Private and Confidential
Assurance Report on Internal Controls (AAF 01/06 and ISAE 3402)
For the year ended 31 December 2015
IMPORTANT
We permit the disclosure of the Report by the Reporting Accountants (“the Report”) on pages 23
and 24, in full only, to customers and potential customers (together “customers”) of Dalriada
Trustees Limited using Dalriada Trustees Limited pensions trustee services (as defined in the
appendix to this letter), Dalriada Trustees Limited’s co-trustees (where applicable), to pension
scheme members, relevant auditors and other professional advisers, to the Pensions Regulator and
to the public in general, to enable customers and their auditors to verify that a report by reporting
accountants has been commissioned by the directors of Dalriada Trustees Limited and issued in
connection with the internal controls of Dalriada Trustees Limited and without assuming or
accepting any responsibility or liability to them on our part, and on the condition that the directors
provide all such customers a written statement at the commencement of the Dalriada Trustees
Limited report in the form set out in Appendix 1 Section 5 of this report.
RSM NI (the “Reporting Accountants”) wish readers to be aware that the Reporting Accountants'
work for the Directors of Dalriada Trustees Limited was designed solely to meet their agreed
requirements and was determined by their needs at the time.
This Report should not be regarded as suitable to be used or relied on by any reader wishing to
acquire any rights against the Reporting Accountants other than the Directors (as a body) for any
purpose or in any context. In consenting to the posting of the Report on this website, the Reporting
Accountants do not accept or assume any responsibility to any readers other than the Directors (as
a body) in respect of the Reporting Accountants' work for the Directors, the Report, or any opinions
that the Reporting Accountants may have formed and, to the fullest extent permitted by law, the
Reporting Accountants will accept no liability in respect of any such matters to any readers other
than the Directors. Should any readers other than the Directors choose to rely on the Report, they
will do so at their own risk.
RSM NI
Chartered Accountants
Belfast
Table of Contents
Introduction ....................................................................................................................... 2
Background and organisational structure ................................................................................ 4
Pension Administration ......................................................................................................... 8
Information Security ........................................................................................................... 14
Risk Management ............................................................................................................... 16
Information Technology ...................................................................................................... 18
Report of the Directors of Dalriada Trustees Limited ............................................................... 21
Report by the reporting accountants ..................................................................................... 23
Summary of control objectives ............................................................................................. 26
Control procedures and audit testing .................................................................................... 31
Appendix 1 Letter of Engagement ......................................................................................... 57
Introduction
The directors of Dalriada Trustees Limited (“Dalriada”) are pleased to present our report detailing
the control procedures that are in place for our pension administration and pension database
services.
This report covers the year ended 31 December 2015 and has been prepared in accordance with
the Technical Release AAF 01/06 “Assurance Reports on Internal Controls of Service Organisations
made available to Third Parties” published by the Institute of Chartered Accountants in England
and Wales (“the ICAEW”).
As the control objectives are consistent with the International Standard on Assurance
Engagements (“ISAE”) 3402, Dalriada will be reporting on both standards for this reporting period.
The ISAE 3402, Assurance Reports on Controls at a Service Organisation, was issued in December
2009 by the International Auditing and Assurance Standards Board (“IAASB”), which is part of the
International Federation of Accountants (“IFAC”). The ISAE 3402 provides an international
assurance standard to allow public accountants to issue a report on the controls of a service
organisation that are likely to impact or be a part of a user organisation’s system of internal
controls over financial reporting.
The control objectives are set out on pages 26 to 29 and we demonstrate how we meet these on
pages 31 to 55. These measures have been audited and reported upon by RSM NI. This is the
fourth such report we have published.
Dalriada is a privately owned UK company that acts as a professional independent trustee. Our
organisation is managed by four directors who supervise the activities of a number of highly
experienced and qualified pensions administrators and support staff. We have clients throughout
the UK serviced from our offices in London, Bristol, Belfast, Glasgow and Manchester.
