we help clients to choose the right portfolio for their needs, to maximise returns and/or minimise their level of risk.

Specialist pensions advice and analysis during corporate events including helping clients who are buying, selling, restructuring or refinancing a business. We work for vendors, purchasers and other corporate entities, including private equity firms and hedge funds as well as pension scheme trustees.

We also provide:

> The National Pension Trust (NPT), a defined contribution master trust for employers offering full ‘Freedom and Choice’ capability, and

> SIPP and SSAS solutions to financial advisers under the Xafinity brand.


5. XPS Administration Business Structure

XPS Administration provides client focused administration solutions for occupational pension schemes. Our administration business provides a full range of pension administration services from 12 offices around the UK within a structured quality controlled environment.

Our team of pensions administration staff provide services to a wide range of trust-based pension schemes including: defined benefit, defined contribution, career average revalued earnings (CARE), hybrid and master trust schemes.

We seek to provide the highest levels of quality, and continuously strive to find ways of improving the level of service delivered to our clients. In July 2019 we were ranked first in Professional Pensions’ survey of Third Party Administrators for the fifth time in six years.

We use an individual scheme-based approach to administration, with one client team responsible for all aspects of our administration service. This ensures we focus on the needs of our clients and their scheme members, and that the quality controls we apply remain relevant and robust.

In support of our requirement to manage a quality controlled administration business we operate within a governance structure which ensures a clear flow of information throughout decision making processes. This enables us to react swiftly to regulatory change and stay at the forefront of developments in the industry.

For the purposes of this report the control environment, control objectives and control procedures are applied in a consistent manner in all significant respects across XPS Pensions Group’s Pensions Administration offices located in Belfast, Leeds and Reading and the supporting Information Technology (IT) functions at our IT provider’s sites.



XPS Administration – Governance

Operations Manager Group

• Information exchange

• Delegated decision making

• Consistent approach to delivery

• Idea sharing & debate

• Continuous improvement initiatives

• Feedback to AOC

Admin Services Group

• Review & develop quality control framework

• Technical and process analysis of legislative change

• Maintains standard letters and process guidance

• Technical training framework

• Providing support to administration teams via the resolution of specific queries

• Issuing of technical guides, training and awareness

Business Services Group

• Development and support for business applications

• Management of new business transition projects

• Project support for client teams

• Management of internal business change projects

• Production of management reporting information

• Business interface with IT infrastructure

CMT / ACS (Admin Consulting & Secretarial)

• Manage the commercial relationships with clients

• Interact with DB / DC Growth groups

• Ensure Client Management Team (‘CMT’) framework is applied for Full Service Contracts

• Work with the client teams to deliver shared objectives

• Provide consultancy advice where appropriate

• Liaise / work with Admin Services Group (ASG)

Risk Management Committee (RMC)

• Oversees risk management framework, including strategic risk

• Sets audit framework, both internal and external audits

• Oversees legal & regulatory framework

• Monitors compliance with legislation, regulation and internal policies

• Works with AOC & EXCO to ensure risks / issues raised and addressed

Administration Operations Committee (AOC)

• Responsible for the delivery of high quality services

• Constant oversight / intervention in relation to all aspects of delivery to clients

• Monitors resourcing levels and capacity planning

• Escalation of key business risks / issues to EXCO & RMC

• Staff development – via training & Study Sub-Committee

• Operational efficiency initiatives – via Efficiency Sub-Committee

• Monitors the delivery of agreed SLAs and agrees intervention actions

• Oversees continued compliance with legislation and regulation

XPS Administration Executive Committee (Admin EXCO)

• Sets business direction

• Key decision making

• Delivery of strategy, sets & monitors budgets & KPIs

• Approvals – resourcing decisions, all budget spending, changes to T&Cs

• Enforces continued compliance with legislation and regulation

• Agrees policy & considers response to risk & compliance issues

Information Security Steering Committee (ISSC)

• Oversight of the ISO accreditation – audit, review, decision making

XPS Administration Executive Board

• To replace Group Practice meetings

• Oversight

• Business governance

• Strategic review / direction

• Business development / Investment decisions


6. Control Environment

The Directors of XPS Pensions Group are committed to deploying a strong control environment throughout the company. This control environment for pension administration services is achieved through the following measures.

6.1 Risk Management

An effective Risk Management culture has been embedded throughout the organisation, with strong leadership and direction from Executive Management to ensure the reputations of clients and the company remain secure.

A risk management structure has been implemented across the administration business, led by the Administration Risk Management Committee, chaired by the Managing Director of XPS Administration. The Committee oversees the overall business risk strategy and reports to the XPS Executive Board. This Committee has implemented a risk management framework and risk policy to be used throughout the administration business. These, combined with an effective oversight and governance structure, ensure that the risks the organisation faces are identified in a timely manner and are effectively managed.

The committee members have been drawn from departments across the administration business and meet regularly, having responsibility for the following areas relating to administration:

> Risk management and reporting

> Internal and external audits

> Internal control framework

> Fraud prevention

> Business continuity and disaster recovery

> Compliance with legislation

> Complaints and errors

> Data protection and Information Security

> Training and development

> Contractual agreements

6.2 Business Continuity

Business Continuity Management (BCM) is integral to the risk management strategy of XPS Administration. The primary objective of our BCM is to ensure that critical business functions and processes are prioritised and can be recovered within predetermined timeframes in response to a major operational disruption. This ensures the continuity of our core services and safeguards the interests of all our stakeholders. Our BCM is aligned to ISO 22301 and industry good practice.

We have a Business Recovery Plan (BRP) that prioritises the recovery of critical processes and details the strategies and resources required to do so. This plan is updated annually or sooner to reflect business change.

6.3 Information Security

Information Security is fundamental to the risk management strategy of the organisation and we take the protection of our information assets and those of our clients very seriously.

XPS Pensions Group adopts a proactive approach to IT/Information Security. The Director of IT is responsible for managing IT/Information Security and has appointed an Information Security Manager to assist with the management of information security risks across the Group. Our Data Protection Manager is responsible for monitoring data confidentiality and ensuring compliance with the GDPR.

The Administration Risk Management Committee (RMC) has responsibility to the XPS Administration Board to ensure the Information Security framework is in place and working effectively. It is supported by the Information Security Steering Committee (ISSC).

The ISSC is responsible for monitoring Information Security performance on behalf of key stakeholders, and for ensuring that all IT systems and data handling are secured in line with current legislation, industry best practice and the ISO 27001 standard as applicable.

XPS Administration has deployed its own Information Security Management System (ISMS) based on ISO 27001:2013. This is supported by a comprehensive suite of Information Security policies, which provide staff with formal guidance on how we protect our information, along with an annual Information Security and Data Protection Awareness training programme. The policies and the controls documented within the suite are mandatory for all staff. These policies are reviewed and updated at least annually. XPS Administration in Belfast, Leeds and Reading are working towards full certification to ISO 27001 during 2020.


Information Security policies require that users must employ a complex password to access the Group’s systems and that they are forced to change their passwords at least every 60 days.
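The two settings in that sentence, a complexity requirement and a forced change at least every 60 days, are the kind of control a reporting accountant evidences by inspecting the directory's account data. The Python script below is an illustration added to this page; it is not XPS code and does not describe XPS systems. It audits a constructed account export against the 60-day rule and applies a complexity rule at set time. The export format, the account names, the "never expires" flag and the complexity rule itself (at least 12 characters drawing on at least three of four character classes) are all assumptions, since the report does not define "complex" or say where the policy is enforced. Two edge cases a tester should settle before reporting exceptions are handled explicitly: an account whose password is set never to expire bypasses the forced change regardless of its age, and a password set exactly 60 days before the reference date is still compliant because the change falls due that day.

```python
"""Evidence check for a password-age control (added illustration, not XPS code).

Audits a constructed account export against "forced change at least every 60 days"
and applies an assumed complexity rule for newly set passwords.
"""
import csv
import io
from datetime import date

MAX_PASSWORD_AGE_DAYS = 60  # figure taken from the control statement in the report

# Constructed sample export (hypothetical format and account names). A real
# export would come from the directory service that enforces the policy.
SAMPLE_EXPORT = """\
username,password_last_set,enabled,password_never_expires
a.smith,2018-11-20,true,false
b.jones,2018-09-01,true,false
svc_backup,2018-01-15,true,true
c.brown,2018-10-05,false,false
d.green,2018-11-01,true,false
"""


def parse_export(text):
    """Parse the CSV export into dicts with real dates and booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": row["username"],
            "password_last_set": date.fromisoformat(row["password_last_set"]),
            "enabled": row["enabled"].strip().lower() == "true",
            "password_never_expires": row["password_never_expires"].strip().lower() == "true",
        })
    return rows


def audit_password_age(records, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (username, age_in_days, reason) for each enabled account that
    breaches the forced-change rule as of the reference date.

    A 'never expires' account is reported even when its password is young,
    because the flag bypasses the forced change entirely. A password set
    exactly max_age_days ago is still compliant: the change is due that day.
    Disabled accounts are outside the control and are skipped.
    """
    exceptions = []
    for r in records:
        if not r["enabled"]:
            continue
        age = (as_of - r["password_last_set"]).days
        if r["password_never_expires"]:
            exceptions.append((r["username"], age, "never expires"))
        elif age > max_age_days:
            exceptions.append((r["username"], age, "age exceeds maximum"))
    return exceptions


def run_audit(export_text, as_of_iso):
    """Convenience wrapper: audit a CSV export as of an ISO date string."""
    return audit_password_age(parse_export(export_text), date.fromisoformat(as_of_iso))


def meets_complexity(password, min_length=12, min_classes=3):
    """Assumed complexity rule (the report does not define 'complex'): at least
    min_length characters drawing on at least min_classes of the four classes
    lower, upper, digit, other. Applied when a password is set, since stored
    passwords cannot be inspected after the fact."""
    if len(password) < min_length:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= min_classes


if __name__ == "__main__":
    # Reference date: the end of the period covered by the report.
    for user, age, reason in run_audit(SAMPLE_EXPORT, "2018-12-31"):
        print(f"{user}: {reason} ({age} days since last change)")
```

Run against the sample as of 31 December 2018, the audit reports b.jones (121 days) and svc_backup (never expires, 350 days) and passes d.green, whose password is exactly 60 days old; c.brown is disabled and out of scope. Re-running with an earlier reference date inside the period shows how the same export yields different evidence, which is why the reference date belongs in the working papers alongside the output.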

To ensure our service remains highly available and to enhance our business continuity capability, all systems and services are hosted at a Data Centre in London with a secondary/disaster recovery site outside of London. One of the main benefits is an improved application infrastructure platform that for some systems provides an enhanced level of availability, minimising any downtime and loss of data in the unlikely event of a major disaster.

6.4 IT Strategy

The effective use of IT is central to XPS Pensions Group’s approach to pension administration. The Director of IT is responsible for ensuring that XPS Pensions Group has a robust IT strategy sufficient to deliver a high quality service to our clients. Our aim is to be an industry leader in the use of technology.

XPS Pensions Group uses the Microsoft Office suite of programmes to support its operations. We use market leading technologies and we continue to explore new technological innovations to enhance the services we provide and to keep ourselves at the forefront of technological innovation within the pension administration industry.

Our third party IT providers are responsible for managing and maintaining the Group’s IT infrastructure, including implementation of initiatives to strengthen the overall core IT infrastructure to support the business functions, further enhance security and increase overall business flexibility and responsiveness; they work directly with the Director of IT.

6.5 Third Party Management

XPS operates a Third Party Management Policy which ensures that all information, systems and processing facilities are appropriately protected during interactions with third parties, ensuring that Confidentiality, Availability and Integrity requirements are maintained. The risks of engaging with third parties are formally assessed, documented and communicated, with security requirements being included within formal agreements as required, ensuring protection is provided throughout the third party management lifecycle.

Our policies ensure that all suppliers with physical or logical access to information classified as Private and Confidential are effectively managed.

Our processes ensure the following:

> Third parties are reviewed prior to any access to information being granted. Access is only granted if they can demonstrate they comply with the information security standards required by the XPS Pensions Group.

> Confidential information is protected when accessed, handled by, or transmitted to third parties.

> There is a standardised approach to identifying, communicating and managing risk introduced by third parties.

> Information Security incidents associated with third party access are identified and managed effectively. Third Party Management procedures and policies are under review as part of the merger.

We have been reviewing our Third Party Management strategy across the XPS Pensions Group during 2019, to ensure that our third party suppliers comply with the standards required by the XPS Pensions Group and our clients.

6.6 Training and Development Programme

XPS Pensions Group staff recruitment is conducted in accordance with clear formal policies and guidance on equal opportunities and diversity in the workplace. We have a defined policy on staff development, underpinned by competency based benchmarking. In support of this structure XPS Pensions Group maintains a dedicated and properly resourced training function which provides business needs training, including customer care, management skills and information technology support. Pensions Administration staff are encouraged to obtain professional and

6.7 Compliance

Our Administration Services Group (ASG) is a central team that assesses the impact of legislative change to identify any issues which impact on our clients and administration processes. Any new compliance requirements and process changes are communicated to all admin staff via regular technical updates and face-to-face discussions with Administration Managers. ASG also maintains a comprehensive intranet site which is accessible to all administrators, providing a reference source for technical materials as well as procedural guidance, standard letter templates and checklists. All of this ensures compliant processes and a consistent quality of administration.

Staff within XPS Administration are also supported at a group level by XPS Pensions Group Compliance and XPS Group Legal teams where required.

6.8 Information and Communication

Where our contractual obligations with our clients require it, we report on our performance against agreed standards through an administration report which is prepared for each trustee meeting.

The report includes details and commentary on various aspects of the running of their scheme, including the following:

> Financials, including contributions received and income and expenditure

> Trustee discretion exercised during the period

> Updated membership statistics

> Service level reports

> Complaints and compliments

> Details of data breaches

> Compliance with legislation

> Developments / changes within XPS

This report has been specifically designed to assist with the trustee governance requirements in accordance with legislation and the Pensions Regulator’s guidance.

6.9 Fraud Prevention

The XPS Pensions Group risk assessment includes an internal assessment of fraud risk. XPS Pensions Group employs a variety of accounting and internal control systems that are designed to prevent and detect fraud and error.

6.10 Controls

Control objectives, processes and control procedures for Pensions Administration.

XPS’s control objectives have been designed to provide assurance for the security, accuracy, completeness, timeliness and clarity of XPS’s pension administration processes. The control objectives fall under the following headings:

1. Accepting clients

2. Authorising and processing transactions

3. Maintaining financial and other records

4. Safeguarding assets

5. Monitoring compliance

6. Reporting to clients

7. Information technology

The processes and control procedures have been designed to show how XPS Administration achieves each of the control objectives.


7. Accountants’ Assurance Report

The Directors
XPS Administration Limited
Phoenix House
1 Station Hill
Reading
Berkshire
RG1 1NB

13 December 2019

Dear Directors

AAF01/06 and ISAE 3402 Type II Reporting Accountants’ Assurance Report

In accordance with our engagement letter dated 8 January 2019 (our “Engagement Letter”), we have examined the accompanying description at pages 16 to 72 of the controls in place at the service organisation called XPS Administration Limited (“XPS”) and carried out procedures to enable us to form an independent opinion on whether XPS’s management has fairly described the pension administration services throughout the specified period 1 January 2018 to 31 December 2018 (the “Description”), and on the design and operation of controls related to the control objectives stated in the Description. Our opinion is set out below and should be read and considered in conjunction with this report in full.

Use of report

This report is made solely for the use of the directors, as a body, of XPS, and solely for the purpose of reporting on the internal controls of XPS, in accordance with the terms of our engagement letter dated 8 January 2019 and attached as Appendix 1 (together with Additional Terms of Business appended thereon).

Our work has been undertaken so that we might report to the directors those matters that we have agreed to state to them in this report and for no other purpose. Our report must not be recited or referred to in whole or in part in any other document nor made available, copied or recited to any other party, in any circumstances, without our express prior written permission.

We permit the disclosure of this report, in full only, by the directors at their discretion to customers of XPS using XPS’ pension administration services (‘customers’), and to the auditors of such customers, to enable customers and their auditors to verify that a report by reporting accountants has been commissioned by the directors of XPS and issued in connection with the internal controls of XPS, and without assuming or accepting any responsibility or liability to customers or their auditors on our part.

To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the directors as a body and XPS for our work, for this report or for the conclusions we have formed.

Service organisation’s responsibilities

XPS is responsible for: preparing the Description and the accompanying statement set out on page 4, including the completeness, accuracy, and method of presentation of the Description and the statement; providing the services covered by the Description; specifying the criteria including the control objectives and stating them in the Description; identifying the risks that threaten the achievement of the control objectives; and designing and operating controls effectively to achieve the related control objectives stated in the Description.

The control objectives stated in the Description include the internal control objectives developed for service organisations as set out in the Institute of Chartered Accountants in England and Wales Technical Release AAF 01/06 “Assurance Reports on Internal Controls of Service Organisations Made Available to Third Parties” (“ICAEW Technical Release AAF 01/06”).

KPMG LLP
Audit
15 Canada Square
London E14 5GL
United Kingdom


Reporting accountants’ responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the Description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in that Description.

Framework applied

We conducted our engagement in accordance with International Standard on Assurance Engagements 3000 (Revised) (ISAE 3000) “Assurance Engagements Other than Audits or Reviews of Historical Financial Information” and ICAEW Technical Release AAF 01/06 and having regard to International Standard on Assurance Engagements 3402 (ISAE 3402) “Assurance Reports on Controls at a Service Organization”. Those standards require that we obtain sufficient, appropriate evidence on which to base our conclusion.

Our Independence and Quality Control

We comply with the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants and we apply International Standard on Quality Control (UK and Ireland) 1 “Quality Control for Firms that Perform Audits and Reviews of Historical Financial Information, and Other Assurance and Related Services Engagements”. Accordingly, we maintain a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements and professional standards (including independence, and other requirements founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour) as well as applicable legal and regulatory requirements.

Scope of work

Our work involved planning and performing procedures to obtain evidence about the presentation of the Description of the service organisation activities or system and the design and operation of those controls.

Our procedures included assessing the risks that the Description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the Description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the Description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organisation.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Inherent limitations

XPS’ Description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the service organisation activities that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organisation may not prevent or detect and correct all errors or omissions in processing or reporting transactions or identification of the function performed by the service organisation or system.

Our opinion is based on historical information and the projection to future periods of any evaluation of the fairness of the presentation of the description, or opinions about the suitability of the design or operating effectiveness of the controls would be inappropriate.

The relative effectiveness and significance of specific controls at XPS, and their effect on assessments of control risk at customers’ organisations are dependent on their interaction with the controls and other factors present at individual customer organisations. We have performed no procedures to evaluate the effectiveness of controls at individual customer organisations.


Opinion

Basis for Qualified Opinion

XPS Administration has stated in its Description of controls that management is responsible for implementing and managing access control mechanisms to help ensure that user access requests to the company’s network (provision/modification/revocation of access) are submitted and approved by a business representative to the Outsourced IT Provider’s service desk to help ensure that access to the pension administration systems is restricted to the appropriate personnel. During the specified period, we noted a number of exceptions related to the lack of evidence of submission and approval of network access requests by a business representative to the Outsourced IT Provider’s service desk. These exceptions have resulted in the non-achievement of the control objective 7.2 that states that “Logical access to computer systems, programs, master data, transactional data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques”.

Basis for Limitation of Scope

XPS Administration has stated in its Description of controls that there were no instances of Development and Implementation of new IT systems including data migrations or modification throughout the period from 1 January 2018 to 31 December 2018. As a result, there is a limitation of scope relating to the following criteria:

7.8 Development and Implementation of new systems, applications and changes to existing systems, applications and software, are authorised, tested, approved and implemented

7.9 Data migration or modification is authorised, tested and once performed, reconciled back to the source data

Whilst these criteria have been disclosed, the related controls have not been in operation within the controls system for the period of 1 January 2018 to 31 December 2018. For this reason, during the specified period, we have not performed any procedures to determine the fairness of presentation, suitability of design and operating effectiveness of these controls. Our opinion does not therefore extend to the aforementioned criteria and related controls. 

Qualified opinion

Our opinion, in all material respects, has been formed on the basis of the criteria including specified control objectives described in the directors’ statement on page 4. In our opinion, except for the matters described in the Basis for Qualified Opinion and the Basis for Limitation of Scope paragraphs:

(a) the Description on pages 16 to 72 fairly presents the pension administration activities that were designed and implemented throughout the period from 1 January 2018 to 31 December 2018;

(b) the controls related to the control objectives stated in the Description on pages 16 to 72 were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls operated effectively throughout the period from 1 January 2018 to 31 December 2018; and

(c) the controls that we tested were operating with sufficient effectiveness to provide reasonable assurance that the related control objectives stated in the Description were achieved throughout the period 1 January 2018 to 31 December 2018.

Description of test of controls

The specific controls tested and the nature, timing and results of those tests are listed on pages 16 to 72.

Subservice organisations

XPS uses pensions administration services of Equiniti Paymaster. XPS’s management description includes the relevant Equiniti Paymaster control system that was designed and implemented throughout the specified period and the aspects of the controls that may be relevant to a user organisation’s internal control, as it relates to an audit of financial statements. The control objectives were specified by the management of XPS.

Yours faithfully

KPMG LLP Chartered Accountants


Equiniti Pension Solutions is the trading name of Paymaster (1836) Limited. Registered Office: Sutherland House, Russell Way, Crawley, West Sussex, RH10 1UH. Registered in England and Wales No. 3249700. Paymaster (1836) Limited is authorised and regulated by the UK Financial Conduct Authority. Paymaster (1836) Limited is part of the Equiniti Group.

EP_LH_16_doc_11_14

McGrath 9th December 2019

To whom it may concern

Management Assertion by Equiniti (as outsource provider to XPS Administration)

The accompanying description has been prepared for XPS Administration who have used the Services of Equiniti in relation to their operations and their auditors who have a sufficient understanding to consider the description, along with other information including information about controls operated by XPS Administration themselves, when assessing the risks of material misstatements of XPS Administration controls.

Equiniti confirm that:

A. The accompanying description on pages 16 to 72 fairly represents payroll and accounting services through the period 1 January 2018 to 31 December 2018. The criteria used in making the assertion were that the accompanying description:

1. Presents how the system was designed and implemented, including:

• The types of services provided, including, as appropriate, classes of transactions processed;

• The procedures by which those transactions were initiated, recorded, processed, corrected as necessary and transferred to reports prepared for XPS Administration;

• The related accounting records, supporting information and specific accounts that were used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information was transferred to the reports prepared by XPS Administration;

• How the system dealt with significant events and conditions, other than transactions;

• The process used to prepare reports for XPS Administration;

• Relevant control objectives and controls designed to achieve those objectives;

• by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by themselves alone;

• Other aspects of our control environment, risk assessment process, information system (including the related business processes) and communication, control activities and monitoring controls that were relevant to processing and reporting XPS Administration transactions.


2. Includes relevant details of changes to the service organisation’s system during the period 1 January 2018 to 31 December 2018.

3. Does not omit or distort information relevant to the scope of the systems being described, whilst acknowledging that the description is prepared to meet common needs of XPS Administration and their auditors and may not, therefore, include every aspect of the system that XPS Administration may consider important in its own particular environment.

B. The controls related to the control objectives stated in the accompanying description were suitably designed and operated effectively throughout the period 1 January 2018 to 31 December 2018.

The criteria used in making this assertion were that:

1. The risks that threatened achievement of the control objectives stated in the description were identified;

2. The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved; and

3. The controls were consistently applied as designed, including that manual controls were applied by individuals who have the appropriate competence and authority, throughout the period 1 January 2018 to 31 December 2018.

Signed on behalf of Equiniti (as outsourced provider to XPS Administration)

Service Delivery Director


8. Control Procedures and Reporting Accountants’ Tests

1. Accepting Clients

1.1 Accounts are set up and administered in accordance with client agreements and applicable regulations.

Control activity and description | Testing performed by KPMG LLP and results

1.1.1 Process An Implementation Team is set up to manage the take on of a new Client. The team is sponsored by a representative from Senior Management and is managed by a dedicated Project Manager. A Project Board is established to oversee the implementation. The Implementation Team is made up from representatives from various pension services areas (consulting, administration, actuarial) depending on the services to be delivered to the Client, ensuring there is the required knowledge to undertake the project tasks. The project is structured into a number of individual work streams, each with specific deliverables and objectives. The project is managed according to a formal Project Plan. The Implementation Project Manager tracks the milestones to verify that they are completed on time and to a standard agreed with the Client and provides regular progress reports to the Project Board and Client.

Control At least monthly (or as specifically agreed with the Client) the Project Board monitors the progress of the approved Project Plan. Any issues relating to progress are discussed with the Implementation Project Manager and the Client. Meeting minutes, including any agreed actions, are taken and distributed to all meeting participants and retained on file by the Implementation Project Manager.

For a selection of new clients, inspected Project Board minutes for evidence of monthly monitoring or monitoring in accordance with a frequency agreed with the client of progress of plan and recording of actions required.

No exceptions noted.

1.1.2 Process During the implementation process the Implementation Project Manager uses the New Scheme Implementation document, which includes the Project Initiation Document (PID), Project Plan and Control Sheets, to obtain sign off from the business that the Scheme has been fully implemented. By signing the New Scheme Implementation documentation and the Project Initiation Document, the business confirms that it has a complete understanding of the Scheme and can deliver services according to the Client Agreement and Regulatory and Legislative requirements.

Control Acceptance of Client set up details and any additional actions required after the go-live date are approved by the Administration Manager/s by signing off the New Scheme Implementation documentation. The signed document is retained by the Implementation Project Manager in the Scheme Implementation File.

For a selection of new clients, inspected the Implementation Control Sheet for evidence of sign off by the Administration Manager.

No exceptions noted.


1.1.3 Process Acceptance of Client set up details and any additional actions required after the go-live date are approved by the Administration Manager/s by signing off the New Scheme Implementation documentation. The signed document is retained by the Implementation Project Manager in the Scheme Implementation File. (Control 1.1.3)

Control The Administration Team Leader/Manager discusses and agrees Performance/Competency/Gaps/Objectives with staff at their quarterly review meetings. This is to confirm that staff have the qualifications, skills and competencies required to administer the scheme. The Team Members’ Objectives and Personal Development Action Plan is uploaded to the HR intranet by the Team Leader/Manager conducting the review as evidence of completion. Copies of the Objectives and Personal Development Action Plan are retained within the Intranet as evidence of review.

For a selection of staff and quarters, inspected the Objectives and Personal Development Action plan for evidence of completion by the Team Leader/Manager.

No exceptions noted.

1.1.4 Process Any actions relating to the implementation that remain outstanding at the commencement of the administration services are monitored and resolved by the Project Manager.

Controls The Implementation Project Manager monitors and resolves any additional actions required after go live that were identified in control 1.1.2. Resolution of these actions is recorded in the Scheme Implementation File.

For a selection of new clients, inspected the Scheme Implementation File for evidence of resolution of any additional actions required after the go live date.

No exceptions noted.

1.2 Complete and authorised client agreements are operative prior to initiating administration activity

Control activity and description | Testing performed by KPMG LLP and results

1.2.1 Process Client Agreements are prepared for all new Clients setting out scope and terms of services, including service levels, prior to the commencement of administration services. This includes any delegation of Trustee discretions previously agreed with the Trustee.

Control Client agreements documenting all discretionary powers to be exercised by XPS Administration on behalf of the Trustees and terms of services, including service levels, are signed off by a member of the XPS Administration board, and by an authorised client representative.

Enquired of management whether any instances of Client Agreements being prepared, in advance of administration services commencing, occurred during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.

1.2.2 Process Amendments to Client Agreements after administration services commence are negotiated through a formal Change Management Process, with each amendment signed off by a XPS Administration Director and an authorised Client Representative.

Control Where a Client agreement is not in place when administration services commence, a Letter Of Appointment is signed by a XPS Administration Director and an authorised Client Representative.

For a selection of new clients, where a Client agreement was not in place when administration services commenced, inspected the Letter of Appointment for sign off by an XPS Administration Director and authorised client representative.

No exceptions noted.


1.2.3 Process Any amendments to the Client Agreement once administration services have commenced are managed through a formal Change Management Process. Client Agreements, letters of Appointment and amendments to Client Agreements are all approved by XPS Administration and an authorised Client Representative.

Control Amendments to Client Agreements after administration services commence are negotiated through a formal Change Management Process, with each amendment signed off by a XPS Administration Director and an authorised Client Representative.

Enquired of management whether any instances of amendments to Client Agreements occurred during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.

1.3 Pension schemes taken on are properly established in the system in accordance with the scheme rules and individual elections

Control activity and description | Testing performed by KPMG LLP and results

1.3.1 Process As part of the Implementation Project, Scheme data is audited, with any queries being raised with the previous Scheme Administrator and/or the Trustees. The data is analysed using a data migration tool, which generates reports that identify any gaps or errors in the data received.

Control Prior to commencement of administration services, the Systems Support Analyst reconciles Scheme data provided by the previous Administrator to Compendia and raises any exceptions regarding missing or incorrect data with the previous Administrator or with the Trustees. Reports generated by the data audit, along with correspondence to resolve any data gaps or errors, are held centrally on the Scheme Implementation File and include sign off on the Validation Control Sheet.

For a selection of new clients, inspected that reconciliations of Scheme data provided by the previous administrator against Compendia were performed by a Systems Support Analyst and that any exceptions were raised with the Trustees. Inspected reports generated by the data audit as well as correspondence resolving data gaps and errors.

No exceptions noted.

1.3.2 Process As part of the Implementation Project, Scheme data is audited, with any queries being raised with the previous Scheme Administrator and/or the Trustees. The data is analysed using a data migration tool, which generates reports that identify any gaps or errors in the data received.

Control Scheme data reconciliations and correspondence relating to the follow up of any gaps or errors identified are verified by the Implementation Project Manager and evidenced by sign off on the Implementation Control Sheet. Copies of the reconciliation are retained on the Scheme Implementation File. A Data Quality Report, which carries out checks across the data looking for gaps and inconsistencies, is prepared by the Project Team and issued to the Scheme Trustees/Company.

Enquired of management of any instances of Scheme data gaps or errors during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.


1.3.3 Process For DB Schemes, automated benefit calculations are tested before being released into the live environment. This is done by comparing the previous year’s benefit statement results, as provided by the Client and/or the previous Administrator, and preparing worked calculation examples based on pro formas signed off by the Scheme Actuary as being correct, loading the calculations into Compendia, running them and comparing the results against the worked examples and the previous year’s benefit statement results.

Control The Systems Support Analyst and Pensions Technical Analyst verify that, where the Actuary is in-house, pro formas are approved by the Scheme Actuary and this is recorded by email. If requested by the Client, where Actuarial services are carried out by a third party, either the Scheme Representative or Trustees are asked to review and sign off the pro formas. Copies of the signed off pro formas are retained on the Scheme Implementation File.

Enquired of management whether any instances of pro forma benefit calculations requiring approval by the Scheme Actuary occurred during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.

1.3.4 Process For DB Schemes, automated benefit calculations are tested before being released into the live environment. This is done by comparing the previous year’s benefit statement results, as provided by the Client and/or the previous Administrator, and preparing worked calculation examples based on pro formas signed off by the Scheme Actuary as being correct, loading the calculations into Compendia, running them and comparing the results against the worked examples and the previous year’s benefit statement results.

Control The Systems Support Analyst and Pensions Technical Analyst validate DB calculation routines in Compendia against signed off benefit calculation pro formas to verify their accuracy. Once verified, the Project Manager or Pensions Technical Analyst signs off the benefit calculation specification document. Copies of the benefit calculation specification document are retained on the Scheme Implementation File.

Enquired of management whether any instances of automatic benefit calculations occurred during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.

1.3.5 Process For DC schemes, member investment options are established in Compendia to match what was recorded in the previous administrator’s system.

Control Prior to commencement of the Administration services, the Systems Support Analyst reconciles the scheme investment instruction data provided by the previous Administrator to Compendia and investigates any exceptions regarding mismatched or missing data with the previous Administrator or with the Trustees. Reports generated from the reconciliation, along with correspondence to resolve any data gaps or errors, are held on the Scheme Implementation File. Unit fund holding totals on Compendia are also reconciled to unit fund holding totals confirmed by the Investment Manager. Any differences are communicated to the Trustees for their view on a resolution and copies of any correspondence are retained on the Scheme Implementation File.

Enquired of management whether any instances of new DC Schemes occurred during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.


1.3.6 Process For DC Schemes, Member lifestyle investment options are established in Compendia to match the rules and what was recorded in the previous Administrator’s system.

Control Prior to a Scheme going live, the Systems Support Analyst verifies Member lifestyle options in Compendia against the lifestyle options held by the previous Administrator. In addition, the Systems Support Analyst runs a monthly lifestyle task on a test database to validate that lifestyle switches are made in accordance with the Client’s lifestyle investment matrix. Once complete, the Systems Support Analyst confirms, in writing, to the Project Manager and the Administration Team that the lifestyle task has been run in accordance with the rules and against what was carried out by the previous Administrator. Confirmation is retained, along with the follow up of any resulting queries and their resolution, on the Scheme Implementation File.

Enquired of management whether any instances of new DC Schemes occurred during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.

2. Authorising and Processing Transactions

2.1 Contributions to defined contribution plans, defined benefit schemes, or both, and transfers of members’ funds between investment options are processed accurately and in a timely manner.

Control activity and description | Testing performed by KPMG LLP and results

2.1.1 Process The DC Investment Cycle Processing Checklist is used as a guide to control the DC contribution process along with the investment cycle workflow in Compendia.

Control On a monthly basis the DC Administration Team uses the DC Investment Cycle Processing Checklist and the investment cycle workflow as a guide to contribution processing. Each applicable step on the Checklist is updated as each stage of the investment cycle workflow is completed. Both the DC Investment Cycle Processing Checklist and the investment cycle workflow are checked by a Senior Member of the DC Administration Team. The DC Investment Cycle Processing Checklist is signed off and an audit trail retained within the investment cycle workflow as evidence of authorisation. The completed Checklist is held on the Monthly Investment File.

For a selection of clients and months, inspected the DC Investment Cycle Processing Checklists for evidence of sign off by a senior member of the DC Administration Team and audit trail from the workflow system for evidence of authorisation.

No exceptions noted.

2.1.2 Process Data confirming Employer/Employee contributions, AVCs, etc. to the Scheme are received electronically from the Employer in a pre-agreed format and loaded onto Compendia. Member level contribution data is then validated by Compendia and any changes to Member information or fixed cash contributions are flagged for additional follow up with the Client.

Control On a monthly basis the DC Administration Team investigate any differences to Member contribution receipts or Member information highlighted by the validation report from Compendia. Once resolved, a clear validation report is printed and retained along with follow up details of any exceptions in the Monthly Investment File.

For a selection of clients and months, inspected the clear validation report and evidence of resolution of exceptions in the Monthly Investment File by a member of the DC Administration team.

No exceptions noted.


2.1.3 Process Successful processing of contribution data is confirmed by reconciliation of a report of control totals from Compendia against control totals contained in the contributions file received from the Employer. On a monthly basis the DC Administration Team runs a control report of contribution totals from Compendia and reconciles it to the contribution control totals in the contribution file received from the Employer ensuring that they match, taking into account any amendments agreed with the Client.

Control On a monthly basis the DC Administration Team reconciles Employee/Employer totals from Compendia to the contribution file received from the Employer.

Once reconciled the DC Administration Team signs off the Monthly Control Sheet as evidence of the successful upload. Copies of the Control Sheet and all reconciled control reports are retained on the Monthly Investment File.

For a selection of clients and months, inspected the reconciliation of totals from Compendia to the contribution file and the Monthly Control Sheet for evidence of reconciliation of contributions and sign off by the DC Administration Team.

No exceptions noted.

2.1.4 Process The DC Administration Team monitor the receipt of contributions and associated contribution data against agreed dates recorded on the Investment Tracker. Where contributions and contribution data have not been received by the agreed date, the DC Administration Team contacts the Client to arrange for them to be sent to the Scheme bank account. A copy of this correspondence is held on the Monthly Investment File.

Control On a monthly basis the DC Administration Team monitor receipt of contributions and associated contribution data against agreed dates on the Investment Tracker. Where contributions and contribution data have not been received by the agreed date, the DC Administration Team contacts the Client to arrange for them to be sent to the Scheme bank account. The updated Investment Tracker is retained in soft copy and any Client correspondence is retained on the Monthly Investment File.

For a selection of clients and months, inspected the Investment Tracker in the Monthly Investment File for evidence of monitoring of receipt of contributions and associated contribution data against the agreed dates. Where contributions were not received by the agreed date, inspected evidence of contact between the DC Administration Team and the Client to arrange for them to be sent to the Scheme bank account.

No exceptions noted.

2.1.5 Process Compendia generates summary investment instructions based on the contributions received and investment instructions held on behalf of each member. Accuracy of contributions received in the Scheme bank accounts is confirmed by the DC Administration Team.

Control On a monthly basis the DC Administration Team verify that the total contributions to be invested on the summary investment instruction agree to the total amount of contributions received in the Scheme bank account. Any differences are investigated with reference to the contribution data referred to above and resolved. Once reconciled the DC Investment Cycle Processing Checklist is signed off by the DC Administration Team, copies of which are retained.

For a selection of clients and months, inspected the DC Investment Cycle Processing Checklist for evidence of sign off by the DC Administration Team.

No exceptions noted.


2.1.6 Process Compendia generates summary investment instructions based on the contributions received and investment instructions held on behalf of each member. Accuracy of contributions received in the Scheme bank accounts is confirmed by the DC Administration Team.

Control The total investment contribution is reviewed for accuracy by another Member of the DC Team. The DC Investment Cycle Processing Checklist is signed off as evidence of review.

For a selection of clients and months, inspected the DC Investment Cycle Processing Checklist for evidence of sign off by another member of the DC Administration Team.

No exceptions noted.

2.1.7 Process Bank movements are updated daily from bank statements to the Client Cash Management System (CCM). The DC Administration Team verifies that there are sufficient funds in the Scheme bank account for investment. A DC Investment Cycle Processing Checklist is used to control the process.

Control On a monthly basis the DC Administration Team monitor CCM to verify that the required investment amount has been received from the client. Where the investment amount has not been received, a Team member contacts the Client to arrange payment. Confirmation of the contribution payment receipt is recorded on the DC Investment Cycle Processing Checklist and any related correspondence is retained on the Monthly Investment File.

For a selection of clients and months, inspected the DC Investment Cycle Processing Checklist and the Monthly Investment file for evidence of confirmation of contribution receipt by a member of the DC Administration team.

No exceptions noted.

2.1.8 Process The DC Administration Team transmits monthly summary investment instructions, along with the correct funds to be invested, directly to Investment Managers as per the operating procedures agreed with each Client. The DC Investment Tracker is updated with an investment SLA based on receipt of contributions and contribution data. Progress is monitored against this SLA and the DC Investment Cycle Processing Checklist is signed off by the Team Member processing the investment when the process is complete and by another Team Member after they have verified the timeliness of the investment. The completed DC Investment Cycle Processing Checklist is held on the Monthly Investment File. (Control 2.1.8) This process is monitored at Client level on the DC Investment Cycle Processing Checklist. Timeliness of the investment is also monitored on the Investment Tracker, with a monthly report issued to a Senior Manager. Some Clients submit the monthly contributions directly to the Investment Manager. In these instances XPS Administration runs the DC Investment process on Compendia and passes the information to the Investment Manager for them to purchase the units.

Control On a monthly basis, an independent Member of the DC Administration Team verifies that contributions to be invested have been sent by the Client and received into the Trustees’ Bank Account by the 22nd of the month and updates the DC Tracker with the information. Any missing contributions are pursued with the Client. Late contributions are notified to the Manager who escalates, as necessary, to the Director of Administration for consideration under the reporting guidelines laid down by the Regulator. Once the contributions have been verified, the DC Investment Cycle Processing Checklist is signed off, a copy of which is retained on the Monthly Investment File. For Clients who submit the monthly contributions directly to the Investment Manager, XPS Administration runs the DC Investment Process on Compendia and passes the information to the Investment Manager to purchase the units.

For a selection of clients and months, inspected the DC Investment Cycle Processing Checklist for evidence of sign off by an independent member of the DC Administration Team.

No exceptions noted.


2.1.9 Process The Administration Team obtains confirmation of investment prices and total units purchased either from a contract note provided by the Investment Manager, the Investment Manager’s website or the Altus Investment Gateway (AIG). The DC Administration Team updates Compendia with unit prices provided by the Investment Manager or AIG, and updates the control accounts in Compendia with the total number of units purchased in each fund. Compendia calculates and updates each Member’s record with the units purchased. These actions are recorded on the DC Investment Cycle Processing Checklist by the Team Member processing the investment.

Control Progress of monthly investments for all DC Clients is monitored by the DC Administration Team using the Investment Tracker. Any investments that fail to meet the Client’s SLA are reported immediately to the Client. The DC Administration Team prepares and sends to the Client a loss assessment, if appropriate, which ensures that no member is disadvantaged as a result of a late investment. A Monthly Report is prepared and presented at the Manager’s meeting at least quarterly as evidence that investments have been made within the timescales agreed in the SLA.

For a selection of clients and months, inspected the Investment Tracker for evidence of update by the DC Administration Team and of any investments not meeting Client SLAs being reported to the Client. For a selection of quarters, inspected the reports presented at the Managers’ meeting.

No exceptions noted.

2.1.10 Process The Administration Team obtains confirmation of investment prices and total units purchased either from a contract note provided by the Investment Manager, the Investment Manager’s website or the Altus Investment Gateway (AIG). The DC Administration Team updates Compendia with unit prices provided by the Investment Manager or AIG, and updates the control accounts in Compendia with the total number of units purchased in each fund. Compendia calculates and updates each Member’s record with the units purchased. These actions are recorded on the DC Investment Cycle Processing Checklist by the Team Member processing the investment.

Control The DC Administration Team verifies the total amount invested as indicated on the contract note or as per the Investment Manager’s website or AIG against the investment instructions. Any discrepancy is immediately raised with the Investment Manager for investigation and resolution. The DC Investment Cycle Processing Checklist is signed off as evidence of review.

For a selection of investments, inspected the DC Investment Cycle Processing Checklist for sign off by the DC Administration team as evidence of review of the total amount invested.

No exceptions noted.

2.1.11 Process At least annually the DC Administration Team launches a lifestyle workflow that automatically identifies any Members due for lifestyle switches and calculates their lifestyle trades. The DC Administration Team sends the lifestyle investment instructions and lifestyle investment amounts to the Investment Manager. In addition to the automated workflow, a DC Lifestyling Processing Checklist is used to control the process. Additional monitoring occurs to ensure that lifestyle switches across all Schemes are updated within the required timescales as defined in the SLA.

Control On a monthly basis, an independent Member of the DC Administration Team verifies unit prices and unit totals of the investments recorded into Compendia against the contract note, the Investment Manager’s Website or via AIG. Any discrepancy is immediately raised with the Investment Manager for investigation and resolution with a full audit trail retained on the monthly Lifestyling file. The DC Investment Cycle Processing Checklist is signed by the administrator and reviewed and signed off by a senior administrator or above and the workflow is authorised in Compendia as evidence of verification. An audit trail is retained in Compendia as evidence of authorisation.

For a selection of clients and months, inspected the DC Investment Cycle Processing Checklist for evidence of sign off by a second member of the DC Administration Team and the audit trail within Compendia for evidence of authorisation.

No exceptions noted.


2.1.12 Process At least annually the DC Administration Team launches a lifestyle workflow that automatically identifies any Members due for lifestyle switches and calculates their lifestyle trades. The DC Administration Team sends the lifestyle investment instructions and lifestyle investment amounts to the Investment Manager. In addition to the automated workflow, a DC Lifestyling Processing Checklist is used to control the process. Additional monitoring occurs to ensure that lifestyle switches across all Schemes are updated within the required timescales as defined in the SLA.

Control On a monthly basis an independent Member of the DC Administration Team verifies that lifestyle switch instructions have been sent to the Investment Manager, match the lifestyle details on Compendia and are received within the required timescales. The DC Lifestyling Processing Checklist is signed off and the lifestyle workflow is authorised on Compendia as evidence of verification. The completed DC Lifestyling Processing Checklist is retained in the Monthly Investment Files or, if applicable, the Lifestyling File. An audit trail is retained in Compendia as further evidence of authorisation.

For a selection of clients and months, inspected the DC Lifestyling Processing Checklist for evidence of sign off and the workflow authorisation in Compendia as evidence of verification by a second member of the DC administration team.

No exceptions noted.

2.1.13 Process Each month the DC Investment Cycle Processing Checklist, the Investment File and the Investment Tracker are reviewed by a Manager/ Team Leader or Senior Administrator to verify that the investment has been performed correctly and within SLA.

As a final check, unit movements for all DC Schemes are analysed to verify that the unit holding on Compendia matches the Investment Manager fund Valuation. (Control 3.3.2)

Control A review of the progress of the monthly lifestyle process is carried out on a monthly basis, or as otherwise agreed with the Client, and is monitored by the DC Administration Team using the Investment Tracker. A Monthly Report is presented at the Managers’ meeting, held at least quarterly, as evidence that investments have been made within the timescales agreed in the SLA. Any investment that fails to meet the Client SLA is reported immediately to the Client. The Administration Team prepares and sends the Client a loss assessment, if appropriate, which will ensure that no member is disadvantaged as a result of a late investment.

For a selection of clients and months, or the respective frequency agreed with the client, inspected the Investment Tracker for evidence of update by the DC Administration Team and the minutes of the Managers’ meeting.

For the same selection of clients it was confirmed that all investments had met Client SLAs and no reporting was required.

No exceptions noted.


2.1.14 – 2.1.16

Process For Defined Benefit (DB) schemes Monthly Cash Flow reconciliation is performed. Each reconciliation includes:

> a review of receipts received during the period of reconciliation
> a review of payments made during the period of reconciliation
> a forecast of expected payments and receipts in the coming reconciliation period
> the expected balance at the end of the coming reconciliation period

On a monthly basis or other frequency agreed with the Client, a Pensions Administrator prepares a Cash Flow reconciliation to validate that Client money has been dealt with correctly during the month. The Cash Flow Forecast Report is populated with the opening cash balance, transactions and the closing balance from the DREAM accounting system via CCM. Where discrepancies arise on the DREAM accounting system/CCM they are investigated and resolved with Pension Accounts and the Client if necessary. Cash Flows are also reported to Clients as required. (Control 2.1.14 to 2.1.16)

Receipt of DB Contributions

The Client is responsible for ensuring that the DB Contributions are paid into the Trustees’ Bank Account in line with the Schedule of Contributions or, at the latest for contributions deducted from members’ pay, by the 22nd of each month if paid electronically (19th of the month if paid manually). The administration team uses a tracking document to monitor receipt of contributions. Any missing contributions are pursued with the Client and, if payment is not forthcoming, escalated to the Director of Administration Group Practice for consideration under the reporting guidelines laid down by the Regulator.

Control 2.1.14 On a Monthly basis, or other frequency agreed with the Client, a Pensions Administrator reconciles Cash Movements against CCM or SAGE from the Pension Accounts Team. Any discrepancies are followed up with the Pension Accounts Team and Client, if necessary. The Cash Flow reconciliation is signed off by the Pensions Administrator as evidence of completion.

For a selection of clients and months, inspected Cash Flow reconciliation for evidence of sign off by the Pensions Administrator.

No exceptions noted.

Control 2.1.15 On a Monthly basis or other frequency agreed with the Client, a Senior Administrator or above reviews the Cash Flow reconciliation for accuracy. The Cash Flow reconciliation is signed off as evidence of review and retained on file.

For a selection of clients and months, inspected the Cash Flow reconciliation for evidence of sign off as reviewed by a Senior Pensions Administrator or above.

No exceptions noted.

Control 2.1.16 On a Monthly basis or other frequency as agreed with the Client, a Pensions Administrator prepares a Cash Flow Forecast, detailing the cash requirement for the following month and signs the forecast as prepared. A Senior Administrator independently reviews the forecast for accuracy and signs as reviewed.

For a selection of clients and months, inspected the Cash Flow Forecast for evidence of sign off as completed by a Pensions Administrator and as reviewed by a Senior Administrator.

No exceptions noted.


2.1.17 Process Individual DC transactions are initiated on receipt of appropriately authorised instructions from the Member or the Scheme Trustees. Workflows and/or checklists are prepared for individual DC transactions based on the type of transaction required. These are used to confirm that the process has been followed, authorised at the appropriate points and signed off as complete within the SLA guidelines.

Control An Independent Administrator verifies checklists and/or workflows related to individual DC transactions against the Client or Member request to confirm that all required workflow steps are included to complete the transaction. An Administrator signs off the Checklist and/or authorises the workflow in Compendia or XBoss which is retained in the system as evidence of authorisation and completion.

For a selection of clients, inspected checklists and workflows for evidence of sign off by a second member of the Administration Team and audit trail in Compendia/XBoss for evidence of authorisation.

No exceptions noted.

2.1.18 Process For an individual DC trade involving the purchase or sale of units, the Administrator follows the workflow built into Compendia or XBoss. The Administrator launches the workflow for the appropriate task. The workflow enforces the parameters entered to be authorised. Compendia or XBoss calculates the number of units bought and sold. The workflow is then authorised by a second Administrator.

Compendia/XBoss produces an Investment Reconciliation Summary Report that confirms the number of units bought or sold. This is then used to populate the instruction.

Control An independent Member of the Administration Team verifies investment or disinvestment instructions in Compendia/XBoss against Client or Member instructions. The workflow is reviewed and authorised in Compendia/XBoss as evidence of verification and completion. An audit trail is retained within Compendia/XBoss.

For a selection of investment or disinvestment instructions, inspected workflow audit trail in Compendia/XBoss for evidence of authorisation, verification and completion by an independent member of the Administration Team.

No exceptions noted.

2.1.19 Process The Administration Team complete instructions detailing the number of units to be bought or sold obtained from the Investment Reconciliation Summary Report. The instruction is authorised in accordance with the Schemes Investment Mandate from a list of authorised signatories agreed with the Scheme Trustees.

If the transaction relates to a unit purchase (i.e. buy or switch instruction), the Administration Team arrange for cash to be transferred to the Investment Manager. See section 4.2 regarding payment safeguarding and authorisation.

Control The instruction is authorised, in accordance with the Scheme’s Investment Mandate, from a list of authorised signatories agreed with the Scheme Trustees prior to sending to the Investment Manager. If the signature on the authorised Mandate does not match with that held by the Investment Manager, the trade is rejected and returned, for re-submission with the correct signatories.

For a selection of instructions, inspected the investment instruction for evidence of sign off by an authorised signatory.

No exceptions noted.


2.1.20 – 2.1.21

Process The Administration Team transmits an instruction to buy or sell units to the Investment Manager. Once the instruction is executed, the Investment Manager processes the unit transaction and sends details to the Administration Team. The Administration Team checks that the confirmation received from the Investment Manager reconciles to the instructions submitted. The Administration Team updates Compendia/XBoss.

Control 2.1.20 On receipt of the contract note the Administration Team update the workflow with details of the trade and then finalise the workflow on Compendia. A second Administrator verifies that details of the trade are correctly recorded in the workflow, and authorises the workflow in Compendia/XBoss as evidence of verification and completion. An audit trail is retained within Compendia/XBoss.

For a selection of instructions, inspected audit trail in Compendia/XBoss for evidence of update by an Administrator and authorisation, verification and completion by a second Administrator.

No exceptions noted.

Control 2.1.21 For unit switches the Administration Team updates the workflow with the details and finalises the workflow on Compendia/XBoss. A second Administrator verifies that the details are correctly recorded in the workflow, then authorises the workflow in Compendia/XBoss as evidence of verification and completion. An audit trail is retained within Compendia/XBoss.

For a selection of unit switches, inspected audit trail in Compendia/XBoss for evidence of update by an Administrator and authorisation, verification and completion by a second Administrator.

No exceptions noted.

2.2 Benefits payable and transfer values are calculated in accordance with scheme rules and legislation and are paid on a timely basis.

Control activity and description | Testing performed by KPMG LLP and results

2.2.1 – 2.2.2

Process XPS Administration is informed of an event leading to a benefit payment by the Client’s payroll or HR function, the Member or an authorised third party. This may be via an automated monthly interface file produced directly from the Client’s systems, or by hard copy notification. Notification of normal retirement is generated automatically by Compendia. On a daily basis a Pensions Administrator creates a case for the benefit payment in the Work Monitoring System (WMS). Each case is allocated a Service Level Agreement (SLA) date based on the case type created, which has been hard coded into WMS. Benefits calculated are checked for accuracy and completeness against the source documentation (i.e. hard copy of benefit payment details or scanned equivalent) prior to initiating payment processing. The Administration Team uses either an automated workflow built into Compendia and/or a Control Sheet to manage benefits payable transactions. Both automated workflows and Control Sheets include all process steps required to calculate a benefit in compliance with applicable Legislation and Scheme Rules.

Control 2.2.1 Pro formas are verified to confirm they have been signed off by a Scheme Actuary or Scheme Representative and accurately implemented into Compendia. See control 1.3.3 and 1.3.4.

For all manual benefit calculations, a second Pensions Administrator reviews the calculation against either the pro forma or the Scheme Rules to verify that the calculation has been done correctly and signs the calculation as evidence of this review.

For a selection of clients, inspected manual calculations for evidence of sign off by a second Pensions Administrator.

No exceptions noted.


The Pensions Administrator completes the appropriate process steps within the workflow and/or Control Sheet. Benefit calculations are supported by pro formas signed off by the Scheme Actuary or Scheme Representative (see Control 1.3.3 and 1.3.4) and are either automated in Compendia, or performed manually. Where a calculation is performed manually a Pensions Administrator follows the calculation process described in either the pro forma or with direct reference to the Scheme Rules and any Rule Amendments. Benefit calculations are checked by a competent Pensions Administrator and authorised where required to ensure accuracy. (Control 2.2.1) Each benefit payments workflow includes an authorisation step either in Compendia or on the Control Sheet, which is completed by a Senior Administrator, before the work can be completed. (Control 2.2.2) Once the workflow or Control Sheet is complete a payment is generated in the Client Cash Management (CCM) system. All individual payments (e.g. transfers out, leaver payments, pension commencement lump sums) are checked and authorised before being released. See section 4.2 for details regarding payment authorisation.

Control 2.2.2 A second Pensions Administrator validates that all of the workflow steps and associated processes (for example benefit calculations, member authorisation to proceed, etc.) have been performed correctly. They complete the authorisation workflow step in Compendia or sign off the Control Sheet. Where authorisation is part of a workflow, an audit trail is retained within Compendia as evidence of authorisation.

For a selection of clients, inspected either the workflow audit trail or the Control Sheet for evidence of sign off by a second Pensions Administrator.

No exceptions noted.

2.2.3 Process

Discretionary payment of Benefits

Discretionary benefit payments require Trustee approval prior to executing the payment. For certain payments, e.g. pension commencement lump sums, a ‘blanket’ approval exists allowing payment to proceed without Trustee approval for each case.

Control Where Trustee approval is required, the Senior Pensions Administrator verifies that a copy of Trustee approval has been obtained, printed and filed, prior to signing off the workflow and/or Control Sheet. Where authorisation is part of a workflow, an audit trail is retained within Compendia as evidence of authorisation.

For a selection of clients with Trustee approvals, inspected the workflow or the Control Sheet for evidence of sign off by a Senior Pensions Administrator.

No exceptions noted.

2.2.4 - 2.2.5

Process

Payment of Benefits

One off payments and first pensioner payments are initiated and authorised by Pensions Administration through the Payroll Administration System. A pension record is created on the Payroll Administration System for one off or subsequent regular pension payments. See section 3.1. The Payroll Operations Team or the Pensions Administration Team run a Payroll Reconciliation Report prior to the payroll run, which is reviewed by the Pensions Administration Team. A Pensions Administrator reviews movements identified on the Payroll Reconciliation Report (e.g. new pensioners, pensioner amendments, pensions ceasing) to make sure they are consistent with their understanding of the scheme and with the movements processed by the Pensions Administration Team during the month. Any discrepancies are resolved with the Pensions Administration Team and/or Payroll Operations Team.

For a selection of clients and months, inspected the Payroll Reconciliation Report and audit trail in Compendia/XBoss for evidence of authorisation by a Payroll Team member.

No exceptions noted.

Control 2.2.4 The Pensions Administrator reviews the Payroll Reconciliation Report against payment details held on Compendia or XBoss to confirm all payment additions, deletions and modifications are included in the upcoming payroll payment run. Any inconsistencies are investigated with the Pensions Administration Team or Payroll Operations Team for correction. Once confirmed, the Payroll Reconciliation Report is electronically or manually authorised by a Pensions Administrator. Any correspondence relating to the resolution of discrepancies is retained within the reconciliation file. An audit trail is retained on the Monthly Payroll File or Compendia/XBoss as evidence of authorisation.

Control 2.2.5 A second Pensions Administrator reviews the Payroll Reconciliation Report and verifies that any amendments on the payroll are substantiated with the supporting documentation. The Payroll Reconciliation Report or Checklist is signed off by a second Pensions Administrator, a copy of which is retained on file or authorised via the workflow.

For a selection of clients and months, inspected the Payroll Reconciliation Report or Checklist for evidence of sign off by a second Pensions Administrator.

No exceptions noted.

2.2.6 - 2.2.7

Process

Prior to the scheme payroll run, the Payroll Production Team compare the current month Payroll Control Total Report against the previous month’s Control Total Report. A Monthly Compare Report, which identifies changes to the payroll over the month (i.e. due to new pensioners, pensioners who have died, etc.), is also run to confirm that all differences can be explained. Differences are recorded on the Reconciliation Sheet and the Payroll Operations Team checks the reconciliation accuracy. For some very large payrolls, a tolerance check is applied to payments from month to month, with any payments in excess of the tolerance being subject to verification or amendment.

Control 2.2.6

On a monthly basis, the Payroll Production Team reconciles all differences between the previous month’s payroll and the current month’s payroll. Copies of the current to previous month payroll reconciliation and respective Compare Report are retained by the Payroll Production Team.

For a selection of clients and months, inspected the Compare Report for evidence of reconciliation of differences between the previous and current month’s payroll by the Payroll Production Team.

No exceptions noted.

Control 2.2.7 On a monthly basis an independent review of payroll reconciliations is performed by the Payroll Production Team to verify that all differences have been explained against a Compare Report. Reconciliation Sheets are signed and retained by the Payroll Operations Team as evidence of review. Electronic copies of all Compare Reports and Reconciliation Sheets are retained by the Payroll Production Team.

For a selection of clients and months, inspected payroll reconciliations for evidence of sign off by the Payroll Operations Team and of all differences being explained against a Compare Report.

No exceptions noted.
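The month-to-month compare, "every difference explained" and tolerance checks described under 2.2.6 and 2.2.7, as an added example; this is not XPS Administration's or KPMG's own code. Member ids, amounts, movement reasons and the 10% tolerance are constructed sample values.

```python
"""Month-to-month pensioner payroll compare and reconciliation (added example)."""
from dataclasses import dataclass
from decimal import Decimal

ZERO = Decimal("0")

# Constructed extracts: member id -> monthly pension paid (GBP).
PREVIOUS_MONTH = {
    "M001": Decimal("1200.00"),
    "M002": Decimal("850.50"),
    "M003": Decimal("2300.00"),
    "M004": Decimal("640.00"),
}
CURRENT_MONTH = {
    "M001": Decimal("1200.00"),
    "M002": Decimal("875.50"),   # amendment of +25.00
    "M004": Decimal("1640.00"),  # +1000.00 with no recorded movement
    "M005": Decimal("990.00"),   # new pensioner
}
# Movements the Administration Team processed during the month (constructed):
# (member id, reason, expected change to the monthly payment).
MOVEMENTS = [
    ("M002", "amendment", Decimal("25.00")),
    ("M003", "deceased", Decimal("-2300.00")),
    ("M005", "new pensioner", Decimal("990.00")),
]


@dataclass
class Reconciliation:
    previous_total: Decimal
    current_total: Decimal
    differences: dict        # member -> change on the payroll this month
    unexplained: dict        # member -> (change on payroll, change per movements)
    over_tolerance: dict     # member -> change exceeding the tolerance
    control_total_agrees: bool


def compare_payrolls(previous, current):
    """Compare Report: every member whose payment changed, with the change."""
    differences = {}
    for member in sorted(set(previous) | set(current)):
        change = current.get(member, ZERO) - previous.get(member, ZERO)
        if change != ZERO:
            differences[member] = change
    return differences


def reconcile(previous, current, movements, tolerance=None):
    """Reconcile the Control Totals and require every difference to be explained.

    tolerance, if given, is a fraction (0.10 = 10%) applied to members paid in
    both months; a larger month-to-month change is flagged for verification
    even when a recorded movement explains it.
    """
    differences = compare_payrolls(previous, current)

    # Net expected change per member according to the movements processed.
    explained = {}
    for member, _reason, amount in movements:
        explained[member] = explained.get(member, ZERO) + amount

    # A difference with no matching movement, or a movement with no matching
    # difference, is unexplained and must be resolved before the payroll run.
    unexplained = {}
    for member in sorted(set(differences) | set(explained)):
        actual = differences.get(member, ZERO)
        expected = explained.get(member, ZERO)
        if actual != expected:
            unexplained[member] = (actual, expected)

    over_tolerance = {}
    if tolerance is not None:
        limit = Decimal(str(tolerance))
        for member, change in differences.items():
            base = previous.get(member, ZERO)
            if member in current and base > ZERO and abs(change) / base > limit:
                over_tolerance[member] = change

    previous_total = sum(previous.values(), ZERO)
    current_total = sum(current.values(), ZERO)
    explained_total = sum(explained.values(), ZERO)
    agrees = (previous_total + explained_total == current_total) and not unexplained
    return Reconciliation(previous_total, current_total, differences,
                          unexplained, over_tolerance, agrees)


if __name__ == "__main__":
    result = reconcile(PREVIOUS_MONTH, CURRENT_MONTH, MOVEMENTS, tolerance=0.10)
    print(f"Control totals: {result.previous_total} -> {result.current_total}")
    for member, (actual, expected) in result.unexplained.items():
        print(f"UNEXPLAINED {member}: payroll {actual:+}, movements {expected:+}")
    for member, change in result.over_tolerance.items():
        print(f"OVER TOLERANCE {member}: {change:+} (verify before payroll run)")
    print("Reconciled:", result.control_total_agrees)
```

On the sample data the control totals do not agree because M004 rose by 1000.00 with no movement recorded; adding that movement reconciles the totals, while the tolerance check still flags the payment for verification.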

2.2.8 Process

The payroll BACS file is sent to the bank through CSeries for them to process payments of the payroll to individual pensioners. A confirmation report is produced when the file is successfully sent, and the Payroll Production Team check the payment services website to verify that the number of files processed agrees with the number sent. A summary report of all BACS files sent that day is run and compared to the BacstelIP summary report to verify that all BACS files have been accepted.

Control

Once the Scheme Payroll has been processed, the Payroll Production Team reviews for accuracy the total amount on the Confirmation Report against the number of files recorded on the Payment Services website. Once complete, the BACS submission checklist is signed and retained by the Payroll Production Team. On a daily basis, the Payroll Production Team compares the BACS Summary Report from the Administration System to the BacstelIP summary report to verify the completeness of the scheduled BACS files and that no duplicate BACS files have been run. Once verified, the reports are signed and retained by the Payroll Production Team.

For a selection of clients and days, inspected evidence of comparison between the BACS Summary Report and the BacstelIP summary report to verify completeness and that no duplicate BACS files had been run.

For a selection of clients and months, inspected the BACS submission checklist for evidence of review for accuracy by the Payroll Team and for sign off by the Payroll Operations Team.

No exceptions noted.

2.2.9 Process

Pension Increases

Pension increases are calculated and applied based on the Scheme Rules and applicable Regulatory and Legislative practice, or as notified, in writing, by the Scheme Trustees. The process is conducted within timescales laid down in the Client Agreement and in line with the Scheme Rules and applicable Legislation. The Pension Increase Control Sheet is updated as evidence of the control and signed off by the Administrator and checked and signed by a Senior Administrator or above.

Control

The Pensions Administration Team verifies with the Trustees any discretionary components of the pension increase ensuring confirmation is received from an authorised Client representative. A copy of the Trustee approval is retained on file as evidence of verification. The Pensions Administrator updates and signs off the Pension Increase Control Sheet with a Senior Administrator or above completing a final signoff.

For a selection of clients and months, inspected the Trustee approval and that the Pension Increase Control Sheet was signed off by both a Pensions Administrator and a Senior Administrator or above.

No exceptions noted.

2.2.10 Process

Pension Increases

Pension increases are agreed with the Client and are tested either manually or via the Compendia workflow based on a selection of Member records prior to being applied. The Payroll Administrator and Pensions Administrator complete the appropriate process steps indicated in the workflow or Pension Increase Control Sheet and sign off accordingly once it is complete.

Control

Tests of Pension Increases are verified against the agreed Client instruction by the Pensions Administrator to confirm accuracy. Once confirmed, either the Pensions Administrator or the Payroll Administrator finalise the workflow or sign off the Pension Increase Control Sheet. Copies of the Control Sheet are retained on file, and where a workflow is used, an audit trail is retained within the system as evidence of authorisation.

For a selection of clients and months, inspected for evidence that the increases were agreed to Client instruction and inspected the Pension Increase Control Sheet for evidence of authorisation by the Pensions Administrator or the Payroll Administrator.

No exceptions noted.

2.2.11 Process

Once approved, the Pension Increase is applied to all applicable members and notifications sent out.

Control

The Payroll/Administration Team perform a sample check of written notifications to verify that all applicable members have been notified of the Pension Increase within the required timescale agreed with the Client. The Pension Increase Control Sheet is signed off and retained, or the workflow is finalised. Where a workflow is used, an audit trail is retained within the system as evidence of authorisation.

For a selection of clients and months, inspected evidence that there was a sample check of written notifications and inspected the Pension Increase Control Sheet for evidence of sign off by the Payroll Administration Team. Where a workflow is used, inspected the audit trail for evidence of authorisation.

No exceptions noted.

2.2.12 Process

For payrolls not run by Equiniti Pension Solutions, a file is prepared and checked prior to being sent to the Client or alternative payroll provider for implementation to the payroll database.

Control

The Pensions Administrator prepares a file which is checked by a Senior Administrator or above. The file is encrypted and sent across to the Client or payroll provider for implementation to the payroll.

For a selection of clients and months, inspected payroll file for completion by a Pensions Administrator and review by a Senior Administrator or above and evidence of the encrypted file sent to the Client or payroll provider.

No exceptions noted.

2.2.13 Process

Where XPS Administration is contracted to send increase notifications, they are prepared, checked and sent out in accordance with the Client agreement.

Control

Where required by the Client, the Pensions Administrator prepares the Increase notifications. Prior to sending out the notifications, they are checked by a Senior Administrator or above.

For a selection of clients and months, inspected Increase notifications for evidence of preparation by a Pensions Administrator and checking by a Senior Administrator or above.

No exceptions noted.

3. Maintaining financial and other records

3.1 Member records consist of up to date and accurate information and are updated and reconciled regularly

Control activity and description / Testing performed by KPMG LLP and results

3.1.1 - 3.1.2

Process For Clients with electronic data interfaces, Member data is kept up to date through periodic data loads including Payroll data (such as salaries and contributions) and Human Resources information (typically showing changes to personal details, leavers and joiners). The data loads are provided to XPS Administration by the Client in a pre-agreed format. On receipt of a data file a Pensions Administrator follows the workflow steps to load the data onto Compendia. Compendia automatically produces error and warning reports and all errors are resolved prior to data being loaded. The data files and Interface Reports are retained centrally by the Administration Team, along with details of any enquiries arising from the data load and their resolution. (Control 3.1.1 and 3.1.2) For some Clients, Member data updates, including new joiners, leavers and DC investment options, are processed on a case by case basis. (See Control 3.1.6)

Control 3.1.1 On a monthly basis a Pensions Administrator reviews the Compendia error and warning report which identifies unexpected differences or incorrect data between the Member data on the Client data file and Compendia. Discrepancies are investigated, resolved and updated via the workflow. An audit trail of any amendments is maintained within Compendia.

Control 3.1.2 A second Pensions Administrator verifies that any discrepancies identified on the errors and warnings report have been resolved. Once verified, the workflow is authorised electronically by the second Pensions Administrator. An audit trail is maintained within the PAS showing this authorisation. The reports are retained within the PAS.

For a selection of clients and months, inspected audit trail from Compendia for evidence of investigation and resolution of differences by a Pensions Administrator.

No exceptions noted.

Enquired of management whether any instances of electronic authorisation by a second Pensions Administrator occurred during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.

3.1.3 Process At least annually a Pensions Administrator reconciles the total number of Members in each of the Scheme Membership categories (e.g. active, deferred) to the previous report. This is done by running Membership reports from Compendia, and taking into account any Membership movements in the period (Control 3.1.3). The Membership reconciliation is included in the administration report presented to the client. (See section 5.2)

Control At least annually a Pensions Administrator reconciles the Scheme Membership reports from Compendia back to the totals from the previous reconciliation, taking into account any Membership movements in the period. Any discrepancies are investigated and resolved. Once complete, a second Pensions Administrator reviews the reconciliation for accuracy. Both Pensions Administrators sign off the Annual Update Control Sheet and a copy is retained on file.

For a selection of clients, inspected the Annual Update Control Sheet for evidence of sign off as completion and review by both Pensions Administrators.

No exceptions noted.

3.1.4 Process On an annual basis the Pensions Administration Team complete an Annual Scheme Renewal. As part of this process scheme contributions, where applicable, at Member level are validated to ensure that they have been deducted and paid in accordance with the Scheme Rules.

Control On an annual basis, the Pensions Administration Team validates salary and contributions data (where applicable) from the Client against historic data and correspondence to verify that the correct amounts have been paid on behalf of the Member. Any inconsistencies are investigated and agreed with the Client. A copy of the Validation Report is saved electronically and any correspondence with the Employer is retained on the Scheme Renewal File.

For a selection of clients, inspected a copy of the annual Validation Report for evidence of validation of salary and contributions and evidence of investigation of differences with the Client.

No exceptions noted.

3.1.5 Process The renewal process includes a reconciliation of the Scheme Membership and Member data against renewal data provided by the Client using membership reports generated from Compendia and taking into account Membership movements in the year.

Control On an annual basis, a Pensions Administrator reconciles Membership totals on Compendia against renewal data provided by the Client. Any differences are investigated and resolved. The Annual Update Control Sheet is signed off by the Pensions Administrator and saved on the Scheme Renewal File. Reconciliation Reports and supporting documentation of any differences are retained electronically.

For a selection of clients, inspected the annual reconciliation, investigation of differences and Annual Update Control Sheets for evidence of sign off by Pensions Administrator.

No exceptions noted.

3.1.6 Process Personal Details Updates

Personal details are updated on receipt of e-mail, postal correspondence or telephone calls from Scheme Members or their suitably authorised representatives. All updates received by Pensions Administration are made on Compendia, and any details relating to pensioners are passed to the payroll provider for update to the payroll system. All telephone callers, whether members or pensioner members, are verified by checking at least two items of personal information in order to confirm their identity. (Control 3.1.6) When notified of a member address change there is no requirement to complete the record of telephone call form. The address is changed on the system provided there is sufficient evidence in the communication to verify the member. The system generates a letter to both the old and the new address to help combat fraud.

Control A Pension/Payroll Administrator verifies the authenticity of member details prior to making changes to Member data. Verification of details is recorded on a record of telephone call form, a letter or by completing a workflow as evidence of authenticity verification. Where a workflow is used, an audit trail is retained in Compendia as evidence of authorisation. When notified of a change of address the Pensions Administrator checks that there is sufficient evidence to verify the member and changes the address on Compendia. The system generates a letter to both the old and the new address, which are sent out. If the address has been changed in error, the letters make the member aware of the change and ask them to contact the department for verification. Any information in relation to the change is retained in the member file.

For a selection of changes to member data, inspected either the record of telephone call form, letter, email or workflow audit trail for evidence of authenticity verification. In the case of a change of address, also inspected the letters sent to the member at both the old and the new address, to confirm that the member is made aware of the change and that any change made in error would be identified.

No exceptions noted.

3.1.7 Process XPS Administration and Equiniti Pension Solutions are informed of a change to the Member’s personal data by the Client’s payroll or HR function or by the Member directly. On a daily basis a Pension/Payroll Administrator creates a case in a Work Monitoring System. For the processing of member personal updates, accuracy and completeness checks are performed against the source documentation (i.e. hard copy of the Member data change request or scanned in equivalent) prior to completion of the workflow.

Control A second Pensions/Payroll Administrator validates that all of the workflow steps and associated processes related to update of personal Member details have been performed correctly. They then either complete the authorisation workflow step or sign off the Control Sheet. Where a workflow is used, an audit trail is retained within the system as evidence of authorisation.

For a selection of changes to member data, inspected either the Control Sheet or the workflow audit trail for evidence of sign off/authorisation by a second Pensions/Payroll Administrator.

No exceptions noted.

3.1.8 - 3.1.9

Process Member Investment Option Updates

Member investment options for new Members, or changes to existing Member’s investment choices are updated either on receipt of an electronic Investment Instruction File from the Employer or on receipt of a written instruction from the Member. On receipt of an Investment Instruction File from the Employer the Administration Team prepare a data input file to update the Member records with investment choices. The Administration Team load the data input file to Compendia and update the Member records. (Control 3.1.8) On receipt of a written instruction from the Member a Pensions Administrator sets up the investment instruction via a workflow in Compendia which provides evidence of completion. (Control 3.1.9)

Control 3.1.8 Where electronic interfaces exist, the Administration Team perform sample checks against the data input file received from the Employer to verify the member’s investment choices are updated accurately on Compendia. Once this is complete this is passed to a Senior Pensions Administrator or above to spot check the inputs and sign off the Interface Control Sheet as evidence of review. This is retained on the contributions file.

For a selection of member investment options, where electronic interfaces exist, inspected the Interface Control Sheet for evidence of sample checks from member investment choices to Compendia and for evidence of spot checks and sign off by a Senior Pensions Administrator.

No exceptions noted.

Control 3.1.9 A second Pensions Administrator verifies that details of the member record on Compendia match the written instruction and authorises the workflow in Compendia as evidence of review.

For a selection of written instructions, inspected the workflow audit trail for evidence of authorisation and review by a second Pensions Administrator.

No exceptions noted.

3.1.10 - 3.1.11

Process New Pensioners and Dependants Updates

When setting up a new pensioner or dependant, a Pensions Administrator completes a New Pensioner/Dependant Form. (Control 3.1.10) The New Pensioner/Dependant Form is issued to the Payroll Administration Team to create a Member record on the Pensioner Payroll. The new Pensioner/Dependant record on the Payroll Administration System is then verified to confirm it has been set up in accordance with the details recorded on the form. (Control 3.1.11)

Control 3.1.10 Details on the workflow or New Pensioner/Dependant form are reviewed and verified for accuracy by a second Administrator and an individual from the XPS Administration authorisations levels document. The new Pensioner/Dependant form is signed off by both reviewers prior to set up on the Payroll Administration System.

For a selection of new pensioners, inspected the New Pensioner/Dependant forms for evidence of sign off by a second Administrator and an individual from the XPS Administration authorisations levels document.

No exceptions noted.

Control 3.1.11 Details on the new Pensioner/Dependant form are verified by a Second Administrator, against the member details on the Pension Administration System and member benefit choices provided by the member. The amount of pension per annum dictates the seniority of the second person required to sign off the pension with increasing amounts of pension corresponding to increasing seniority of grade.

For a selection of new pensioners/dependants, inspected New Pensioner/Dependant forms for evidence of sign off by a Second Administrator with the relevant seniority.

No exceptions noted.

3.2 Contributions and benefit payments are completely and accurately recorded in the proper period

Control activity and description / Testing performed by KPMG LLP and results

3.2.1 Process Contributions

The Pension Accounts Administration Team downloads bank statements on a daily basis. Bank accounts are uploaded into CCM, which generates a report of items that need to be allocated, including contributions. Where possible, the Pension Administration Team allocates contributions and other items on CCM. Other items such as bank charges are allocated via CCM to a specific Scheme and ledger account by Pension Accounts Administrators. For more complex items, the Pension Accountants perform the allocation directly on DREAM. The CCM system interfaces directly with the DREAM ledger system to post contribution receipts and payments automatically on a twice daily basis, so contributions are posted to the DREAM ledger via this direct interface between CCM and DREAM. For receipts of cheques, including contributions, the Pensions Administrators record the receipts on CCM using the same allocation process as described above. The cheques are passed to the Pension Accounts Administrators who bank them daily. After banking, the total cheques banked for each account are transferred from the cheques received account in DREAM to the cash book in DREAM. (Control 3.2.1, 3.2.2)

Control Twice daily, the Production Support Team reviews an exceptions report which identifies any discrepancies between payments made via CCM and payments updated in the accounting ledgers in DREAM. Any discrepancies are notified to the Pension Accounts Controller for follow up and resolution prior to the end of day. Copies of emails from the Production Support Team, along with evidence of follow up on previous discrepancies, are retained on file. The Pension Accounts Administrator reviews a pension control account in DREAM to verify that complete groups of files for each payroll group processed have been posted into DREAM. Any non-zero balances are investigated and any missing files are identified, obtained and uploaded into DREAM prior to the end of day. Once complete, the Pension Accounts Administrator records the successful upload of CSV files to DREAM in the processing log and signs off the log to confirm that the uploads have been completed.

For a selection of days, inspected the exceptions report and the email notification to the Pension Accounts Controller for evidence of timely resolution of errors. Also, for a selection of days, inspected the investigation of non-zero balances and upload of missing files and the processing log for evidence of completion and sign off.

No exceptions noted.

3.2.2 Process Payments processed using the Pensioner/Deferred database are uploaded daily to DREAM via a CSV file. The Pension Accounts Administrator reviews the pension control account in DREAM to verify that complete groups of files for each payroll group processed have been posted into DREAM. Any non-zero balances are investigated and any missing files are identified, obtained and uploaded into DREAM prior to the end of day. Once complete, the Pension Accounts Administrator records the successful upload of CSV files to DREAM in the processing log, and signs off the log to confirm that they have done so. Payments entered into CCM are reviewed for accuracy and authorised by a second member of staff. A senior member of staff then reviews the authorised payment and releases the payment in CCM. For payments in excess of £100,000 a secondary releaser will be required. Once released, the payment is posted automatically from CCM into the DREAM accounting system.

Control Twice a day, the Pension Accounts Team check for receipt of e-mail confirmation that the interface between CCM and DREAM has been run. Copies of the confirmatory e-mails are retained by the Pension Accounts Controller as evidence that the interface has been done.

For a selection of days, inspected the receipt of the email confirmation and evidence that it had been retained.

No exceptions noted.

3.2.3 - 3.2.4

Process Payments are authorised by a second member of staff. (Control 3.2.3) See controls in section 4.2. Where CCM is not used the Pensions Administrator draws a manual cheque and initials the cheque book stub as evidence of the individual drawing the payment. The file and cheque are passed to a second member of the team for review and signoff of the file and cheque. A form is passed to the Pension Accounts Team detailing the payment which is added to the Accounting System by a member of the Accounts Team. (Control 3.2.4)

Control 3.2.3 Payments are authorised by a second member of staff. See controls in section 4.2.

This has been tested as part of control 4.2.

Control 3.2.4 Where CCM is not used the Pensions Administrator draws a manual cheque and initials the cheque book stub as evidence of the individual drawing the payment. The file and cheque are passed to a second member of the team, with cheque signing authority, for review and signoff of the file and cheque. The Pension Accounts Team enter the data detailing the payment to the accounting system and check and sign off as evidence of review.

Enquired of management whether any instances of any manual cheques being drawn occurred during the period and were informed that no instances had occurred. Since there were no instances, the operating effectiveness of the control could not be tested.

3.2.5 Process Bank reconciliations are performed at least monthly, during which contributions and payments are checked for accuracy between DREAM (or SAGE, the alternative Accounting System where DREAM is not used) and the scheme bank accounts.

Control At least monthly, Scheme bank statements are reconciled to DREAM or SAGE to verify that cash book entries have been accurately recorded in the cash book. Any discrepancies are investigated and resolved. The reconciliation is signed by both a Pension Accounts Administrator/Technician and the Pensions Accountant. The reconciliation, along with correspondence relating to queries and their resolution, is retained on the Scheme Accounts File.

For a selection of clients and months, inspected the reconciliation for evidence of sign off by both the Pension Accounts Administrator/Technician and the Pensions Accountant and resolution of discrepancies and retention on the Scheme Accounts file.

No exceptions noted.

3.3 Investment transactions, balances and related income are completely and accurately recorded in the proper period

Control activity and description / Testing performed by KPMG LLP and results

3.3.1 Process Timeliness and Accuracy of Complete DC Process

On a daily basis the Administrator checks the bank balance and receipts received electronically from Pension Accounts. This ensures that all monies have been correctly recorded and paid out. On a monthly basis, the DC Team in each office obtains a ledger via CCM/SAGE and reconciles it to the bank account, completing the Receipts and Payments Checklist.

Control Daily downloads of receipts are updated by Pension Accounts into CCM and remain unallocated until processed by a member of the DC Administration Team. On a monthly basis all entries are reviewed by a Senior Administrator or above, with any discrepancies investigated and resolved. The Administrator completes the Receipts and Payments Checklist, signing it as complete; it is then reviewed and signed for completeness and accuracy by a Senior Administrator or above and retained on file as evidence of review. Where CCM is not used, the Accounts Administrator checks the bank statements on a monthly basis to ensure all receipts have been picked up and allocated correctly. The Pensions Administrator completes either the Receipts and Payments Checklist or the Bank Reconciliation Checklist showing all transactions to and from the bank account. This is reviewed by a Senior Administrator for accuracy and retained on file as evidence of review.

For a selection of clients and months, inspected Receipts and Payments Checklist for evidence of preparation by an Administrator and sign off as authorisation by a Senior Administrator or above.

No exceptions noted.
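The bank-to-cash-book reconciliation in 3.2.5 and the monthly receipts-and-payments check in 3.3.1 both come down to the same matching exercise: cancel the statement lines and ledger postings that agree, classify what is left, and confirm that those leftovers alone explain the gap between the two reported balances. The Python below is an added illustration and is not code from the report or from XPS, DREAM, SAGE or CCM; the entry fields, sample lines, references and balances are constructed for the example. It goes one step beyond the text by treating a leftover on each side with the same reference as one transaction posted at the wrong amount, which is the usual shape of a posting error, rather than as two unrelated items.

```python
"""Monthly bank-to-cash-book reconciliation (constructed example).

Matches bank statement lines to cash book postings, classifies whatever does
not agree, and checks that the two reported balances are explained by those
items alone. Field names and sample data are assumptions for this illustration,
not an XPS, DREAM or SAGE file format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    ref: str          # shared reference, e.g. BACS reference or cheque number
    amount: Decimal   # signed: receipts positive, payments negative


@dataclass
class Reconciliation:
    unposted_on_bank: list         # on statement, not in cash book: post these (charges, unrecorded receipts)
    unpresented_payments: list     # in cash book, not yet on statement: cheques not presented
    outstanding_lodgements: list   # in cash book, not yet on statement: receipts in transit
    amount_disagreements: list     # (ref, bank amount, book amount): probable posting error
    unexplained_difference: Decimal = field(default_factory=lambda: Decimal(0))


def reconcile(statement, cashbook, bank_balance, book_balance):
    """Reconcile statement lines against cash book postings for one period."""
    bank = Counter((e.ref, e.amount) for e in statement)
    book = Counter((e.ref, e.amount) for e in cashbook)
    # First pass: exact (ref, amount) matches cancel. Multiset subtraction means a
    # duplicated posting is reported rather than hidden behind one statement line.
    only_bank = list((bank - book).elements())
    only_book = list((book - bank).elements())

    # Second pass: a leftover on each side with the same reference is one
    # transaction posted with the wrong amount, not two separate items.
    book_by_ref = defaultdict(list)
    for ref, amt in only_book:
        book_by_ref[ref].append(amt)
    disagreements, unposted = [], []
    for ref, bank_amt in only_bank:
        if book_by_ref.get(ref):
            disagreements.append((ref, bank_amt, book_by_ref[ref].pop(0)))
        else:
            unposted.append((ref, bank_amt))
    leftover_book = [(ref, amt) for ref, amts in book_by_ref.items() for amt in amts]

    rec = Reconciliation(
        unposted_on_bank=unposted,
        unpresented_payments=[i for i in leftover_book if i[1] < 0],
        outstanding_lodgements=[i for i in leftover_book if i[1] > 0],
        amount_disagreements=disagreements,
    )
    # Bring the bank balance onto the cash book's basis and compare it with the
    # cash book balance once the bank-only items are posted. Anything left over is
    # a difference the listed items do not explain (a mis-cast balance, a missing line).
    bank_on_book_basis = (
        bank_balance
        + sum((amt for _, amt in leftover_book), Decimal(0))
        + sum((book_amt - bank_amt for _, bank_amt, book_amt in disagreements), Decimal(0))
    )
    book_after_posting = book_balance + sum((amt for _, amt in unposted), Decimal(0))
    rec.unexplained_difference = bank_on_book_basis - book_after_posting
    return rec


# Constructed sample month: one contribution receipt, one pensioner payroll run,
# a bank charge the ledger has not yet picked up, an unpresented cheque, and the
# payroll figure transposed in the cash book (7,050 instead of 7,500).
SAMPLE_STATEMENT = [
    Entry("CONTRIB-JAN", Decimal("10000.00")),
    Entry("PEN-ROLL-JAN", Decimal("-7500.00")),
    Entry("BANK-CHG", Decimal("-12.50")),
]
SAMPLE_CASHBOOK = [
    Entry("CONTRIB-JAN", Decimal("10000.00")),
    Entry("PEN-ROLL-JAN", Decimal("-7050.00")),
    Entry("CHQ-001234", Decimal("-250.00")),
]


def run_sample(reported_book_balance="2700.00"):
    """Reconcile the constructed month; the bank balance is the sum of the statement."""
    return reconcile(SAMPLE_STATEMENT, SAMPLE_CASHBOOK,
                     Decimal("2487.50"), Decimal(reported_book_balance))


if __name__ == "__main__":
    rec = run_sample()
    print("post to cash book:", rec.unposted_on_bank)
    print("unpresented cheques:", rec.unpresented_payments)
    print("posting errors:", rec.amount_disagreements)
    print("unexplained difference:", rec.unexplained_difference)
```

With the reported cash book balance agreeing with its own postings the unexplained difference is zero and every reconciling item is named; reporting a mis-cast cash book balance instead leaves a residual that the reconciler has to chase, which is exactly the case the sign-off in 3.2.5 exists to catch.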

3.3.2 Process On a monthly basis, the Administration Team extracts information from Compendia, via an Access database or using the Compendia Control Accounts, to compare the unit holdings per Fund and per Scheme against the valuation of the holding obtained from the Investment Manager. Once completed, this reconciliation is signed off by a Senior Administrator or above and updated on the DC Investment Tracker.

Control On a monthly basis, as part of the Contribution Process, unit holding information is extracted from Compendia via a securely linked Access database or from Control Account information held within Compendia. The results are reconciled by the Administration Team against the Investment Manager holdings, with any differences identified being fully investigated, documented and, if necessary, ringfenced until the cause of the difference is identified and can be resolved. Copies of any correspondence are retained on file as evidence. The Unit Reconciliation is reviewed by a Senior Administrator or above and a copy retained either on the file or electronically on the system. Completion and review of the unit reconciliation is reported in the monthly Managers' Report, where any issues are highlighted. The DC Investment Tracker is updated and reviewed at the Managers' Meetings and documented in the Minutes to confirm review.

For a selection of clients and months, inspected Unit Reconciliation for sign off by a Senior Administrator or above and inspected copies of correspondence and meeting minutes for confirmation of review of DC Tracker.

No exceptions noted.


3.3.3 Process Investment transactions, balances and related income are posted to the nominal ledger by journals from Investment Manager reports. Investment cash is reconciled taking into account purchases, sales, investment income and charges; investment cost to cost and market value to market value reconciliations are performed as required for all Investment Managers; change in market value is reconciled to Investment Manager reports of realised and unrealised gains and losses.

Control See 6.2.1

This has been tested as part of control 6.2.1.

4. Safeguarding assets

4.1 Member and scheme data is appropriately stored to ensure security and protection from unauthorised use

Control activity and description | Testing performed by KPMG LLP and results

Process Access to XPS Administration / Equiniti Pension Solutions premises is restricted to authorised personnel, with additional restrictions on access to IT areas. Access to XPS Administration networks and administration databases is restricted to authorised individuals, who gain access with unique logins and self-selected passwords that comply with industry standards. Segregation of duties rules for Pensions Administrators are enforced by security profiles built into Compendia. Profiles are assigned to Pensions Administrators based on their roles and responsibilities. Pensions Administrator access to administration databases is reviewed on a regular basis, and inactive accounts are deleted.

Control See 7.1.1 to 7.1.9, 7.2.1 to 7.2.8 and 7.3.5

This has been tested as part of controls 7.1.1 to 7.1.9, 7.2.1 to 7.2.8 and 7.3.5.

4.1.1 Process Managing Data Protection

Responsibility for ensuring that the collection and use of data complies with Data Protection Law is allocated to all Business Managers. The Data Protection Manager provides advice and guidance on legislative requirements. All new staff receive data protection training when they join XPS Administration, and refresher training is given annually. Staff sign an XPS Administration IT and Data Protection policy declaration, a copy of which is held on their HR record (Control 4.1.1). Up-to-date information relating to the Data Protection Act and its application to XPS Administration is maintained on the XPS Administration Intranet, Xone, by the Data Protection, Privacy & FOI Manager and is available to all staff.

Control On an annual basis the data protection spreadsheet is reviewed by the Business Process Manager to verify that all staff members have carried out their on-line training. A reminder is issued annually and completion of the test is monitored by the Business Process Manager and reported back to the Director of Administration Group Practice via email.

Inspected the data protection spreadsheet for evidence of completion of training. Also inspected the email issued annually by Risk and Assurance for evidence of reminders and completion.

No exceptions noted.

Process Physical and Environmental Security

Each of the XPS Administration offices has a security access system which is detailed in the IT section of this document.

Control See 7.1.1 to 7.1.31

This has been tested as part of controls 7.1.1 to 7.1.31.


4.2 Cash is safeguarded and payments are suitably authorised and controlled

Control activity and description | Testing performed by KPMG LLP and results

4.2.1 Process Client bank accounts are only opened after receipt of authorised instructions from the Client (i.e. Trustee). A list of Authorised Client Representatives is obtained as part of the Scheme Implementation. The Implementation Project Manager or the Administration Manager sends a Client instruction to the Pension Accounts Controller.

Control Scheme bank accounts are authorised via written instruction from the Client and the Implementation Manager prior to opening an account. A copy of the written instruction to open an account and any related correspondence is filed in the Scheme Payments and Receipts file.

For a selection of new bank accounts, inspected the Scheme Payments and Receipts file for evidence of written instruction to open the account.

No exceptions noted.

4.2.2 Process New scheme bank account details are sent to the bank by the Pension Accounts Administrator. Once the account is opened, the bank confirms the opening of each account in writing.

Control Following confirmation of the new bank account, the Pension Accounts Administrator checks the new bank account number and requests that IT set the account up on DREAM. The Pension Accounts Controller reviews and signs off the request.

For a selection of new bank accounts, inspected the request for set-up on DREAM by the Pension Accounts Administrator and sign-off of the request by the Pension Accounts Controller.

No exceptions noted.

4.2.3 Process Acknowledgement of Trust is obtained for each new bank account; the Acknowledgement of Trust confirms that the contents of the bank account belong to the Scheme Trustees with no offsetting allowed. The Pension Accounts Controller monitors the account to verify that this is done within 30 days of the account being opened, to avoid the account being invalid.

Control For each new Client bank account, the Pension Accounts Controller monitors a log of the dates on which account opening confirmations are received from the bank and the dates of receipt of Acknowledgement of Trust forms. Any Acknowledgements not received within 14 days are followed up with the bank or Trustees and resolved prior to the 30-day limit. A copy of the log and documentation is retained in the Acknowledgement of Trust File.

For a selection of new bank accounts, inspected the log of receipt in the Acknowledgement of Trust File and supporting documentation as evidence that Acknowledgements not received within 14 days were followed up with the bank or Trustees.

No exceptions noted.


4.2.4 Process A documented process is in place to maintain tiered mandates for release of payments, managed by the Equiniti Pension Solutions Finance Team. Authorisation levels are approved in writing by the Equiniti Pension Solutions Executive Management Group. Addition and removal of staff from the mandates, and amendments to authorisation levels, are managed by the Finance Team on receipt of authorised instructions from XPS Administration. Authorised instructions are retained by the Finance Team. Where Pension Accounts are not carried out by Equiniti Pension Solutions, changes to the bank mandate are referred to the Scheme Trustees for approval. On receipt of approval the mandates are sent to the bank for implementation.

Control When an additional Member of staff is to be added to the bank mandate the Pension Accounts Controller sends an e-mail request to the Equiniti Pension Solutions Finance Director. The Finance Director evaluates the request and if appropriate, authorises the addition to the bank mandate by e-mail to the Pension Accounts Controller, who arranges for the addition to the bank mandate. The Pension Accounts Controller retains a copy of the confirmation. Where Pension Accounts are not carried out by Equiniti Pension Solutions, changes to the bank mandate are referred for approval to the Scheme Trustees. On receipt of approval the mandate is forwarded to the bank for implementation. Copies of the Trustee approval are retained on the scheme file.

For a selection of additional members of staff to be added to the bank mandate, inspected the email request from the Pension Accounts Controller for evidence of receipt by the Equiniti Paymaster Finance Director and for a response authorising the addition to the bank mandate. Where Pension Accounts were not carried out at Equiniti Paymaster, inspected evidence of referral to and approval by the Scheme Trustees. Inspected evidence that, on receipt of approval by the Pension Accounts Controller, the mandate was forwarded to the bank for implementation.

No exceptions noted.

4.2.5 - 4.2.6

Process Benefit payments (e.g. retirements, deaths, leavers) are prepared and reviewed by the Pensions Administration Team. See section 2.2 for details on benefit calculation. (Control 4.2.5) The Pensions Administration Team prepares a standard client or member communication (depending on who the payment is made to) indicating the details of the payment, which is sent to the Pension Accounts Team for processing of payment. Payments are authorised and released in CCM or where CCM is not available by online banking or cheque. (Control 4.2.6)

Control 4.2.5 A second Pensions Administrator verifies the payment details in the client communication against the payment details in Compendia. The Control Sheet is signed off by the Pensions Administrator and retained on file.

This has been tested as part of controls in 2.2.

Control 4.2.6 Payments are approved by a second authorised member of staff. Payments are then reviewed for accuracy and released by a third member of staff according to authority levels established in a tiered mandate. (See control 4.2.4)

Inspected the system configuration and noted that payments required authorisation by a second member of staff and review by a third member of staff according to authority levels established in a tiered mandate. For a selection of payments made in the period, inspected system records and noted that the payments had been authorised by a second member of staff, and reviewed and released by a third member of staff.

No exceptions noted.


4.2.7 Process Electronic payment files are imported via e-banking for payment on the Lloyds Electronic Payment System. Once payments are uploaded, they are authorised and released by two different staff members, as per the tiered mandate structure.

Control Access to release and approve payments in the Lloyds electronic payment system is restricted to the authorised Pension Accounts Administrators via the use of individual access cards and unique PIN.

Inspected the system configuration and noted that access to release and approve payments in the Lloyds electronic payment systems was restricted to authorised Pension Accounts Administrators via the use of individual access cards and unique PIN.

No exceptions noted.

4.2.8 Process Where automatic cheques are used for Lloyds bank, these are generated by Hague, which obtains the payment details from DREAM via CCM and generates an input file of automatic cheque details. The input file is uploaded to a standalone PC and cheques are approved using a secure card reader. Cheque authorisation is restricted to a group of Pension Accountants possessing their own access card and PIN. Cheques are then printed with the electronic signatures of the two individuals who authorised payment and verified for accuracy against client payment correspondence prepared by the Pensions Administration Team. Cheques are not sent out to clients or members until client payment correspondence is received and verified against the cheque details. Any such cheques are held overnight in a locked safe.

Control Staff members have individual access with unique passwords to cheque writing software, and individual access cards to add their signatures to and authorise printing of the cheque.

Inspected the system configuration and noted that staff members had individual access with unique passwords to cheque writing software, and individual access cards to add their signatures to and authorise the printing of cheques.

For a selection of payments during the period, inspected the cheque writing software and noted that staff members had used individual access cards to add their signatures to and authorise the printing of the cheques.

No exceptions noted.

4.2.9 - 4.2.10

Process Payment files are imported via e-banking and then released for payment. (Control 4.2.9 and 4.2.10) Bank reconciliations are performed against DREAM/SAGE by the Pension Accounts Administration Team within 60 days of the monthly accounting period end date.

Control 4.2.9 Access to loading payment files via e-banking is restricted to authorised individuals in the Pension Accounts Team via the use of individual logins and passwords.

Inspected the system configuration and noted that access to loading payment files via e-banking was restricted to authorised individuals in the Pension Accounts Team via the use of individual logins and passwords.

No exceptions noted.

Control 4.2.10 The payment files are released to the bank for payment by two signatories from the tiered signatories’ mandate, using individual access card and PIN. At least monthly, scheme bank statements are reconciled to DREAM to verify that cash book entries have been accurately recorded. See Section 3.2.

Inspected system configuration settings and noted that payment files were only released to the bank for payment once two authorised signatories from the tiered signatories' mandate had authorised them using an individual access card and PIN.

No exceptions noted.

In respect of bank reconciliations, this has been tested as part of control 3.2.5.
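Controls 4.2.6, 4.2.7 and 4.2.10 share one design: a payment is prepared by one person, approved by a second, and released by a third, and the person releasing must hold authority for the amount under the tiered mandate maintained in 4.2.4. The Python below is an added illustration of how that rule set is enforced and tested; it is not code from the report, from XPS or from the CCM or Lloyds systems, and the tiers, user names, payee and amounts are assumptions. The check functions return the reason for a refusal (or None), so the failure cases a reviewer would want to see rejected, the preparer approving their own payment, the approver also releasing, a release above the signatory's tier, or a release before approval, can each be exercised directly.

```python
"""Tiered-mandate payment authorisation with segregation of duties (constructed example).

One person prepares a payment, a second authorised person approves it, and a
third reviews and releases it; the releaser's authority is limited by a tiered
mandate. The tiers, user names and amounts are assumptions for illustration,
not the real CCM or Lloyds e-banking configuration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


class MandateViolation(Exception):
    """Raised when an approval or release would breach the mandate."""


@dataclass(frozen=True)
class Signatory:
    user_id: str
    release_limit: Decimal   # largest single payment this signatory may release


@dataclass
class Payment:
    payee: str
    amount: Decimal
    prepared_by: str
    approved_by: Optional[str] = None
    released_by: Optional[str] = None


class Mandate:
    def __init__(self, signatories):
        self._signatories = {s.user_id: s for s in signatories}

    def approval_issue(self, payment, user_id):
        """Reason the approval must be refused, or None if it may proceed."""
        if payment.amount <= 0:
            return "amount must be positive"
        if payment.approved_by is not None:
            return "payment already approved"
        if user_id not in self._signatories:
            return f"{user_id} is not on the mandate"
        if user_id == payment.prepared_by:
            return "preparer may not approve their own payment"
        return None

    def release_issue(self, payment, user_id):
        """Reason the release must be refused, or None if it may proceed."""
        if payment.approved_by is None:
            return "payment has not been approved"
        if payment.released_by is not None:
            return "payment already released"
        signatory = self._signatories.get(user_id)
        if signatory is None:
            return f"{user_id} is not on the mandate"
        if user_id in (payment.prepared_by, payment.approved_by):
            return "releaser must be a third person, distinct from preparer and approver"
        if payment.amount > signatory.release_limit:
            return f"{payment.amount} exceeds {user_id}'s release limit of {signatory.release_limit}"
        return None

    def approve(self, payment, user_id):
        issue = self.approval_issue(payment, user_id)
        if issue:
            raise MandateViolation(issue)
        payment.approved_by = user_id
        return payment

    def release(self, payment, user_id):
        issue = self.release_issue(payment, user_id)
        if issue:
            raise MandateViolation(issue)
        payment.released_by = user_id
        return payment


def new_payment(payee, amount, prepared_by):
    """Build a payment from a string amount so callers need not handle Decimal."""
    return Payment(payee=payee, amount=Decimal(amount), prepared_by=prepared_by)


def sample_mandate():
    # Assumed tiers: a junior signatory releases small payments only; larger
    # payments need a signatory from a higher tier.
    return Mandate([
        Signatory("alice", Decimal("5000")),
        Signatory("bob", Decimal("50000")),
        Signatory("carol", Decimal("100000")),
    ])


if __name__ == "__main__":
    mandate = sample_mandate()
    payment = new_payment("J Smith (retirement lump sum)", "20000.00", "dave")
    mandate.approve(payment, "alice")
    try:
        mandate.release(payment, "alice")   # same person approving and releasing: refused
    except MandateViolation as exc:
        print("refused:", exc)
    mandate.release(payment, "bob")
    print("released by", payment.released_by)
```

Keeping the tier check on the releaser mirrors the wording of 4.2.6; a stricter variant would also require the approver's tier to cover the amount, so that no two low-tier signatories could between them move a large payment up to a single high-tier releaser without that releaser's review being the only substantive one.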


5. Monitoring compliance

5.2 Services provided to pension schemes are in line with service level agreements

Control activity and description | Testing performed by KPMG LLP and results

5.2.1 Process All work received in the Pensions Administration Department is logged into the Work Monitoring System; the system automatically allocates a Service Level Agreement (SLA) date based on the case type created. The Administration system tracks each case against SLA elapsed time. Management Information comparing actual case processing performance against SLA targets is produced on a daily, weekly and monthly basis.

Control Daily/Weekly Management Reports are produced by a Team Leader or above and used to compile a Monthly Management Report which is submitted to the Director of Administration/Office Heads. Where required, the report is discussed at either formal or informal monthly meetings with actions taken to resolve any issues raised.

For a selection of clients and meetings, inspected Management Reports submitted to the Director of Administration/Office Heads and the meeting minutes for evidence of discussion of the Report.

No exceptions noted.

5.2.2 Process An Annual Planner is produced for each scheme detailing the events that are required throughout the year. The Pensions Administration Team produce a formalised annual plan for each scheme in order to manage the timing of periodic and annual transactions.

Control The Pensions Administration team produce a formalised annual plan to manage and monitor periodic and annual transactions, scheme-level activities and non-member-related activities. The plan is held electronically on the system and reviewed and updated by the Team Leader or Manager each month.

For a selection of clients, inspected the Annual Planner for evidence of monthly review by the Pension Administration team leader or manager.

No exceptions noted.

5.3 Transaction errors are rectified promptly and clients treated fairly

Control activity and description | Testing performed by KPMG LLP and results

5.3.1 Process Complaints

When a complaint is received it is logged into a central Complaint Management System by a Senior Pensions Administrator/Team Leader/Manager, or a nominated deputy. Key information relating to the complaint is recorded in the Complaint Management System, which is used to track the progress of the complaint through to resolution and to monitor that responses are issued in a timely fashion. Each complaint is thoroughly investigated by a member of the Pensions Administration Team, in accordance with the XPS Administration Complaint handling procedure. When the complaint is completed, the Senior Pensions Administrator/Team Leader/Manager closes the record in the Complaint Management System as confirmation that the complaint has been thoroughly investigated and resolved within the specified SLAs.

Control Complaint-related correspondence is reviewed by a Pensions Administration Team Leader or Manager. Details of the complaint are captured on the Complaint Management System and reviewed to verify that all complaint details are captured, investigated and resolved within the SLA set down between XPS Administration and the Client and within FCA-defined timescales if applicable. Where the case is not dealt with by a Manager, correspondence is signed off by a Pension Administration Team Leader/Manager prior to issue. Copies of signed-off correspondence are retained on the Scheme or Member file. On a monthly basis an outstanding complaints listing is sent to Administration Managers for review, and on a quarterly basis a complaint trend analysis is prepared by the Business Process Manager and reviewed by the members of the Administration Group Practice at their meeting. Any actions resulting from the review are documented as part of the meeting minutes, copies of which are retained.

For a selection of complaints, inspected the Complaint Management System and Scheme or Member File for evidence of review by a Pensions Administration Team Leader or Manager to ensure all complaint details were captured, investigated and resolved within the SLA and FCA-defined timescales, if applicable.

For a selection of quarters, where applicable, inspected meeting minutes for evidence of preparation of complaint trend analysis by the Risk and Assurance team and for evidence of review by members of the Risk Management Team to ensure actions resulting from the review were adequately documented.

No exceptions noted.

5.3.2 Process When a transaction or calculation error is identified, Root Cause Analysis is undertaken, including action taken to ensure that the error doesn’t occur again. Where a financial loss is identified details of the Root Cause Analysis are recorded in the Complaint Management System, and where compensation is paid, on a compensation payment request form.

Control Compensation claims details and Root Cause Analysis are reviewed by the Pensions Administration Manager/Team Leader to verify that corrective action has been taken to prevent a repeat of the error. Claim details including calculation of claim amount are verified for accuracy. Once complete, and where necessary, the Pensions Administration Manager/Team Leader completes the Root Cause Analysis fields in the Complaint Management System, and completes and signs off the compensation payment request form. On a quarterly basis the Administration Group Practice review and carry out a Complaint Trend Analysis and feed back to the Managers/Team Leaders where necessary via email, copies of which are retained.

For a selection of Compensation claims, inspected Compensation claim details and Root Cause Analysis for evidence that corrective action has been taken and claim calculations had been verified for accuracy.

Also inspected the Complaint management system for evidence that the Pensions Administration Manager/ Team Leader had completed the Root Cause Analysis field, where necessary, and completed and signed off the payment request form.

No exceptions noted.

5.3.3 Process All compensation payments must be authorised by an XPS Administration Director prior to payment.

Control All Compensation Payment request forms are signed off by an XPS Administration Director prior to agreement to pay compensation.

For a selection of Compensation payments, inspected Compensation Payment request forms for sign off by an XPS Administration director, prior to agreement to pay compensation.

No exceptions noted.


6. Reporting to clients

6.1 Periodic reports to participants and scheme sponsors are accurate, complete and provided within the required timescales

Control activity and description | Testing performed by KPMG LLP and results

6.1.1 Process A timetable for reporting is agreed with the Client and includes regular (usually quarterly or half yearly) Administration Reports. Administration Reports are prepared by the Pensions Administration Team, reviewed by the Administration Manager before being issued or presented to the Client as minuted Service Reviews or Trustee Meetings.

Control Data reports for Scheme Actuaries are verified on a sample basis by the Pensions Administration Team to confirm that data is accurate. The Valuation (DB) Action Sheet is signed off by a second Pensions Administrator as evidence of review. On a quarterly basis or other frequency as agreed with the Client, Administration Reports are prepared by a Pensions Administrator and reviewed for accuracy and completeness by a Senior Administrator/Manager. Once reviewed the report is either manually signed and passed to, or emailed to the Consultant, with confirmation of review. The report is submitted to the Client with copies of the report and emails retained on file.

For a selection of clients and quarters or other frequency as agreed with the client, inspected the Administration reports for evidence of preparation by a Pensions Administrator and review by a Senior Administrator/ Manager or email to Consultant with confirmation of review.

No exceptions noted.

6.1.2 Process The Annual Renewal and Benefit Statement exercise is managed by the Administration Team and is completed using the Benefit Statement Checklist to ensure that statutory and Client deadlines are met. The checklist details all the process steps required, including checks to verify that Member data is complete, accurate, and up to date. As part of the process, a statistically representative sample of calculations is verified to confirm accuracy.

Control On an annual basis, the Administration Manager reviews the Annual Renewal and Benefit Statement Checklists to verify that the renewals have been tested for timeliness, Benefit Statements have been produced accurately on time, the Member data is complete, accurate and up to date, and that a statistically representative sample of calculations has been checked as correct. Once complete, the Benefit Statement Checklist is signed as evidence of review.

For a selection of clients, inspected the Annual Renewal and Benefit Statement Checklist for evidence of sign off by the Administration Manager.

No exceptions noted.

6.2 Annual reports and accounts are prepared in accordance with applicable law and regulations

Control activity and description | Testing performed by KPMG LLP and results

6.2.1 Process Financial Statements

Production of the Financial Statements is scheduled in the Scheme timetable. A Scheme Year End Accounts Checklist is used as a guide to the completion of the Annual Scheme Accounts. The Year End Accounts process includes the following:

> All cash payments/receipts from the Trustee administration bank account are reconciled to cash receipts/payments reported by the Investment Managers;

> Investment transactions, balances and related income are posted to the nominal ledger by journals from Investment Manager reports;

> Investment cash is reconciled taking into account purchases, sales, investment income and charges; investment cost to cost and market value to market value reconciliations are performed as required for all Investment Managers;

> Change in market value is reconciled to Investment Manager reports of realised and unrealised gains and losses.

Control On an annual basis, the Pension Accountant reviews the draft accounts to verify the accuracy and completeness of the content, figures and disclosures. All statements are reviewed against the model example statements contained in the Statement of Recommended Practice (SORP), and the content is reviewed for legislative and regulatory guideline changes. Once satisfied, the Pension Accountant signs off the Scheme Year End Accounts Checklist as evidence of review. The draft accounts are reviewed and the Scheme Year End Accounts Checklist signed off by a second Pension Accountant or a Senior Manager. Where the production of the draft accounts is completed by Equiniti Pension Solutions, they are subject to an internal review, performed at least monthly by the Pension Accounts Controller. This control may also include client oversight as required. Evidence of the internal review is maintained on the Job Progress Sheet.

For a selection of clients, inspected the Scheme Year End Accounts Checklist for evidence of sign-off by a Pension Accountant and a second Pension Accountant or Senior Manager. For the accounts completed by Equiniti, inspected the Job Progress Sheet for evidence of internal review by the Pension Accounts Controller.

No exceptions noted.

6.2.2 Process Progress of production of Scheme Accounts is monitored against agreed and statutory deadlines. On a monthly basis, or as agreed with the Client, functional Directors are provided with management information on the progress of accounts production for the individual Schemes, including any potential breaches of the Pensions Act 1995 seven-month deadline.

Control At least monthly the Pensions Accounts Team Leader reviews the completion of Annual Accounts against the Accounts Production Schedule. The schedule is updated with progress and any concerns are discussed with the Pension Accountant, or the Pension Accounts Controller if appropriate. A copy of the schedule is retained in Pension Accounts.

For a selection of clients and months, inspected the Accounts Production Schedule for evidence of review and update with production progress by the Pension Accountant.

No exceptions noted.

6.3 Regulatory reports are made if necessary

Control activity and description | Testing performed by KPMG LLP and results

6.3.1 Process Breaches are reported by the Administration Manager or their deputy to Group Compliance and recorded on the Error and Complaints Database (Pentana).

Control Upon identification of a potential breach, an email is immediately prepared and sent to Group Compliance to advise the facts of the potential breach, and a new breach is created in the Error and Complaints Database (Pentana). On receipt, Group Compliance review the facts, requesting additional information if required, and update the Administration Manager on whether the case is an actual breach along with the next steps. The Administration Manager updates Pentana with the information and, where necessary, reports the case to the Data Controller. If required, the Data Controller (Client) submits a report to the ICO within 72 hours of being informed of the breach.

For a selection of breaches identified, inspected the email prepared and sent to Group Compliance and inspected the breach on the Error and Complaints Database (Pentana). Where required, inspected evidence of submission to the ICO within the 72 hour time limit.

No exceptions noted.


6.3.2 Process The Consultants monitor output from Government Bodies, the Pensions Press, and any other bodies, for all changes relating to Pensions Legislation. Any changes to Pensions Legislation are fed through the DB and DC Practice Groups and Managers along with a quarterly Consultants update which is distributed with copies held on the company intranet.

Control At least quarterly the Consultants prepare a Consultants update that includes updates and new information. This is reviewed by the Head of Technical prior to distribution to the Administration Teams. Copies of these updates are sent to the Managers for distribution and copies are held on the company Intranet.

For a selection of quarters inspected Consultants updates for evidence of review by the Head of Technical, prior to distribution.

No exceptions noted.

6.3.3 Process Performance/competency gaps/training requirements/ objectives are discussed and agreed with staff at their six monthly review. The Team Member’s objectives and Personal Development Action Plan are updated and held by the Team member as evidence of completion.

Control Details of technical training received is recorded and monitored in the skills and competencies matrix by the Administration Manager/Team Leader.

For a selection of offices and six monthly reviews, inspected the skills and competencies matrix for evidence of monitoring by the Administration Manager/Team Leader.

No exceptions noted.

7 Restricting access to systems and data

7.1 Physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals

Control activity and description | Testing performed by KPMG LLP and results

7.1.1 -7.1.3

Process The building housing the Reading office is occupied by XPS Administration and other tenants.

Entry is restricted to authorised personnel and visitors and has:

> A timed card access system

> 24 hour CCTV

Control 7.1.1 The Reading premises is monitored by security personnel and 24 hour CCTV and is externally security locked.

Enquired of management regarding site monitoring and were informed that security personnel were present. Observed the Reading premises and noted that CCTV was in place and monitored by security personnel. Observed the Reading premises and noted that it is externally security locked.

No exceptions noted.

Control 7.1.2 Entry to the floors occupied by XPS Administration is controlled by a card access system. Visitors are required to sign in at reception and are collected and escorted from the reception area.

Observed the XPS Administration office floors and noted that a card access control system was in place. Observed the XPS Administration reception and noted that visitors were issued with a visitor’s pass and were escorted from the reception area. Inspected the visitors log and noted that it records visitors signing in and out of the building.

No exceptions noted.


Control 7.1.3 Access cards are issued by the XPS Administration Receptionist upon receipt of an authorised New Starter Form completed by a Line Manager.

Observed the Reading premises and noted that external access has been restricted via access cards. For a selection of new starters from the list of all starters at the Reading office during the period, inspected the corresponding New Starter Forms and noted that access cards had been issued following receipt of formal authorisation from a line manager.

No exceptions noted.

7.1.4 -7.1.5

Process The building housing the Belfast office is occupied by XPS Administration and other tenants. Entry is restricted to authorised personnel and visitors via a Landlord owned, controlled and maintained access system as follows:

> Upon arrival visitors buzz for access to the general reception area of the building and sign in with building security.

> Upon arrival at the XPS Administration floor access to the main office is by means of a bell which is answered by one of the staff from within the office.

Control 7.1.4 Access to the Belfast office is restricted to authorised personnel and visitors via a landlord controlled and maintained access system.

> Upon arrival at the building visitors gain access to the general reception area by means of a buzzer access where they sign in with building security.

> Upon arrival at the XPS Administration floor, access to the main office is by means of a bell which is answered by one of the staff from within the office.

Observed the Belfast premises and noted that access to the building was restricted via an access control system which was controlled and maintained by the Landlord and that the premises were manned by security personnel during predefined hours. Further noted that visitors had to pass through the main reception and were then directed to the XPS Administration area where they were signed in and out of the visitors’ book by reception staff and were collected and escorted by the individual they were visiting.

No exceptions noted.

Control 7.1.5 Visitors are collected and escorted to the XPS Administration operational area by a member of XPS Administration staff.

Observed the visitor areas and noted that visitors were collected and escorted to the XPS Administration operational area by a member of XPS staff.

No exceptions noted.


7.1.6 -7.1.7

Process The building housing the Leeds office is occupied by XPS Administration and other tenants. Entry is restricted to authorised personnel and visitors via a Landlord owned, controlled and maintained access system as follows:

> The main doors are manned for a set number of hours by security personnel and a building reception.

> Visitors are directed to XPS Administration’s offices where they sign a visitors book located at reception and are collected and escorted by the person they are visiting. XPS Administration occupies one floor of a multi-tenanted building. Access to the XPS Administration areas is controlled by the Office Manager. Staff are issued with access cards upon formal authorisation from the Office Manager.

Control 7.1.6 Entry is restricted to authorised personnel and visitors via a Landlord owned, controlled and maintained access system.

> The main doors are manned for set hours by security personnel and a building reception.

> Visitors are directed to XPS Administration’s office where they sign the visitor’s book, held in reception, and are collected and escorted around the floor by a member of staff.

> On leaving they are required to sign out of the visitor’s book.

Observed the Leeds premises and noted that access to the building was restricted via an access control system which was controlled and maintained by the Landlord and that the premises were manned by security personnel during predefined hours. Further noted that visitors had to pass through the main reception and were then directed to the XPS Administration area where they were signed in and out of the visitors book by reception staff and were collected and escorted by the individual they were visiting.

No exceptions noted.

Control 7.1.7 Staff are issued with access cards upon formal authorisation from the Office Manager.

Inspected the list of access cards and for a selection of cards issued, inspected supporting documentation and noted that requests had been authorised by the Office Manager.

No exceptions noted.

7.1.8 Process Physical access to the areas containing the IT infrastructure is restricted by the XPS Administration Head of IT. An access request for any other individual is granted by the XPS Administration Head of IT upon request. Room access is gained via Swipe Card.

Control Access to the Reading IT processing facilities (Comms Room) is restricted by Swipe Card Access. Access is restricted to IT staff, within the Systems Support Team and requests for access must be authorised by the XPS Administration Head of IT.

Observed the Reading IT processing facilities and noted that access was restricted by swipe card access. Inspected the list of users with access to the Reading IT processing facilities and noted that access had been restricted to IT staff. For a selection of new users as identified in the HR starters list who had been granted access to the Reading IT processing facilities, inspected access requests and noted that access had been authorised by the XPS Administration Head of IT.

No exceptions noted.


7.2 Logical access to computer systems, programs, master data, transactional data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques

Control activity and description | Testing performed by KPMG LLP and results

7.2.1 Process Network Operating System: Identification and Authentication Logical access to network resources, by users and the Outsourced IT Provider is controlled via unique user logons and self-select passwords which must conform to industry standard length and complexity rules. Passwords expire after a set number of days and history prevents re-use.

Control Network Operating System: Identification and Authentication User accounts are identified to the network through unique user IDs and passwords.

Inspected the network user list and noted that users had been assigned unique user IDs.

Inspected the network password parameters and noted that password parameters such as password complexity, length, history, and account lockout threshold were in place.

No exceptions noted.

7.2.2 Process Network Operating System: Lockouts

User accounts are locked out after a set number of failed attempts to authenticate. The user must raise a ticket with the Outsourced IT Provider helpdesk to unlock the account. The user will be asked to identify themselves using a unique identifier. The Outsourced IT Provider can provide metrics on the number of user accounts it has unlocked to the XPS Administration Head of IT if required.

Control Network Operating System: Lockouts

User accounts and administrator accounts are locked out after three failed attempts. Accounts are unlocked by the Outsourced IT Provider upon receipt of a ticket which is logged by the user. Logged requests are retained and the information is provided to the XPS Administration IT management on request.

Inspected the network password parameters and noted that user accounts and administrator accounts had been configured to be locked out after three failed attempts at access.

Inspected the helpdesk ticket list and noted that requests for unlocking accounts had been logged and retained.

For a selection of tickets raised, noted that these were logged by the user and actioned by the outsourced IT provider.

No exceptions noted.

7.2.3 -7.2.4

Process Application, Identification and Authentication

Logical access to the schemes administration application by Pensions Administrators is controlled via unique user login and self-select passwords. Passwords expire after a set number of days and password history prevents re-use within a set number of valid changes.

Control 7.2.3 Users are identified to the scheme administration application through unique user IDs and passwords. Accounts are set up following approval from Line Managers via Passportal which is retained in the system for review.

Inspected the scheme administration application user list and noted that unique User IDs were in place and that users required a password to access the schemes administration application.

For a selection of new account creation requests raised in the Passportal system, inspected access requests and noted that these had been approved by Line Managers before access was granted and that the request had been retained.

No exceptions noted.


Control 7.2.4 The schemes administration application passwords are configured by the Systems Support Team and require a combination of alphanumeric characters and a predefined password length.

Inspected the schemes administration application password parameters and noted that password settings configured in the system required passwords to be a minimum length and a combination of alphanumeric characters.

No exceptions noted.

7.2.5 Process Application Lockouts

User accounts are locked out after a set number of failed attempts to authenticate requiring the user to contact the Systems Support Team via telephone, email or in person to enable the account to be unlocked or reset.

Control Application Lockouts

Application accounts are locked out after three failed attempts at access. Accounts are unlocked by a member of the Systems Support Team on receipt of a request from the user.

Inspected the schemes administration application settings and noted they had been configured to lock out users after three unsuccessful attempts.

Inspected a selection of Passportal unlock requests and noted that the accounts had been unlocked by the System Support Team and the request had been recorded on the system.

No exceptions noted.

7.2.6 -7.2.7

Process Provisioning of Users: Network User Accounts: Add and Change

A user administration process to add and change user accounts, security groups or other system objects is instigated, assessed and authorised by business areas using new starter forms or employee change of details forms. The business will detail which systems resources the user can access and their access rights to each.

The request is recorded on the Outsourced IT Provider’s service desk and may be further authorised as required by the XPS Administration Head of IT.

Control 7.2.6 Network User Accounts: Add

Requests to add user accounts are submitted and approved by a business representative to the Outsourced IT Provider’s service desk.

Period 01.01.2018 – 26.09.2018

KPMG enquired of management and noted that due to the method of archiving used by the previous outsourced IT provider no evidence pertaining to the addition of user accounts being approved by a business representative was available. KPMG LLP was therefore unable to test this element of the control.

Period 27.09.2018 – 31.12.2018

For a selection of new users as identified in the HR starters list for whom a new network account had been created, inspected the access requests to determine whether the Outsourced IT Provider had been notified of new starters and gained approval from a business representative.

Exception noted:

For one out of five new starters selected the request to add and approve the user account by a business representative had not been retained.

Management response:

No further evidence could be obtained by the previous outsourced IT provider and all access now goes through the same process. The requirement to ensure that all forms are retained has been reiterated.


Control 7.2.7 Network User Accounts: Change

Requests to change user accounts are submitted to the Outsourced IT Provider’s service desk by a business representative and actioned upon authorisation from the XPS Administration IT Management.

Period 01.01.2018 – 26.09.2018

KPMG enquired of management and noted that due to the method of archiving used by the previous outsourced IT provider no evidence pertaining to user account changes being authorised by the XPS Administration IT Management was available. KPMG LLP was therefore unable to test this element of the control.

Period 27.09.2018 – 31.12.2018

For a selection of user account changes, inspected the corresponding requests to determine whether these had been submitted by business representatives to the Outsourced IT Provider and had been authorised by the XPS Administration IT Management.

Exception noted:

For five out of five user account changes selected the approval from XPS administration IT management had not been retained.

Management response:

No further evidence could be obtained by the previous outsourced IT provider and all access now goes through the same process. The requirement to ensure that all forms are retained has been reiterated.


7.2.8 -7.2.10

Process Network User Accounts: Disable and Remove

Notification of a terminated employee is submitted by an authorised business representative to the Outsourced IT Provider via a staff leaver request. User accounts are disabled or, with business authorisation, remain active for an agreed period. A review of all accounts takes place annually, and a monthly report of inactive accounts is sent to the XPS Administration Head of IT at the end of each month.

Control 7.2.8 Network User Accounts: Disable and Remove

Notifications of terminated employees are sent to the Outsourced IT Provider by a business representative upon completion of a leaver form. The user accounts are either disabled immediately, if the termination date has passed and no authorisation to remain has been agreed or, with business authorisation, remain active for an agreed period after which time the account will be closed.

Period 01.01.2018 – 26.09.2018

KPMG enquired of management and noted that due to the method of archiving used by the previous outsourced IT provider no evidence pertaining to the notification of terminated employees by a business representative was available. KPMG LLP was therefore unable to test this element of the control.

Period 27.09.2018 – 31.12.2018

For a selection of leavers during the period, inspected the notifications of terminated employees to determine whether these had been completed by a business representative and submitted to the Outsourced IT Provider.

Inspected the network system and noted that access for all of the leavers selected had been removed.

Exception noted:

For four out of five leaver accounts selected the notification of terminated employees by a business representative had not been retained.

Management response:

No further evidence could be obtained by the previous outsourced IT provider and all access now goes through the same process. The requirement to ensure that all forms are retained has been reiterated.

Control 7.2.9 In order to highlight where staff leavers have not been notified direct to the Outsourced IT Provider, HR submits a monthly report of staff leavers to the Business Process Manager and the Systems Support Team who check to see if the relevant access has been revoked on the system. If the schemes administration application account is still active, a Passportal ticket is logged and the access is closed down. If the network access is still active, the Business Process Manager contacts the relevant business head to arrange for the IT leaver form to be completed and submitted, for action, to the Outsourced IT Provider. For any account where there is no obvious Business Head (for example temporary staff) the Business Process Manager completes the IT leaver form and submits it, for completion, to the Outsourced IT Provider.

Inspected the Passportal system and noted that the Business Process Manager and the Systems Support Team had been notified of staff leavers by HR via the receipt of a monthly Staff Leaver List. For a selection of months, inspected the HR Leaver Reports submitted to the Business Process Manager and the Systems Support Team and noted that these had been received on a monthly basis and that the leavers accounts highlighted on the report had been disabled.

No exceptions noted.


Control 7.2.10 Network User Accounts:

The Outsourced IT Provider sends a monthly report of all accounts that have been inactive for 6 weeks to the XPS Administration IT Management. A review of the accounts is carried out by the Business Process Manager to see if any staff have left and their accounts are disabled.

For a selection of inactive account reviews, inspected inactive account review evidence and noted that network accounts had been reviewed by the Business Process Manager and identified accounts that were required to be disabled. For a selection of accounts identified to be disabled, inspected the network system and noted that access had been removed.

No exceptions noted.

7.2.11 Process Provisioning of Users: Applications

Access to the schemes administration application is restricted to approved individuals. Access to the schemes administration application is requested and approved through Passportal. Access is requested and authorised by a Pensions Administration Team Leader or above. The access request is logged on Passportal and processed by the Systems Support Team. The user is contacted with their access details. Records of access granted are retained in Passportal.

Control Provisioning of Users: Applications

Access to the schemes administration application is requested and approved through Passportal. Access is requested and authorised by a Pensions Administration Team Leader or above. The access request is logged on Passportal and processed by a Systems Support Analyst. The user is contacted, by email, with details of their user credentials. Records of access granted are retained within Passportal.

For a selection of users granted access to the schemes administration application during the period, inspected the access requests logged within the Passportal system and noted that each had been requested and authorised by a Pension Administration Team Leader or above, had been processed by a System Support Analyst, that users had been contacted with their access details and that the records of access granted had been retained within Passportal.

No exceptions noted.

7.2.12 Process Notifications of terminated employees are sent to Systems Support from Human Resources. The relevant accounts are disabled with copies of the lists and amendments retained by the Systems Support Team.

Control On a monthly basis, the Systems Support Team is provided with a list, from HR, of all leavers. The list is checked against the current users set up in the schemes administration application and any leaver accounts are deactivated. The disabled account is marked as a leaver and the list is retained for a minimum of twelve months as evidence of change.

Inspected the Passportal system and noted that the Business Process Manager and the Systems Support Team had been notified of staff leavers by HR via the receipt of a monthly Staff Leaver List. For a selection of months, inspected the HR Leaver Reports submitted to the Business Process Manager and the Systems Support Team and noted these had been received on a monthly basis and that the leavers accounts highlighted on the report had been compared to the current application user list and any leaver accounts had been marked as disabled. It was further noted that the lists had been retained for a minimum of twelve months.

No exceptions noted.
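The monthly checks in controls 7.2.9, 7.2.10 and 7.2.12 amount to a reconciliation of the HR leaver list and the inactivity report against the current account lists. The Python below is an added illustration of that reconciliation, not XPS Administration's or the Outsourced IT Provider's own tooling; the account fields, the handling of a business-authorised retention period and the sample data are assumptions.

```python
"""Leaver and inactive-account reconciliation (illustrative, not XPS code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Control 7.2.10: accounts with no activity for 6 weeks are reported monthly.
INACTIVITY_THRESHOLD = timedelta(weeks=6)


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str                          # "network" or "application" (assumed field)
    enabled: bool
    last_logon: Optional[date]           # None = never logged on
    retain_until: Optional[date] = None  # business-authorised retention (7.2.8), assumed field


@dataclass(frozen=True)
class Leaver:
    user_id: str
    leaving_date: date


def leaver_exceptions(leavers, accounts, review_date):
    """Leavers whose accounts remain enabled past their leaving date and past any
    authorised retention period. Mirrors the 7.2.9 / 7.2.12 monthly check and
    names the follow-up the report describes for each system."""
    accounts_by_user = {}
    for acct in accounts:
        accounts_by_user.setdefault(acct.user_id, []).append(acct)

    exceptions = []
    for leaver in leavers:
        if leaver.leaving_date > review_date:
            continue  # still employed on the review date, nothing to revoke yet
        for acct in accounts_by_user.get(leaver.user_id, []):
            if not acct.enabled:
                continue  # already disabled, control operated
            if acct.retain_until is not None and acct.retain_until >= review_date:
                continue  # active by business authorisation, not an exception
            if acct.system == "application":
                action = "log Passportal ticket to close application account"
            else:
                action = "obtain IT leaver form for Outsourced IT Provider"
            exceptions.append((acct.user_id, acct.system, action))
    return sorted(exceptions)


def inactive_network_accounts(accounts, review_date):
    """Enabled network accounts with no logon within INACTIVITY_THRESHOLD (7.2.10).
    Accounts that have never logged on are treated as inactive."""
    stale = []
    for acct in accounts:
        if acct.system != "network" or not acct.enabled:
            continue
        if acct.last_logon is None or review_date - acct.last_logon >= INACTIVITY_THRESHOLD:
            stale.append(acct.user_id)
    return sorted(stale)


def monthly_review(leavers, accounts, review_date):
    """The review record that would be retained as evidence of the check."""
    return {
        "review_date": review_date.isoformat(),
        "leaver_exceptions": leaver_exceptions(leavers, accounts, review_date),
        "inactive_network_accounts": inactive_network_accounts(accounts, review_date),
    }


# Constructed sample data; none of it is taken from the report.
REVIEW_DATE = date(2018, 11, 30)
HR_LEAVERS = [
    Leaver("alice", date(2018, 11, 2)),   # left, accounts never disabled
    Leaver("bob", date(2018, 11, 9)),     # left, accounts correctly disabled
    Leaver("carol", date(2018, 12, 14)),  # leaving date still in the future
    Leaver("dave", date(2018, 10, 19)),   # retained by business authorisation
    Leaver("heidi", date(2018, 9, 28)),   # retention period has expired
]
ACCOUNTS = [
    Account("alice", "network", True, date(2018, 11, 1)),
    Account("alice", "application", True, date(2018, 11, 1)),
    Account("bob", "network", False, date(2018, 11, 8)),
    Account("bob", "application", False, date(2018, 11, 8)),
    Account("carol", "network", True, date(2018, 11, 29)),
    Account("dave", "network", True, date(2018, 11, 20), retain_until=date(2018, 12, 31)),
    Account("erin", "network", True, date(2018, 10, 1)),   # not a leaver, 60 days idle
    Account("frank", "network", True, None),               # never logged on
    Account("grace", "network", True, date(2018, 11, 25)),
    Account("heidi", "network", True, date(2018, 9, 27), retain_until=date(2018, 10, 31)),
]

if __name__ == "__main__":
    import json
    print(json.dumps(monthly_review(HR_LEAVERS, ACCOUNTS, REVIEW_DATE), indent=2))
```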


7.3 Segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles

Control activity and description | Testing performed by KPMG LLP and results

7.3.1 Process The Outsourced IT Provider’s Administrators carry out multi-function roles and as such have access to all the relevant areas of the network. This allows them to carry out their duties fully even when “on call”.

Control The Outsourced IT Provider’s Administrators.

On a monthly basis, meetings are held between the Outsourced IT Provider and XPS Administration to discuss the services provided by the Outsourced IT Provider including access to the XPS Administration network and are evidenced by meeting minutes.

Enquired of management regarding the monthly meetings between the Outsourced IT Provider and XPS Administration and were informed that these were held to discuss services provided by the Outsourced IT Provider.

For a selection of months, inspected the service review meeting minutes and noted that network access had been discussed.

No exceptions noted.

7.3.2 Process Pensions Administration Users

Access to the schemes administration application is controlled by user name and password. Associated with each Pensions Administrator is a security profile which determines:

> The relevant schemes to which they have access

> The functionality they can access

> The member records they can access

> Whether they are permitted to amend data or view data only

Access by a Systems Support Analyst requires entry of a unique username and password into a separate security database. (Control 7.3.2) Built into the schemes administration application are security procedures controlling access to sensitive data and facilities. The audit trail facility records changes made to the data, including who made the changes and when. (Control 7.3.3)

Control Pensions Administration Users

Segregation of duties rules are enforced by security profiles built into the schemes administration application. Profiles are assigned to authorised individuals, following an access request from a Team Leader or above, and are aligned to their job roles and responsibilities. A review of access is carried out, by the Systems Team, at least twice a year to verify that staff still have the required access. Any inconsistencies or anomalies are referred to the Team Manager of the access group for resolution.

Inspected the configuration of the schemes administration application and noted that segregation of duties rules were enforced by security profiles.

For a selection of access requests raised by a Team Leader or above during the period, inspected the access requested and noted that users had been assigned access rights aligned to their roles and responsibilities.

For a selection of access reviews carried out during the period, inspected access review documentation and noted that the Systems Team had reviewed access and that any anomalies had been identified for resolution to the Team Manager.

No exceptions noted.


7.3.3 Process Pensions Administration Users

Access to the schemes administration application is controlled by user name and password. Associated with each Pensions Administrator is a security profile which determines:

> The relevant schemes to which they have access

> The functionality they can access

> The member records they can access

> Whether they are permitted to amend data or view data only

Access by a Systems Support Analyst requires entry of a unique username and password into a separate security database. (Control 7.3.2)

Built into the schemes administration application are security procedures controlling access to sensitive data and facilities. The audit trail facility records changes made to the data, including who made the changes and when. (Control 7.3.3)

Control Support Users

Access to the schemes administration application Development environments is restricted to the Systems Support Analyst. Work is only undertaken on receipt of a Project log or Passportal that has been authorised by a team leader or above. All actions are logged in the system and an audit trail is maintained.

For a selection of users with access to the schemes administration application development environments, inspected the system settings and noted that each was a Systems Support Analyst. For a selection of the schemes administration application Developments completed during the period, inspected the Project Logs or Passportal logs and noted that work requests had been raised and authorised by a Team Leader or above and that an audit trail existed for each work request detailing the action taken.

No exceptions noted.

7.4 IT processing is authorised and scheduled appropriately and exceptions are identified and resolved in a timely manner

Control activity and description | Testing performed by KPMG LLP and results

7.4.1 -7.4.2

Process Batch processing, e.g. monthly allocations, payrolls etc. are scheduled and run by the Pensions Administration Team on an independent server, minimising the impact on Business as Usual. (Control 7.4.1 – 7.4.2)

Control 7.4.1 The Administration Team schedule the tasks in the diary of the schemes administration application. These are then picked up by the ROBOT user/server. The Administration Team review the diary on a daily basis to verify that tasks have been run. Evidence that the task has been run is retained in the schemes administration application diary.

Inspected the schemes administration application and noted the existence of the ROBOT account and that tasks had been assigned to the ROBOT within the Task Diary.

For a selection of jobs assigned to the ROBOT during the period, inspected the Daily Task Diary and noted that there was an entry in the Task Diary which stated the status of the job and that the ROBOT had been used to run the task successfully.

No exceptions noted.


Control 7.4.2 Any problems encountered with the ROBOT user/server are logged with the Systems Support Team via the Project Log or Passportal and allocated to a Systems Support Analyst and resolved. Evidence of the problem and its resolution are retained within the Project log or Passportal.

Inspected the Passportal logs and noted that ROBOT errors had been logged.

For a selection of incidents where the ROBOT was unable to complete the task during the audit period, inspected the Passportal logs and noted that the incidents had been logged, allocated to the Systems Support Team and that the resolution details had been retained.

No exceptions noted.

7.6 Appropriate measures are implemented to counter the threat from malicious electronic attachments (e.g. Firewalls, anti-virus etc.)

Control activity and description | Testing performed by KPMG LLP and results

7.6.1 Process A number of control measures are deployed by Backbone to protect the organisation from malicious attack. Firewalls which control inbound and outbound traffic are maintained by Backbone. Changes to the Firewalls will be made either in response to an incident or through an authorised change process signed off by the XPS Administration Head of IT. Backbone monitors the Firewalls and reports on threats to the XPS Administration Head of IT via the Outsourced IT Provider.

Control 7.4.1 In/outbound traffic is controlled through the implementation of Firewalls. Changes to the Firewall Rules are signed off by XPS Administration Head of IT or the Technical Lead prior to implementation. Monthly Service Review meetings are held between XPS Administration and the Outsourced IT Provider to discuss services provided and minutes of the meetings are retained.

Enquired of management regarding the monthly meetings between the Outsourced IT Provider and XPS Administration and were informed that meetings were held to discuss services provided by the Outsourced IT Provider. For a selection of months, inspected the service review meeting minutes and noted that network security events including any Firewall Perimeter Breaches and potential Firewall Change Requests had been discussed. For a selection of Firewall rule changes, inspected the service desk tickets and noted that the XPS Administration Head of IT or the Technical lead signed off the changes prior to implementation.

No exceptions noted.


7.6.2 Process A Penetration Test of the security perimeter is conducted by a specialist supplier at least every 18 months. A report is produced which contains any perceived vulnerabilities. Any changes are raised through the change process to be assessed and remediated by the appropriate technical staff.

Control A Penetration Test of the external network security is conducted at least every 18 months. Findings are raised in a Management report and any changes are discussed with the XPS Administration Head of IT via email and then logged via the change management process for the appropriate actions to be taken.

Inspected a copy of the latest Network Penetration Report and noted that the testing of the external network security was successfully completed in October 2018.

For a selection of findings raised in the report, inspected the related email communication and noted that the findings had been discussed with the XPS Administration Head of IT.

No exceptions noted.

KPMG further noted that there were no actions which required changes to be logged via the change management process.

Since there were no changes required, the operating effectiveness of this part of the control could not be tested.

7.6.3 - 7.6.5

Process Anti-virus, Anti-Malware and Internal E-Mail Scanning

Internally, Webroot Secure Anywhere is deployed to provide protection for servers, workstations and laptops against viruses and spyware and to provide proactive protection against unknown threats. Externally, a specialist supplier is used to scan for viruses, malicious content and SPAM. (Control 7.6.5) Internally, additional rule sets are configurable by the Outsourced IT Provider to either allow or reject attachments for defined file extensions. File definitions and scan engines are automatically updated as per vendor specifications. (Control 7.6.3) All laptops are encrypted. (Control 7.6.4)

Control 7.6.3 Webroot Secure Anywhere is configured to provide protection for servers, workstations and laptops against viruses and spyware and to provide proactive protection against other new threats.

Inspected the Webroot Secure Anywhere software and noted that it was deployed on servers, workstations and laptops and that it provided protection against viruses, spyware and threats.

No exceptions noted.

Control 7.6.4 All laptops are encrypted. Laptop encryption cannot be disabled by non-IT admin users.

For a selection of users’ laptops, inspected the encryption software and noted that the software was enabled and could not be disabled by users who are not IT administrators.

No exceptions noted.


Control 7.6.5 Externally, a specialist supplier is used to scan for viruses, malicious content and SPAM. Internally, additional rule sets are configured by the Outsourced IT Provider to either allow or reject attachments for defined file extensions. Changes to the rule set are communicated to the Outsourced IT Provider by the XPS Administration Head of IT using the Change Management process in place with the Outsourced IT Provider. The software automatically alerts the Helpdesk if a threat is identified and action is taken. Any such threats will be reported to the XPS Administration Head of IT and raised at the monthly Service Review meetings.

Inspected the configuration of the external software and noted that scanning for viruses, content and SPAM was in place and that additional rule sets had been configured by the Outsourced IT Provider to either allow or reject attachments for defined file extensions. Further noted that the software was configured to send an alert if a threat is identified.

No exceptions noted.

Inspected change management documentation and helpdesk tickets to determine whether there had been any rule-set changes or any alert of threats. We noted that there had been no requests for changes to the rule sets and no threats had been identified which would have triggered an automatic alert. Since there were no rule-set changes, the operating effectiveness of this part of the control could not be tested.

7.7 The Physical IT equipment is maintained in a controlled environment

Control activity and description | Testing performed by KPMG LLP and results

7.7.1 Process The Reading Comms Room contains the local IT infrastructure and is air conditioned and monitored and alerted for:

> Temperature

> Fire

> Water Detection

Fire extinguishers are available inside the room. An Uninterruptible Power Supply (UPS) is deployed in the event of a mains outage or power spike.

Control The Reading Comms Room is equipped with environmental protection controls including:

> Automated fire detection mechanisms

> Fire extinguishers

> Air conditioning

> Raised floors

> UPS

Observed the Reading Comms Room and noted that automated fire detectors, fire extinguishers, air conditioning, raised floors and UPS were in place.

No exceptions noted.


7.7.2 Process The Leeds Comms Room contains the local IT infrastructure and is air conditioned, monitored and alerted for:

> Temperature

> Fire

> Water Detection

An Uninterruptible Power Supply (UPS) is deployed in the event of a mains outage or power spike.

Control The Leeds Comms Room is equipped with:

> Automated fire detection mechanisms

> Fire extinguishers

> Air conditioning

> UPS

Observed the Leeds Comms Room and noted that automated fire detectors, fire extinguishers, air conditioning and UPS were in place.

No exceptions noted.

7.7.3 Process Procedures are in place to ensure obsolete equipment is subject to secure disposal. Certificates of Destruction are obtained in respect of data storage units. When items are collected, a Certificate of Collection, detailing the number and type of units provided, is obtained from the third party supplier. Subsequently, the Certificates of Destruction are reconciled with the Certificates of Collection by the XPS Administration Head of IT.

Control When items requiring disposal are collected, a Certificate of Collection, detailing the number and type of units provided, is obtained from the third party supplier, and the Certificate of Destruction is sent to XPS Administration IT management to confirm secure destruction.

Enquired of management to determine whether any equipment disposals had been carried out. For a selected disposal carried out during the audit period, inspected the certificate of collection and noted it detailed the number and type of units provided. Inspected the certificate of destruction and noted it was provided to XPS Administration Head of IT and confirmed secure destruction.

No exceptions noted.

7.8 Maintaining and developing systems hardware and software

Control activity and description | Testing performed by KPMG LLP and results

Development and Implementation of new systems, applications and changes to existing systems, applications and software, are authorised, tested, approved and implemented

7.8.1 Process IT Projects

The initiation of an IT project requires authorisation from the XPS Administration Head of IT. Where capital investment is required it will also have a business case, otherwise a statement of requirements. Each project has a sponsor. Project implementation requires approval from the XPS Administration Head of IT.

Control Project initiation requires Business Authorisations by e-mail from the XPS Administration Head of IT. The Outsourced IT Provider’s Change Control Document controls the changes, with the project measured via monthly Service Review meeting minutes. Internal projects are monitored throughout via monthly meetings to discuss progress against milestones. Project updates are produced and retained in the project file which is accessible by Management.

Inspected the list of the Service Desk tickets and noted that there had been no external IT projects implemented during the period. Since there were no external IT projects implemented, the operating effectiveness of this element of the control could not be tested. Enquired of management to determine whether any internal IT projects had been carried out. We were informed that there had been no internal IT projects implemented during the period. Since there were no internal IT projects implemented, KPMG LLP was unable to test this element of the control.


7.8.2 Process Segregation of Application Environments

Live Production environments are located on separate servers. (Control 7.8.2) Two types of change are managed within the Systems Support Team

> Production data changes

Control Production environments are logically separated from Test and Development environments.

Inspected the schemes administration application configuration and noted that Production environments were separated logically from the Test and Development environments.

No exceptions noted.

7.8.3 Process Authorisation of Changes and Development to Existing Systems Changes to existing systems are raised by the Pensions Administration Teams with the Systems Support Team and evidenced via the Project Log or Passportal system.

Control The Passportal or Project logs provide evidence of the change details, authorisations for the change by a member of the Pensions Administration Team and sign off by the Head of Pensions Administration Systems/XPS Administration Head of IT to approve release and closure.

Enquired of management to determine whether any changes to existing systems had been carried out and noted that there had been no changes implemented during the period. Since there were no changes implemented, KPMG LLP was unable to test this element of the control.

7.8.4 Process Production Data Changes

When a limited number of data amendment changes are required to the schemes administration application, the following process is followed:

Within the Pensions Administration Team

> A Passportal or Project Log is raised providing details of the change

> This is authorised within the Passportal system or the Project Log, by a Senior Member of the Pensions Administration Team

> The request for change is then passed to the Systems Support Analyst

> On receipt in the Systems Support Team, the work management system is updated by a Systems Support Analyst:

> The change is prioritised by a Systems Team Manager

> The request is passed to a Systems Support Analyst who will make the individual changes directly, with an audit trail being retained within the database logs

> Once complete the change is passed back to the Pensions Administration Teams originator

On receipt within the Pensions Administration Team:

The change is checked, signed off and then closed within the Passportal log, by the Pensions Administration Team originator.

Control For scheme calculation releases, the Pensions Administration Team conducts user acceptance testing (UAT) and retains evidence of test results.

For a selection of scheme calculation releases implemented during the period, inspected testing results spreadsheets and noted that User Acceptance Testing (UAT) had been completed by the Pensions Administration Team.

No exceptions noted.


7.8.5 Process Software Changes

Software changes generate a “Software Release”. New or amended application code is released to the Live environment by the Systems Support Team to support the following business requirements:

> Releases of new or amended client specific benefit calculations

> The first time loading of client databases into the Live environment

> Workflow functionality

Control Approval for scheme calculation releases by the Systems Support Team to the Live Production Systems is formalised through a sign-off by the Pensions Administration Service Manager or Director and either recorded in the Work Management System or received via e-mail.

For a selection of scheme calculation releases implemented during the period, inspected the sign off documentation and noted that this had been completed by the Pensions Administration Service Manager or Director and recorded in the Work Management System or via email.

No exceptions noted.

7.8.6 Process Documentation

Documentation relating to testing is retained by either the Pensions Administration Team or the Systems Support Team. Documentation relating to authorisation and release is retained by the Systems Support Team.

Control Software Releases are created either by Equiniti Claybrook, and signed off by the XPS Administration Head of IT, or by the Systems Support Team. Documentation relating to the authorisation and release of changes is retained by the Systems Support Team.

Enquired of management to determine whether there had been any software releases implemented within the period. We were informed by management that there had been no software releases implemented during the period. Since there were no software releases implemented, KPMG LLP was unable to test this element of the control.

7.8.7 Process Authorisation of Development of New Client Pensions Administration Systems

New clients are added to the existing application environment. See controls in section 1 – Accepting Clients.

Control Authorisation of Development of New Client Pensions Administration Systems

See controls in Section 1 – Accepting Clients.

(See controls in Section 1 – Accepting Clients).


7.8.8 Process IT Changes

The Outsourced IT Provider’s Change Management process follows the Information Technology Infrastructure Library (ITIL) framework.

All proposed changes to the IT infrastructure Systems and Application Code releases will be classified as either

> Service Request (SR), which is submitted to the Outsourced IT Provider Service Desk

> A Change Request (RFC) which is submitted to the XPS Administration Head of IT and captured and recorded via the Change Request with the Outsourced IT Provider (Control 7.8.8)

Note: Service Requests are small repeatable operational changes. These include:

> New Starters and Leavers

> New/Change system access

> Backup/Restore requests

> Remote connectivity

> Approved software installs

> Approved DLL code releases

Control IT changes – Service Requests (SRs)

Service Requests (SRs) are submitted to the Outsourced IT Provider’s Service Desk.

Each SR is assigned a unique identification number and held within the Outsourced IT Provider’s management tool.

IT changes – Change Requests (RFCs)

Change Requests are submitted to the Outsourced IT Provider Service Desk and referred on to the XPS Administration Head of IT for approval.

For a selection of Service Requests submitted during the period, inspected service desk records and noted that they had been submitted to the Outsourced IT Provider, had been assigned a unique identification number and that information was held within the Outsourced IT Provider’s management tool.

No exceptions noted.

Enquired of management to determine whether any IT changes had been carried out. We were informed that there had been no IT changes implemented during the period. Since there were no software releases implemented, KPMG LLP was unable to test this element of the control.

7.8.9 Process Change Implementation, Resolution and Closure

Following implementation, change requests are set to “resolved” status by the Change Implementer within the Outsourced IT Provider’s ticketing systems and the initiator will be informed.

Emergency IT Changes are managed via the Outsourced IT Provider’s Change Management Process and reported back to the XPS Administration Head of IT.

Control Following implementation, change requests are set to “resolved” status by the Change Implementer within the Outsourced IT Provider’s ticketing system and the initiator informed. Emergency changes are managed via the Outsourced IT Provider’s Change Management Process and reported back to the XPS Administration Head of IT on completion.

Enquired of management to determine whether any emergency changes had been carried out in the period. We were informed that there had been no emergency changes implemented during the period. Since there were no emergency changes, KPMG LLP was unable to test this element of the control.


7.9 Data migration or modification is authorised, tested and once performed, reconciled back to the source data

Control activity and description | Testing performed by KPMG LLP and results

7.9.1 Process For the majority of clients our Pensions Administration technologies have not required migration or modification of data in recent years.

Any such modifications would follow our Change Management procedures as described in the section Maintaining and Developing Systems Hardware and Software.

Any migrations that have taken place have followed a comparable process and control set as for new Scheme Implementations (Section 1 – Accepting Clients).

A Project Team is set up to manage the migration. The team is sponsored by a representative from Senior Management and is managed by a dedicated Project Manager.

A Project Board is established to govern the project. The Project Team consists of a number of individual work streams. The Project is managed as a PRINCE 2 project, in accordance with XPS Administration standards and procedures. The project is managed according to a formal Project Plan. The Project Plan is populated with key project milestones and target dates that have been agreed with the Client; evidence of this agreement is retained by the Project Manager.

Control At least monthly, the Project Board monitors the progress of the approved Project Plan. Any issues relating to progress are discussed with the Project Manager and the Client. Meeting minutes are taken, which include any agreed actions, distributed to all meeting participants and retained in the Project Library by the Project Manager. Acceptance of Client set up details and any additional actions required after the go live date are approved by the Service Delivery Manager and Project Manager signing off the Migration Report by e-mail. The completed Migration Report and any supporting e-mails are retained by the Project Manager in the Project Library.

Enquired of management whether any instance of data migrations or modification occurred during the period and were informed that no instances had occurred. Since there were no instances, KPMG LLP was unable to test this element of the control.


7.9.2 Process The Project Manager tracks the milestones to verify that they are completed on time and to a standard agreed with the Client and provides regular progress reports to the Project Board and Client. The Project Plan varies according to the specific requirements of each transaction. The Project Manager prepares a Go Live Migration Report which includes Migration Summary results, Client data records, details of any outstanding issues remaining at go live along with member and any unit reconciliations. By signing off the Migration Report in hardcopy or via email the Pensions Administration Team confirm that they have a complete understanding of the scheme and can deliver services according to the Client Agreement and Regulatory and legislative Requirements.

Control Prior to commencement of Administration services on a new System, the Systems Pensions Analyst reconciles Scheme data provided from the previous system to the new system and raises any exceptions regarding missing or incorrect data with the Pensions Administration Team. Reports generated by the data audit, along with any correspondence to resolve any data gaps or errors are held centrally in the Project library.

Enquired of management whether any instance of data migrations or modification occurred during the period and were informed that no instances had occurred. Since there were no instances, KPMG LLP was unable to test this element of the control.

7.9.3 Process As part of the project, Scheme data is audited, with any queries being raised with the Pensions Administration Team. The data is analysed using a data migration tool, which generates reports that identify any gaps or errors in the data received.

Control Scheme data reconciliations and correspondence relating to the follow up of any gaps or errors identified are verified by a member of the Project Team and evidenced by sign off on the Implementation Control Sheet. Copies of the Implementation Control Sheet are retained in the Project Library.

Enquired of management whether any instance of data migrations or modification occurred during the period and were informed that no instances had occurred. Since there were no instances, KPMG LLP was unable to test this element of the control.

7.9.4 -7.9.5

Process For DB schemes, automated benefit calculations are tested before being put into the live environment by regression testing calculations in the new system against those completed in the old system. (Control 7.9.4 and 7.9.5)

Control 7.9.4 The Project Team performs regression testing of benefit calculations in the new system by comparing the results with those from existing calculations performed in the old system. Evidence of the results of testing is retained within the Project Library.

Enquired of management whether any instance of data migrations or modification occurred during the period and were informed that no instances had occurred. Since there were no instances, KPMG LLP was unable to test this element of the control.

Control 7.9.5 Calculation pro formas are prepared, and formally reviewed and signed off by the Scheme Actuary or otherwise by the clients or XPS Administration personnel. The Actuarial review, when available, is retained in the Project Library.

Enquired of management whether any instance of data migrations or modification occurred during the period and were informed that no instances had occurred. Since there were no instances, KPMG LLP was unable to test this element of the control.


7.10 Data and systems are backed up regularly, retained offsite and regularly tested for recoverability

Control activity and description | Testing performed by KPMG LLP and results

7.10.1 Process Infrastructure layer controls operated at the outsourced IT Service Provider:

Systems, databases and data are backed up according to a predefined schedule via automated tools. The backup cycle incorporates daily, monthly and annual backups.

An issues log is maintained in respect of backups which fail or are incomplete. Failed or incomplete backups are investigated and reported to the XPS Administration Head of IT on a daily basis. Recoverability of data files is tested at least annually by the Outsourced IT Provider, along with ad hoc restores which are logged via the Outsourced IT Provider’s service desk.

Control Period 01.01.2018 – 26.09.2018

Systems, databases and data are backed up according to a predefined schedule via automated tools. The backup cycle incorporates daily, weekly, monthly and yearly backups. Daily backups are retained for one week, monthly for one year and yearly for seven years. Any backup failures are raised on the Service Desk for resolution.

27.09.2018 – 31.12.2018

Systems, databases and data are backed up according to a predefined schedule via automated tools. The backup cycle incorporates daily, weekly, monthly and yearly backups. Daily backups are retained for one week, monthly for one year and yearly for seven years. Backup failures are recorded for 30 days and are automatically sent to the DPM console, which is checked as part of the IT daily checks.

Period 01.01.2018 – 26.09.2018

KPMG enquired of management and noted that due to the method of archiving used by the previous outsourced IT provider no evidence was available. KPMG LLP was therefore unable to test this element of the control.

Inspected the list of Service Desk tickets and noted that backup failures had been raised and the respective date of resolution was recorded.

Period 27.09.2018 – 31.12.2018

Inspected the pre-defined backup schedules to determine whether backups had been configured to be taken on a daily, weekly, monthly, and yearly basis and that daily backups are retained for one week, monthly for one year and yearly for seven years.

Inspected the DPM console and noted backup failures for the last 30 days were recorded.

Exception noted:

Monthly backups had been configured to be retained for 11 months instead of 12.

Management response:

This was a misconfiguration in DPM which has been rectified.
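The retention exception above is the kind of drift a policy-versus-configuration check catches before an auditor does. The following added example (not code from the report, XPS or KPMG) compares a constructed INI-style export of the backup schedules against the retention stated in Control 7.10.1; the export format and its `enabled`/`retention` keys are assumptions, since a real DPM protection-group export would need its own parser.

```python
"""Retention-policy check for a backup schedule configuration.

Added example; it models Control 7.10.1 (daily backups retained one week,
monthly one year, yearly seven years) and the exception noted (monthly
retention set to 11 months instead of 12). The INI-style export format is a
constructed stand-in, not a real DPM export.
"""
import configparser
import re
from dataclasses import dataclass
from fractions import Fraction

# Exact day-equivalents so that "12 months" == "1 year" and calendar
# rounding never produces a false finding.
_UNIT_DAYS = {
    "day": Fraction(1),
    "week": Fraction(7),
    "month": Fraction(365, 12),
    "year": Fraction(365),
}
_RETENTION_RE = re.compile(r"^\s*(\d+)\s*(day|week|month|year)s?\s*$", re.I)

# Retention required by Control 7.10.1, in the control's own wording.
POLICY = {"daily": "1 week", "monthly": "1 year", "yearly": "7 years"}


@dataclass(frozen=True)
class Finding:
    schedule: str
    configured: str  # value found in the export, or "missing"/"disabled"
    required: str    # value the control requires
    detail: str


def parse_retention(text: str) -> Fraction:
    """Convert a retention string such as '11 months' to an exact day count."""
    match = _RETENTION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised retention value: {text!r}")
    count, unit = int(match.group(1)), match.group(2).lower()
    return count * _UNIT_DAYS[unit]


def check_retention(export_text: str, policy: dict = POLICY) -> list:
    """Compare each schedule the policy requires against the export.

    A schedule that is absent, disabled, unparseable or retained for less
    time than the control requires is a finding; longer retention is not.
    """
    parser = configparser.ConfigParser()
    parser.read_string(export_text)
    findings = []
    for schedule, required in policy.items():
        if schedule not in parser:
            findings.append(Finding(schedule, "missing", required,
                                    "schedule not present in export"))
            continue
        section = parser[schedule]
        if not section.getboolean("enabled", fallback=True):
            findings.append(Finding(schedule, "disabled", required,
                                    "schedule present but disabled"))
            continue
        configured = section.get("retention", "")
        try:
            have = parse_retention(configured)
        except ValueError as exc:
            findings.append(Finding(schedule, configured or "missing",
                                    required, str(exc)))
            continue
        need = parse_retention(required)
        if have < need:
            findings.append(Finding(
                schedule, configured, required,
                f"retained {float(have):.1f} days, control requires "
                f"{float(need):.1f} days"))
    return findings


# Constructed export resembling the configuration as found: monthly
# retention is 11 months rather than the required 12.
AS_FOUND = """
[daily]
enabled = true
retention = 1 week

[monthly]
enabled = true
retention = 11 months

[yearly]
enabled = true
retention = 7 years
"""

# Constructed export after the management response (retention corrected).
RECTIFIED = AS_FOUND.replace("retention = 11 months", "retention = 12 months")


if __name__ == "__main__":
    for label, export in (("as found", AS_FOUND), ("rectified", RECTIFIED)):
        findings = check_retention(export)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.schedule}: configured {f.configured}, "
                  f"required {f.required} ({f.detail})")
```

Run against the as-found export it reports the single monthly-retention finding; against the rectified export it reports none.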

7.10.2 Process Infrastructure layer controls operated at the outsourced IT Service Provider:

Recovery of data files is undertaken by the Outsourced IT Provider via ad hoc file recoveries in response to notifications received by their service desk.

Control Recovery of data files is undertaken by the Outsourced IT Provider via file recoveries in response to notifications received by their Service Desk.

Inspected the list of the Service Desk tickets and noted that requests for the recovery of data files had been raised and the respective date of resolution was recorded.

No exceptions noted.


7.10.3 Process Infrastructure layer controls operated at the Outsourced IT Provider:

The Outsourced IT Provider calculates the remaining free space within each database instance and provides the information to the XPS Administration Head of IT for review and action where necessary.

Control Period 01.01.2018 – 26.09.2018

On a monthly basis the Outsourced IT Provider calculates the remaining free space within each database instance. The results of this are passed to the XPS Administration Head of IT in a monthly report and any actions are agreed prior to implementation of any changes.

Period 27.09.2018 – 31.12.2018

The remaining disk space within each database instance is monitored proactively using the network monitor tool. Automated tickets are generated by the tool within the outsourced IT service provider’s helpdesk system when the remaining disk space falls below the expected thresholds. The outsourced IT service provider will investigate the issue and close the ticket as evidence of addressing the issue.

Period 01.01.2018 – 26.09.2018

KPMG enquired of management and were informed that due to the method of archiving used by the previous outsourced IT provider no evidence was available. KPMG LLP was therefore unable to test this element of the control.

Period 27.09.2018 – 31.12.2018

Inspected the network monitor tool and noted that the remaining disk space within each database instance is proactively monitored.

Inspected the outsourced IT provider’s helpdesk system and noted that automated tickets were generated by the monitor tool when the remaining disk space fell below the expected thresholds.

For a selection of automated helpdesk tickets, inspected the ticket transcripts and noted that tickets were assigned to individuals within the outsourced IT service provider and marked as closed.

No exceptions noted.

7.10.4 Process Application layer controls operated at the Outsourced IT Provider:

Backups and Retention of Data

Systems, databases and data eligible for inclusion in the backup service are backed up according to a pre-defined schedule via automated tools. The backup cycle incorporates weekly Full backups, daily Incremental and where the service requests it, more frequent Incremental backups or log file archiving.

Archiving of data within applications is managed by the business service owners.

Monitoring, Reporting and Failures

The Outsourced IT Provider’s Service Management monitors job completion. An Issues Log is maintained in respect of backups which fail or are incomplete. Failed and incomplete backups are investigated and rectified by the Outsourced IT Provider. (Control 7.10.4)

Control Backup services are monitored and management reports on success are produced to Outsourced IT Provider’s Service Management on a daily basis.

For a selection of dates in the period, inspected the backup completion status spreadsheet and noted that backups had either completed successfully or, where a failure had occurred, a ticket had been raised on the Outsourced IT Provider’s Service Management Tool, investigated and had been rectified by Outsourced IT Provider.

No exceptions noted.


7.10.5 Process Application layer controls operated at the Outsourced IT Provider:

High Availability & Resilience

The Live / Production server data is replicated between the live and secondary Data Centre on a real-time basis.

Outsourced IT Provider monitors the status of the replication service. If the connection between live and backup storage is lost, the replication service is restarted.

In instances where restarting the service does not resolve the issue, an Incident Record is raised in the Outsourced IT Provider’s Service Management tool.

Control The Live / Production server data is replicated between the live and secondary Data Centre on a real-time basis.

The Outsourced IT Provider monitors this service and any alerts regarding this service are resolved as a priority.

If the connection between live and secondary storage is lost, the replication service is restarted.

In instances where restarting the service does not resolve the issue, an Incident Record is raised in the Outsourced IT Provider’s Service Management tool.

Inspected the live replication software settings and noted that the live and secondary data centres were replicated on a real-time basis. Further noted that email alerts regarding errors to the replication service were configured to notify the Outsourced IT Provider. Inspected the log within the replication software and noted that no failures to the live replication service were recorded which required restarting the replication service. Since there were no instances of failures to the live replication service, the operating effectiveness of this element of the control could not be tested.

No exceptions noted.

7.10.6 Process Application layer controls operated at the Outsourced IT Provider:

Off Site Storage

Backups are copied from the outsourced IT provider’s Worthing Data Centre to a secure dedicated storage array at their Lancing Data Centre.

These backups are kept for six weeks in each of the two data centres on dedicated storage arrays.

Month End backups are also copied to tape storage which is stored securely for a year. May Month End backups are treated as Year End and kept for seven years.

All backup tapes are encrypted. The encryption keys are stored securely at two geographically separate locations.

Access to the tape library and secure storage is restricted to authorised individuals within the Outsourced IT Provider (Controls 7.10.6 and 7.10.7).

Control 7.10.6 Backups are copied from the outsourced IT provider’s Worthing site via the backup application to their Lancing site. This service is monitored in line with the backups.

Inspected the configuration of the backup application and noted that jobs for copying backups from the outsourced IT provider’s Worthing site to their Lancing site had been scheduled. Further noted that backup job failures had been reported by email by the Offshore team (as in Control 7.10.4) and that jobs for copying backups from the outsourced IT provider’s Worthing site to their Lancing site had been reviewed as part of the daily checks.

No exceptions noted.


Control 7.10.7 All backup tapes are encrypted. The encryption keys are stored securely at two geographically separate locations. Access to the secure storage and encryption is restricted to authorised individuals within the Outsourced IT Provider.

Inspected the backup tape data and noted that backups were encrypted. Inspected the secure storage area and noted that encryption keys were stored securely in locked safes at two geographically separate locations. Inspected physical access logs and noted that individuals within the Outsourced IT Provider had access to the locations. Enquired of management and were informed that all these individuals had been authorised.

No exceptions noted.

7.10.8 Process Application layer controls operated at the Outsourced IT Provider:

Data File Recovery

Restoration of data is undertaken by the Outsourced IT Provider System Administrators upon receipt of requests logged through the Outsourced IT Provider’s Service Management System.

Control Recoverability of data files is undertaken by Outsourced IT Provider’s System Administrators in response to notifications received by the Outsourced IT Provider’s Service Desk, who:

> restore files to users;

> confirm closure of corresponding incident records within the Outsourced IT Provider’s Service Management System.

Inspected the Outsourced IT Provider’s Service desk and noted that requests for data restores had been raised through the Outsourced IT Provider Service Desk. For a selection of backup restore requests raised in the Outsourced IT Provider’s Service Desk within the period, inspected the Service Desk tickets and noted that these included the action taken to successfully restore files and that confirmation of call closure had been provided.

No exceptions noted.

7.10.9 Process Application layer controls operated at the outsourced IT provider:

Production Database Backups: Local online backups of databases and transactions logs.

Local online backups of databases and transaction logs are taken on an hourly basis throughout the day in order to provide a more granular and speedy recovery time objective.

Control Local online backups of databases and transaction logs are taken on an hourly basis throughout the day in order to provide a more granular and speedy recovery time.

Inspected a selection of electronic log files and noted that local online backups of the databases and transaction logs had been taken on an hourly basis throughout the day.

No exceptions noted.


7.10.10 Process Application layer controls operated at the Outsourced IT Provider:

Production Databases: Health Checks, Capacity Checks and Recoveries

On a daily basis, the Outsourced IT Provider’s Database Administrators (DBAs) undertake the following checks on Production Database instances:

> Mirroring: to determine the status of the mirroring service and to identify where the mirroring is incomplete.

> SQL jobs: to determine completion status and investigate failures.

> SQL logs: to identify and investigate errors.

> Database status: to investigate databases indicated as not ‘on-line’.

The checks, together with the outcome of any investigation, are captured within a spreadsheet.

Control On a daily basis, the Outsourced IT Provider’s Database Administrators (DBAs) undertake the checks on Production Database instances. The checks together with the outcome of any investigations are captured within a spreadsheet retained by the Outsourced IT Provider’s DBAs.

For a selection of dates, inspected the daily checklists and noted that the mirroring status, SQL jobs, SQL logs, and database status checks had been performed by the Outsourced IT Provider’s Database Administrators with the outcome of investigations noted within the same document.

No exceptions noted.

7.10.11 Process Application layer controls operated at the Outsourced IT Provider:

On at least a monthly basis, the Outsourced IT Provider’s Administrators (DBAs) calculate the remaining free space within each Production Database instance. The database instances within Shareholder Services are monitored centrally by Microsoft System Centre Operations Manager (SCOM). SCOM has the SQL server management packs imported which monitor, amongst other elements of SQL, the free space of the databases against defined thresholds and alerts into the central console when the warning and critical thresholds (measured in percentages) are breached. These alerts are transferred into incidents by Availability Management for the space issue to be investigated and resolved.

For a selection of months within the period, inspected the capacity spreadsheets to determine whether capacity checks had been performed by the Outsourced IT Provider’s Administrators (DBAs), the results were recorded and where the production databases were designated as red or amber that the spreadsheet noted that subsequent checks had been carried out and the available capacity had returned above 120 days.

Exception noted:

For 2 of the 3 months sampled, evidence of capacity checks had not been retained.


Control On at least a monthly basis, Outsourced IT Provider’s Administrators (DBAs) calculate the remaining free space within each Production Database instance.

The checks and results are recorded within a spreadsheet.

For production databases designated red or amber, evidence that available capacity has returned above 120 days is recorded within subsequent spreadsheets.

Management response:

It has been identified that a member of staff who has since left and was responsible for this task had not been completing it intermittently for a period during 2018. After this staff member left, resource constraints resulted in low level controls being deprioritised against other critical activities. Recognition of the impact of this constraint has resulted in senior management sponsorship of the rollout of automated monitoring tools (MS System Centre) into the Pensions arena to manage this activity. Funding was approved in Q4 2018 and the project is due to complete at the end of Q2 2019.

Additional resources and a cover rota are now in place, with management accountability in place to ensure this check is completed.
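The four daily checks described in 7.10.10 (mirroring status, SQL job outcomes, SQL log errors, database status) and the percentage free-space grading that the SCOM SQL management packs apply in 7.10.11 can be expressed as one T-SQL script run against each Production instance. The script below is an added example written for this page; it is not the Outsourced IT Provider's checklist, nor a SCOM management pack rule, and the report does not publish either. It assumes Microsoft SQL Server (the report's references to mirroring, SQL jobs, SQL logs and SCOM's SQL management packs point that way), a 24-hour look-back window and warning/critical thresholds of 20% and 10% free, none of which the report specifies. It grades capacity by percentage free on the hosting volume, which is what the SCOM thresholds measure, not by the days-remaining figure recorded in the DBAs' spreadsheet.

```sql
-- Added example (not the provider's own checklist): daily Production Database
-- health and capacity check for a SQL Server instance. Thresholds and the
-- 24-hour window are assumptions; adjust them to the instance being checked.
SET NOCOUNT ON;

DECLARE @WarnPct  decimal(5,2) = 20.00;  -- assumed warning threshold, % free on volume
DECLARE @CritPct  decimal(5,2) = 10.00;  -- assumed critical threshold, % free on volume
DECLARE @Since    datetime     = DATEADD(HOUR, -24, GETDATE());
DECLARE @SinceInt int          = CONVERT(int, CONVERT(char(8), @Since, 112)); -- YYYYMMDD for sysjobhistory

-- 1. Mirroring: list every mirrored database; anything not SYNCHRONIZED is an investigation item.
SELECT  d.name,
        m.mirroring_role_desc,
        m.mirroring_state_desc,
        CASE WHEN m.mirroring_state_desc <> 'SYNCHRONIZED' THEN 'INVESTIGATE' ELSE 'OK' END AS outcome
FROM    sys.database_mirroring AS m
JOIN    sys.databases          AS d ON d.database_id = m.database_id
WHERE   m.mirroring_guid IS NOT NULL
ORDER BY outcome, d.name;

-- 2. SQL Agent jobs: job-level outcomes (step_id = 0) inside the window that did not succeed.
--    run_status: 0 = Failed, 1 = Succeeded, 2 = Retry, 3 = Canceled, 4 = In progress.
SELECT  j.name AS job_name,
        h.run_date, h.run_time, h.run_status, h.message
FROM    msdb.dbo.sysjobhistory AS h
JOIN    msdb.dbo.sysjobs       AS j ON j.job_id = h.job_id
WHERE   h.step_id    = 0
  AND   h.run_date  >= @SinceInt
  AND   h.run_status <> 1
ORDER BY h.run_date DESC, h.run_time DESC;

-- 3. SQL error log: entries in the current log (0) of the SQL Server log type (1) that
--    mention 'Error' or 'Severity' since @Since. Requires the right to run xp_readerrorlog.
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(100), [Text] nvarchar(max));
INSERT INTO #errlog EXEC master.dbo.xp_readerrorlog 0, 1, N'Error',    NULL, @Since, NULL;
INSERT INTO #errlog EXEC master.dbo.xp_readerrorlog 0, 1, N'Severity', NULL, @Since, NULL;
SELECT DISTINCT LogDate, ProcessInfo, [Text]
FROM   #errlog
ORDER BY LogDate DESC;
DROP TABLE #errlog;

-- 4. Database status: any database whose state is not ONLINE.
SELECT  name, state_desc, user_access_desc
FROM    sys.databases
WHERE   state_desc <> 'ONLINE';

-- 5. Capacity: free space on each volume that holds a data or log file, graded
--    against the warning/critical percentage thresholds. Needs VIEW SERVER STATE.
SELECT DISTINCT
        vs.volume_mount_point,
        CAST(vs.total_bytes     / 1048576.0 AS decimal(18,0))                 AS total_mb,
        CAST(vs.available_bytes / 1048576.0 AS decimal(18,0))                 AS free_mb,
        CAST(100.0 * vs.available_bytes / vs.total_bytes AS decimal(5,2))     AS pct_free,
        CASE WHEN 100.0 * vs.available_bytes / vs.total_bytes < @CritPct THEN 'CRITICAL'
             WHEN 100.0 * vs.available_bytes / vs.total_bytes < @WarnPct THEN 'WARNING'
             ELSE 'OK' END                                                    AS grade
FROM    sys.master_files AS mf
CROSS APPLY sys.dm_os_volume_stats(mf.database_id, mf.file_id) AS vs
ORDER BY pct_free;
```

Each result set corresponds to one row of the daily checklist: an empty set for checks 2, 3 and 4 and an all-OK grade for checks 1 and 5 is a clean day, and anything else is the investigation item whose outcome the report says is recorded alongside the check. Running the script as a scheduled job and storing its output is also the straightforward way to avoid the 7.10.11 exception, where the check itself was performed only intermittently and evidence was not retained.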

7.10.12 Process Application layer controls operated at the Outsourced IT Provider:

Recoverability of databases is tested by the Outsourced IT Provider’s Database Administrators (DBAs) through on-request database recoveries.

Restores are made from a verified backup and results are recorded within the Outsourced IT Provider’s work management system.

Control Recoverability of databases is tested by the Outsourced IT Provider’s Database Administrators (DBAs) through on-request database recoveries.

Restores are made from a verified backup and results are recorded within the Outsourced IT Provider’s work management system.

For a selection of database restores recorded in the Outsourced IT Provider’s work management system within the period, inspected records within the system and noted that these confirmed that database restores had been performed and that the results had been recorded.

No exceptions noted.


7.11 IT hardware and software issues are monitored and resolved in a timely manner

Control activity and description | Testing performed by KPMG LLP and results

7.11.1 Process The IT service desk is a single point of contact for:

> User incidents

> User accounts, security groups and other system objects

> Service requests

> Software installations and modifications

> Hardware incidents

> Any IT security issues or threats

Incidents and requests are subject to lifecycle management. They are:

> Investigated and diagnosed

> Progressed, updated and actively monitored in line with their resolution target

> Either resolved by the implementer/fixer at source or assigned to the relevant Outsourced IT Provider

> Where necessary, escalated internally and supplemented by management intervention where appropriate and as required by the requester

Once resolved, the Outsourced IT Provider will contact the requester to seek authorisation for closure. Resolution targets are monitored by the Outsourced IT Provider and reported to the XPS Administration Head of IT on a monthly basis.

Control Users are able to log calls to the Outsourced IT Provider Service Desk either by phone or email. Incidents are either resolved by the front desk at the point of contact or logged into a queue for a member of the service desk to pick up. Each incident is assigned a unique ID and a priority. Monthly reports are prepared by the Outsourced IT Provider and discussed with XPS Administration at the monthly Service Review meetings.

Enquired of management regarding the quarterly Service Review meetings between the Outsourced IT Provider and XPS Administration and were informed that meetings were held to discuss services provided by the Outsourced IT Provider.

For a selection of months, inspected the monthly service reports and noted that reports had been prepared.

For a selection of calls raised during the period, inspected the Service Desk records and noted that each had a unique ID number, had been assigned a priority and that details of the incident together with the action taken, had been retained.

No exceptions noted.

7.12 Business and information systems recovery plans are documented, approved, tested and maintained

Control activity and description | Testing performed by KPMG LLP and results

7.12.1 Process XPS Administration’s Business Continuity Plans are prepared and maintained by the respective Plan Coordinators and approved and signed off by the respective Plan Owners and Business Continuity Manager. The Group Framework and Policy are aligned with ISO 22301. The principal accountabilities of ongoing business continuity management are as follows:

> Review the current business continuity policy documentation to ensure it reflects a Group-wide approach

> Review scenario planning for the business and IT operations and incorporate a minimum set of likely occurrences into the reviewed business continuity policy

> Support the completion of all plans from all business areas aligned to the revised policy

> Produce appropriate management information detailing policy compliance

> Create a comprehensive testing schedule to be included within the policy

> Create a meaningful monitoring and reporting facility relating to progress with testing plans

Inspected the overall Business Continuity Plan and noted that it covered all offices, had been reviewed during the period and included a version number which was dated.

For a selection of offices, inspected post exercise test reports and noted that performance against the plan had been documented and that actions had been highlighted for improvements.


Control Business Continuity Plans are prepared for all offices. These plans are formally reviewed, by the Business Continuity Manager and the Business Continuity Co-ordinators on a yearly basis and updated as appropriate. Changes to the document are shown by a version number and date on the document.

The plans are tested on an annual basis. After the test Business continuity plan owners produce a post exercise test report detailing performance against plan and highlighting any improvement actions.

The Business Continuity Manager updates the testing and exercise schedule throughout the year to measure compliance against the Business Continuity Policy.

Inspected the testing and exercise schedule and noted that the progress of Business Continuity testing for all offices, against the planned schedule, had been documented.

No exceptions noted.

7.13 Monitoring compliance: Outsourced activities are properly managed and monitored

Control activity and description | Testing performed by KPMG LLP and results

7.13.1 Process The following services are outsourced:

> Pension Payroll

> Pension Accounts

> IT

Control A contract is in place for each outsourced service provider that includes a schedule of services provided and defined service level agreements.

Inspected the third party contracts in place and noted that these included a schedule of services to be provided and a defined service level agreement.

No exceptions noted.

7.13.2 Process Management and Monitoring

A contract is in place for each outsourced service provider that includes an agreed schedule of services and defined service levels. Governance meetings are scheduled at least twice a year with the providers to review the outsourced services against the agreed service levels.

Control Performance statistics are provided by each outsourced service provider on a monthly basis and reviewed at the Governance meetings which are scheduled at least twice a year. Governance meetings include actions and agreed delivery dates and are minuted with the minutes distributed to the related parties.

For a selection of Governance meetings held during the period, inspected the meeting minutes and noted that meetings had taken place and had been minuted which included the review of performance statistics, relevant actions and agreed delivery dates.

No exceptions noted.


Appendix 1 – Reporting Accountants Engagement Letter


About us

XPS Pensions Group is the largest pure pensions consultancy in the UK, specialising in actuarial, covenant, investment consulting and administration. The XPS Pensions Group business combines expertise, insight and technology to address the needs of over 1,000 pension schemes and their sponsoring employers on an ongoing and project basis. We undertake pensions administration for over 870,000 members and provide advisory services to schemes of all sizes including 25 with over £1bn of assets.

© XPS Pensions Group 2019. XPS Pensions Consulting Limited, Registered No. 2459442. XPS Investment Limited, Registered No. 6242672. XPS Pensions Limited, Registered No. 03842603. XPS Administration Limited, Registered No. 9428346. XPS Pensions (RL) Limited, Registered No. 5817049.

All registered at: Phoenix House, 1 Station Hill, Reading RG1 1NB.

XPS Investment Limited is authorised and regulated by the Financial Conduct Authority for investment and general insurance business (FCA Register No. 528774).

This communication is based on our understanding of the position as at the date shown. It should not be relied upon for detailed advice or taken as an authoritative statement of the law.

Award winning: rated top for the fifth time in 6 years

xpsgroup.com