Dalriada provides a range of trustee services which include the provision of administration, pension
fund accounting, pension data audit, and pension benefit audit services to a range of pension
scheme clients. In addition, we have specialist expertise in remedial pension scheme data audit
work, which is often required where a scheme is considering buying out its liabilities or during
Pension Protection Fund (“PPF”) or Financial Assistance Scheme (“FAS”) assessment periods.
Dalriada was appointed to the PPF’s Trustee Advisory Panel (“TAP”) in September 2013. Our
specialist PPF and FAS team handle all aspects of the assessment process including project
management, administration and pension fund accounting.
Background and Organisational structure
Dalriada was established in 2003 and acts as an independent, professional trustee in the United
Kingdom providing a high quality service. Since our inception we have provided trustee services to
pension schemes at varying stages of their development including on-going schemes, schemes in
the process of winding up and schemes in PPF and FAS Assessment.
Dalriada has a number of sister companies. Spence is a professional firm of actuaries, pension
consultants, pension scheme information technology (“IT”) specialists and administrators. Dalriada
Pension Trustees Limited operates as a separate professional trustee company to provide
professional trusteeship services to pension schemes in Ireland. The Pensions Hosting Company
Limited is an IT software business providing web-based pension administration and actuarial
services. Veratta is a privately owned UK firm of data management, software development,
information security and IT specialists with a focus on the pensions and financial services industry.
Our clients are based throughout the UK and Ireland and are serviced from our offices in Belfast,
Bristol, Glasgow, London and Manchester.
Ellcon Investments Limited is the holding company for the Group.
Under our group’s matrix management structure Dalriada is able to draw on the experience of over
90 pension professionals across a range of disciplines. Specialist staff include project managers,
actuaries, consultants, administrators, pension fund accountants, and pension database experts.
The Group structure provides a flexibility which allows us to effectively manage resource levels to
match variable workflows from clients, ensuring a consistency of service.
Our structure is illustrated in the table below as a two dimensional matrix.
Our Practice Heads across all companies are responsible for all aspects of services to a particular
market.
Practice Heads take overall responsibility for services to clients by drawing on specialist staff from
within each of the functions.
Each Function is managed by a Function Head who controls all resources for client delivery and
provides these to the practice areas as required. The most relevant Functions for this report are
our Consultancy, Administration and Pension Data functions.
The role of the trustee representative is key to our working relationship with clients, and they have
overall responsibility for the service provided to their clients. The trustee representatives have
access to management information to enable them to plan and monitor progress on particular
projects and against agreed fee budgets.
The separation between our Functions is not hard and fast. Although staff members are primarily
associated with one Function they can potentially perform a role in more than one Function
because we deliberately train staff to develop multiple skills.
In addition to the direct client servicing functions our Corporate Services Function contains internal
finance, IT, HR and Business Support resources.
The Consultancy, Administration, Actuarial and Pension Database Function Heads report to Kerry
Stafford, Company Secretary and Corporate Services Function Head. The Marketing Function Head
reports to David Davison, our Chief Marketing Officer, and the Corporate Services Function and the
Practice Heads report to our Chief Executive Officer, Brian Spence.
Brian, David and Neil are also supported by a number of advisory groups:
Practice Heads’ Group – external affairs and business development (meets quarterly)
Function Heads’ Group – coordination of resources and internal operations (meets quarterly)
Strategy Group – long term planning (meets quarterly)
Operations Group – (meets monthly)
PPF/FAS Group – coordinates all AVP (Actuarial Valuation Panel), SASP (Specialist
Administration Services Panel) and TAP (Trustee Advisory Panel) work (fortnightly conference
call)
Finance Group – financial issues (meets quarterly)
IT Group – (meets quarterly)
Our statutory company boards meet quarterly and perform an oversight and governance role.
Pension Administration
Dalriada provides a full range of pension administration and pension database services operated
within a quality controlled environment where it acts as a trustee and these services are required.
In some circumstances, Dalriada may be appointed as trustee for a scheme where these services
are provided by a third party administrator, and in certain cases Dalriada may elect to outsource
some or all of these services to a third party administrator. The services provided by third party
administrators are outside the scope of this report, although the third parties may prepare their
own Assurance Report.
Our pension administration team carries out all tasks and operations under a strict quality control
and governance framework. We have procedures and checks in place to ensure the accuracy and
quality of our service.
Dalriada recognises that its administration service is the interface between a pension scheme and
its members and our pension administration team fully understands the importance of this. We
never lose sight of the fact that the primary objective of a pension scheme is to provide benefits
and information to its members in an accurate and timely manner. Pension administration is a
core service for our business rather than an adjunct to other services and we are committed to a
process of continuous improvement in terms of the services we provide to our clients.
A complete range of administration services are provided as a core and/or distinct element of our
service including:
calculation and communication of benefit entitlements;
processing of benefit settlements;
cash management - operation of the scheme bank account, cashflow analysis, investment and
disinvestment of funds as appropriate;
production of formal pension scheme annual report and accounts by our specialist pension fund
accounting team;
processing pension payroll; and
a comprehensive data and benefit audit reporting system to comply with the Pensions
Regulator’s record keeping requirement.
MANAGEMENT SYSTEMS AND CONTROLS
Key elements of our management systems and controls to ensure quality of service for our clients
include:
STRUCTURE
A key component of our approach to quality is the separation of responsibility within our Group
between the Practice Head who is responsible for identifying the needs of our clients and
strategically developing our service to meet these needs and our Function Heads (Consultancy
including Trusteeship, Administration, Fund Accounting and Pension Database Functions) who
manage the resources and day to day delivery of services.
PROCEDURES
Our procedures are owned by the relevant Function Head and documented as a series of controlled
documents available on our intranet site. Where relevant all documents are managed within our
formal Information Security Management System (“ISMS”). Dalriada’s ISMS is externally certified
under ISO/IEC 27001:2013 - Information technology - Security techniques - Information security
management systems - Requirements.
Most procedures are automated as workflows on our in-house workflow system which also captures
and measures our performance against Service Level Agreements.
CONTENT MANAGEMENT
All procedures, documents, records and information are managed within an extensively developed
SharePoint implementation with version control.
All of our members of staff have access to a wide variety of technical information sources.
CHECKING
There are strict checking procedures for all calculations and correspondence with our co-trustees
(where relevant), members and third parties.
Checklists are completed to ensure that all the required steps are followed. All calculations are
peer reviewed by a senior administrator (the checker) along with the checklist to ensure there are
no errors or omissions.
All approvals for calculations and correspondence are held within our workflow system.
SERVICE LEVEL AGREEMENTS
Traditionally a Service Level Agreement (“SLA”) for pension administration focuses on carrying out
an action (e.g. responding to an individual item of post or an email within a defined timescale). The
creation of an “action” becomes more of an end in itself rather than meeting the needs of a
member.
Our monitoring is around whole events (i.e. a member’s death) rather than actions. The traditional
approach would have been to allow a turnaround of one day, say in respect of any incoming
correspondence or trigger for action. A true measure of the performance of the Trustees, and of us
as administrators, is the time taken for the death benefits to actually be paid out.
A member (or in the event of their death, their dependants) will not really place great value on a
particular letter having been answered within one day but will want to know when their benefits
will be settled.
The administration team aim to carry out services and tasks accurately and efficiently to meet or
exceed SLAs. SLAs are continuously monitored internally and reported externally to trustees in the
form of a Stewardship report. The report details the tasks undertaken during the relevant period
and whether the SLAs have been met. This allows the trustees to monitor the performance against
the SLA.
ELECTRONIC DOCUMENT AND TASK MANAGEMENT
To underpin our workflow management system, we have implemented Microsoft SharePoint
software enabling us to introduce comprehensive electronic document management. All
correspondence for our clients is scanned and available for searching and retrieval. Our workflow
system enables pensions administrators to monitor closely the turnaround times on individual
pieces of work, the total amount of outstanding work and where any particular job is at any
moment in time. Dalriada has also developed advanced reporting tools so that detailed activity and
performance information can be extracted at any point in time and, indeed, forms the basis of our
standard Stewardship Reporting.
AUDIT
Compliance with our procedures is subject to internal audits and external audits (AAF 01/06 & AAF
02/07). The ISMS is subject to separate external audit for ISO 27001 purposes.
OUR EMPLOYEES
Our Company ethos is to provide worthwhile and interesting careers for all our employees. Our
Human Resources team works in partnership with our Function Head Group to deliver the HR
strategy of Attract, Manage, Develop, Retain and support the overall strategy of the Company.
Attract - As a Company we recruit the highest calibre of staff through robust and challenging
recruitment and security exercises to ensure our clients are supported by qualified, professional,
and credible employees.
Manage - We actively manage our employees in a collaborative manner and all our operational
employees engage with our performance management review process on an ongoing basis. The
results of the annual appraisals are integrated with our salary and bonus system rewarding high
performance against agreed objectives aligned with the needs of our business and our clients.
Develop - We adopt a supported Learning and Development approach working with our employees
through professional qualifications, formal study plans, and mentoring, to enhance the capability of
our employees and thus enhance our client service. All of our operational managers have been
taken through management development training which has been developed specifically in relation
to our company and industry.
Retain - At the heart of our processes, is effective communication. Through our engaging culture
we have enjoyed high retention levels which ensure consistency of delivery for our clients.
In support of the above:
We have clearly defined and documented policies and procedures governing the services we
provide which are clearly communicated to all relevant staff.
Our policies and procedures are regularly reviewed with a view to identifying and implementing
continuous improvements.
Changes to our policies and procedures are clearly communicated to all staff and relevant
contractors.
Compliance with our standards and relevant policies and procedures is regularly audited.
KNOWLEDGE MANAGEMENT
Sharing of expertise is paramount in our company and is implemented through our Knowledge
Management Framework; the diagram below outlines our process.
We appoint Knowledge champions who are expected to keep abreast of all developments in their
particular technical area and develop the company and client understanding on key updates.
CULTURE
Our culture has a vital role to play in the delivery of our vision and our achievement of quality.
Our culture is embedded in everything we do and lived out by our employees. We have annual
training days attended by all employees where we outline strategy and focus on Group wide
communication within an environment which encourages and allows open and honest feedback.
We always benefit from a tremendous level of participation by employees on these days and value
the input we receive from our employees.
Information Security
Information security is of paramount importance to our organisation. We are committed to
protecting information from a wide range of threats in order to preserve the confidentiality,
availability and integrity of that information, to ensure business continuity and to minimise
business risk for us and our clients.
Our group has engaged a CESG Listed Adviser Scheme (“CLAS”) consultant to provide information
assurance advice in relation to our systems and all recommendations have been implemented.
Since December 2011, Dalriada has been successfully certified under the International
Organisation for Standardisation, ISO 27001, an internationally recognised standard for
information security management. During 2014, Dalriada was recertified to ISO 27001:2013.
ISO 27001 is fast becoming the international touchstone for effective, secure information
management practices that protect organisations and ensure their compliance with data protection,
privacy and computer misuse regulations. The use of this standard primarily ensures business
continuity, minimising business damage by preventing and reducing the impact of security
incidents.
The security practices, policies and technical and physical controls adopted by Dalriada comply with
the ISO 27001 certification and are essential to ensure the safe and secure deployment of IT
systems and services, and to protect the interests of the firm’s people and its clients.
Our information security policy outlines our:
Commitment to information security
Protection of key assets: information, personnel, technology, processes
Risk management process
Training and awareness of staff and third parties
Reporting and resolution of information security breaches
Business Continuity Management System
Risk Management
Our risk assessment process involves identifying risk scenarios based on our key information
assets. Associated threats to these assets are identified, along with the vulnerabilities that might
be exploited by the threats.
Our Information Security Focus Group (“ISFG”) meets quarterly and analyses risk scenarios.
The business impact of each risk is assessed in terms of the consequences of a loss of
confidentiality, integrity or availability. This score is multiplied by ratings for business operational
impact (severity), likelihood (probability) and business criticality, giving a risk level on a scale of
1 to 243. Identified risks are analysed and evaluated against risk acceptance criteria. Once risks
have been identified and assessed, techniques to manage them fall into one or more of these
categories:
Avoidance (elimination)
Reduction (mitigation)
Retention (acceptance)
Transfer (insurance)
Risk Treatment Plans are drawn up to provide the basis for knowingly and objectively accepting
risks or implementing the required countermeasures. The Risk Treatment Plans will be escalated
and formally approved where appropriate.
The Risk Register is reviewed at planned intervals by our ISFG to reflect changes in the underlying
environment.
Information Technology
Dalriada’s IT infrastructure is hosted in an offsite datacentre and is managed by a combination of
in-house staff and an external managed service supplier to whom the following is outsourced:
24/7 pro-active monitoring and alerting system to ensure early warning of system failure.
Business hours access to an IT helpdesk for call escalation and 3rd level support services.
24/7 access to engineers for out of hours support services.
Managed daily backups and monthly restores and recovery tests.
Dalriada also utilises Mantle, an innovative web application provided by Dalriada’s sister company
The Pensions Hosting Company Limited.
Our voice network is hosted by BT with only end user devices held onsite.
NETWORK INFRASTRUCTURE
Voice and data are carried over leased high speed fibre optic lines with failover to an independent
Exchange First Mile copper connection.
To reduce the risk of a ‘one application, one server’ model, we use VMware vSphere 5.5 for server
virtualisation management.
SECURITY
Our IT infrastructure is protected by a range of security measures within our ISO 27001 framework
including:
Perimeter firewalls
Segregation of traffic using VLANs
Regular CESG CHECK penetration testing to ensure compliance with HMG policy
SHAREPOINT
We use SharePoint as a central resource for document management and workflow. Scheme
documentation, member correspondence and internal function process documents are worked on
and stored in this repository. Security permissions are in place to ensure that no conflicts of
interest occur across our clients, and sensitive documents are managed accordingly. Significant
on-going developments have been made over recent years enabling more efficient working
practices across all client related functions, including a bespoke document tagging feature.
BACKUP AND RECOVERY
Using our VMware implementation all servers bar one are virtualised, with each virtual machine
(“VM”) workload encapsulated into a single file containing the operating system, applications and
data. Virtualisation enables faster recovery in terms of provisioning and getting data back online
and is not dependent upon particular hardware.
Zerto replication technology is in place, replicating the primary IT infrastructure in the datacentre
back to the target Disaster Recovery IT environment in the Belfast office. Zerto replication offers a
resilient and reliable business continuity solution if the IT environment fails in the datacentre.
Veeam backup in the datacentre provides fast, flexible and reliable recovery of our virtualised
applications and data.
ADMINISTRATION DATABASE
Mantle is the most efficient pension administration system available in the market today and was
developed by our sister company, The Pensions Hosting Company Limited, to meet developing
industry needs. Functionality includes fully automated benefit calculations, document storage,
automated workflows, daily actuarial valuations and data audits.
Dalriada also utilises a separate Microsoft SQL based application for certain one-off projects and is
in the process of decommissioning this application for ongoing schemes.
EMAIL ARCHIVING
Dalriada has maintained an online database of all emails sent and received since it was founded in
2003.
Any email can be accessed within a matter of seconds using our email archiving software
Mimecast.
Mimecast is an online email archiving portal hosted on the cloud which backs up all mailboxes on
Exchange. It provides access to emails during outages through a web based personal portal giving
users access to their email in real time in cases where the core infrastructure may be offline.
END USER COMPUTING
Dalriada does not incur the risk associated with data residing on notebook computers or desktops,
because all access is provided using Citrix desktop virtualisation software.
Access to our network from outside the perimeter requires two-factor authentication.
Report of the Directors of Dalriada Trustees Limited
As directors of Dalriada we are responsible for the identification of control objectives relating to
pension scheme transactions in the provision of pension administration services and the design,
implementation and operation of the control procedures of Dalriada to provide reasonable
assurance that the control objectives are achieved.
In carrying out those responsibilities we have regard not only to the interests of our pension
scheme members, but also to the requirements of the business and the general effectiveness and
efficiency of the relevant operations.
We have evaluated the effectiveness of Dalriada’s control procedures having regard to the
International Standard on Assurance Engagements 3402 (ISAE 3402), issued by the International
Auditing and Assurance Standards Board, the Technical Release AAF 01/06 (AAF 01/06), issued by
the Institute of Chartered Accountants in England and Wales, and the criteria for pension
administration and pension database services. The control objectives identified include all of those
listed in Appendices 1(c) and 1(g) of the ICAEW AAF 01/06.
We set out in this report a description of the relevant control procedures together with the related
control objectives which were in operation during the year ended 31 December 2015 and confirm
that:
1. the report describes fairly the control procedures that relate to the control objectives referred
to above, which were in place for the year ended 31 December 2015;
2. the control procedures described were suitably designed throughout the year ended 31
December 2015 such that there is reasonable assurance that the specified control objectives
would be achieved if the described control procedures were complied with satisfactorily; and
3. the control procedures described were operating with sufficient effectiveness to provide
reasonable assurance that the related control objectives were achieved during the year ended
31 December 2015.
Neil Copeland
Director
Signed on behalf of the Board of Directors Date: 22nd February 2016
Dalriada Trustees Limited
Report by the reporting accountants
USE OF REPORT
This report is made solely for the use of the directors, as a body, of Dalriada and solely for the
purpose of reporting on the control procedures within Dalriada, in accordance with the terms of our
engagement letter dated 27 January 2016, which is attached as an Appendix to your report.
Our work has been undertaken so that we might report to the directors on those matters that we
have agreed to state to them in this report and for no other purpose. Our report must not be
recited or referred to in whole or in part in any other document nor made available, copied or
recited to any other party, in any circumstances, without our express prior written permission.
We permit the disclosure of our report, in full only, to customers and potential customers (together
“customers”) of Dalriada using Dalriada’s pension administration services (as defined in the
appendix to this letter), Dalriada’s co-trustees (where applicable), to pension scheme members,
relevant auditors and other professional advisers and to the public in general, to enable customers
and their auditors to verify that a report by reporting accountants has been commissioned by the
directors of Dalriada and issued in connection with the internal controls of Dalriada and without
assuming or accepting any responsibility or liability to them on our part, and on the condition that
the directors provide all such customers a written statement at the commencement of the Dalriada
report in the form set out in our engagement letter.
To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other
than the directors as a body and Dalriada for our work, for this report or for the opinions we have
formed.
SUBJECT MATTER
We have been engaged to report on the description and design, as at 31 December 2015, and
operating effectiveness of Dalriada’s control procedures designed to achieve the control objectives
throughout the year ended 31 December 2015.
RESPECTIVE RESPONSIBILITIES
Dalriada’s responsibilities and assertions are set out on page 21 of your report.
Our responsibility is to form an independent conclusion, based on the work carried out in relation
to the control procedures of Dalriada’s pension administration services as described in the
directors’ report and report this to the directors of Dalriada.
CRITERIA AND SCOPE
We conducted our engagement in accordance with the ISAE 3402 and the ICAEW Technical Release
AAF 01/06. The criteria against which the control procedures were evaluated are the internal
control objectives developed for service organisations as set out within the Technical Release AAF
01/06 and identified by the directors as relevant control objectives relating to the level of control
over customers’ assets and related transactions in the provision of pension administration services.
Our work was based upon obtaining an understanding of the control procedures as described on
pages 26 to 29, in the report by the directors, and evaluating the directors’ assertions as described
on page 20 in the same report to obtain reasonable assurance so as to form our conclusion. Our
work also included tests of specific control procedures, to obtain evidence about their effectiveness
in meeting the related control objectives. The nature, timing and extent of the tests we applied are
detailed on pages 31 to 55.
Our tests are related to Dalriada as a whole rather than performed to meet the needs of any
particular customer.
INHERENT LIMITATIONS
The control procedures designed to address specified control objectives are subject to inherent
limitations and, accordingly, because of their nature, control procedures at Dalriada may not
prevent or detect and correct all errors or omissions in performing administrative and accounting
procedures. Control procedures cannot guarantee protection against, among other things,
fraudulent collusion especially on the part of those holding positions of authority or trust.
Our conclusion is based on historical information. The projection of any evaluation of the fairness of
the presentation of the description, or opinion about the suitability of the design or operating
effectiveness of the control procedures to future periods would be inappropriate.
CONCLUSION
In our opinion, in all material respects:
1. the accompanying report by the Dalriada directors describes fairly the control procedures that
relate to the control objectives referred to above which were in place during the year ended 31
December 2015;
2. the control procedures described on pages 31-55 of this report were suitably designed such
that there is reasonable, but not absolute, assurance that the specified control objectives would
have been achieved if the described control procedures were complied with satisfactorily; and
3. the control procedures that were tested, as set out on pages 31-55 of this report, were
operating with sufficient effectiveness for us to obtain reasonable, but not absolute, assurance
that the related control objectives were achieved for the year ended 31 December 2015. The
control objectives identified include all of those control objectives listed in Appendices 1(c) and
1(g) of the AAF 01/06.
Date: 25th February 2016
RSM
Summary of Control Objectives
CONTROL OBJECTIVE AUDIT FINDINGS
1. ACCEPTING CLIENTS
Control objective: Accounts are set up and administered in accordance with the Schemes’ Trust Deed and Rules, or Appointment Order from the Pensions Regulator (“tPR”) and applicable regulations
Audit finding: No exceptions noted
Control objective: The appropriate Deed of Appointment is executed by all parties, or Appointment Order from tPR is received prior to initialising administration activity
Audit finding: No exceptions noted
Control objective: Pension schemes taken on are properly established in the system in accordance with the scheme rules and individual elections
Audit finding: No exceptions noted
2. AUTHORISATION AND PROCESSING TRANSACTIONS
Control objective: Contributions to defined contribution plans, defined benefit schemes, or both, and transfers of members' funds between investment options are processed accurately and in a timely manner
Audit finding: No exceptions noted
Control objective: Benefits payable and transfer values are calculated in accordance with scheme rules and relevant legislation and are paid on a timely basis
Audit finding: No exceptions noted
3. MAINTAINING FINANCIAL AND OTHER RECORDS
Control objective: Member records consist of up to date and accurate information and are updated and reconciled regularly
Audit finding: No exceptions noted
Control objective: Contributions and benefit payments are completely and accurately recorded in the proper period
Audit finding: No exceptions noted
Control objective: Investment transactions, balances and related income are completely and accurately recorded in the proper period
Audit finding: No exceptions noted
Control objective: Scheme documents are complete, up to date and securely held
Audit finding: No exceptions noted
4. SAFEGUARDING ASSETS
Control objective: Member and scheme data is appropriately stored to ensure security and protection from unauthorised use
Audit finding: No exceptions noted
Control objective: Cash is safeguarded and payments are suitably authorised and controlled
Audit finding: No exceptions noted
5. MONITORING COMPLIANCE
Control objective: Contributions are received in accordance with the scheme rules and relevant legislation (where Dalriada carry out the treasury function)
Audit finding: No exceptions noted
Control objective: Services provided to pension schemes are in line with agreed service levels.
Audit finding: No exceptions noted
Control objective: Transaction errors are rectified promptly and clients treated fairly
Audit finding: No exceptions noted
6. REPORTING TO CLIENTS
Control objective: Periodic reports to Trustees and scheme sponsors, where applicable, are accurate and complete and provided within agreed timescales
Audit finding: No exceptions noted
Control objective: Annual reports and accounts are prepared in accordance with applicable law and regulations
Audit finding: No exceptions noted
Control objective: Regulatory reports are made if necessary
Audit finding: No exceptions noted
INFORMATION TECHNOLOGY
7. RESTRICTING ACCESS TO SYSTEMS AND DATA
Control objective: Physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals.
Audit finding: No exceptions noted
Control objective: Logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.
Audit finding: No exceptions noted
Control objective: Segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles.
Audit finding: No exceptions noted
8. PROVIDING INTEGRITY AND RESILIENCE TO THE INFORMATION PROCESSING ENVIRONMENT, COMMENSURATE WITH THE VALUE OF THE INFORMATION HELD, INFORMATION PROCESSING PERFORMED AND EXTERNAL THREATS
Control objective: IT processing is authorised and scheduled appropriately and exceptions identified and resolved in a timely manner.
Audit finding: No exceptions noted
Control objective: Data transmissions between the service organisation and its counterparties are complete, accurate, timely and secure.
Audit finding: No exceptions noted
Control objective: Appropriate measures are implemented to counter the threat from malicious electronic attack (e.g. firewalls, anti-virus etc).
Audit finding: No exceptions noted
Control objective: The physical IT equipment is maintained in a controlled environment
Audit finding: No exceptions noted
9. MAINTAINING AND DEVELOPING SYSTEMS HARDWARE AND SOFTWARE
Control objective: Development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented
Audit finding: No exceptions noted
Control objective: Data migration or modification is authorised, tested and, once performed, reconciled back to the source data
Audit finding: No exceptions noted
10. RECOVERING FROM PROCESSING INTERRUPTIONS
Control objective: Data and systems are backed up regularly, retained offsite and regularly tested for recoverability
Audit finding: No exceptions noted
Control objective: IT software and hardware issues are monitored and resolved in a timely manner
Audit finding: No exceptions noted
Control objective: Business and information systems recovery plans are documented, approved, tested and maintained
Audit finding: No exceptions noted
11. MONITORING COMPLIANCE
Control objective: Outsourced activities are properly managed and monitored
Audit finding: No exceptions noted
Control procedures and audit testing
CONTROL PROCEDURE AUDIT TESTING
1. Accepting clients
Control procedure: On confirmation that Dalriada have been appointed by Deed of Appointment or by Order of tPR and will be providing administration services, a New Client Implementation Document is prepared to act as a project planning document. As part of the client take-on process, the relevant client take-on documentation is completed as outlined in the client take-on process note. Standard administration tasks are also added to the workflow system, reflecting standard performance timescales or bespoke timescales.
Audit testing: Verified for new schemes taken on during the year that the New Client Implementation Document, Pre-Appointment Conflict Consideration and Accepting Trusteeship Risk Management documents have been completed and signed off by the Client Manager.
No exceptions noted
Control procedure: Only on receipt of a signed Deed of Appointment or Appointment Order from tPR can the client be added to the workflow system such that people are able to record time against the client. Occasionally, due to time constraints, Dalriada may be required to carry out some work before it is possible to have the Deed signed. On receipt of a signed Deed or Order from tPR, this is scanned to SharePoint and tagged appropriately.
Audit testing: Verified for new schemes taken on during the year that the Deed of Appointment and Fee and Service Agreement have been received and signed by Dalriada and the co-Trustees before the client is added to the workflow system.
No exceptions noted
Control procedure: As part of the implementation process a copy of all scheme documentation is requested. This documentation is reviewed and, where administration services are provided, forms the basis of scheme benefit specifications which are reviewed and signed off. Where appropriate, the Benefit Specification is reviewed and signed off by our co-trustees and/or the scheme’s legal advisers, particularly if there is any ambiguity in interpretation or if there is any concern that the benefits provided do not comply with legislative requirements. The remaining control objectives assume that the relevant service is not outsourced to a third party.
Audit testing: Verified for new schemes taken on during the year that the Scheme Installation Checklist has been signed and filed and that the Benefit Specification has been compiled from the Scheme Rules and signed by the administrator, client manager and the trustees.
No exceptions noted
Control procedure: Prior to commencement of administration services, the Pension database team’s business analyst reconciles scheme data provided by the previous administrator to Dalriada’s administration system, and raises any exceptions regarding missing or incorrect data with the client manager. Data is analysed using Dalriada’s bespoke data audit software, which generates reports that identify any gaps or errors in the data received. Reports generated by the data audit, along with correspondence to resolve any data gaps or errors, are held on our document management system.
Data is requested in all forms and any electronic data is imported onto Dalriada’s administration system and tested against the data quality standards set out by the Pensions Regulator. Membership statistics are reconciled to the last set of audited Accounts and to control totals provided by the previous administrator. Where necessary, remedial action is proposed in the event that data is materially deficient to the extent that Dalriada cannot carry out some or all of the services they have been contracted to perform.
Audit testing: Verified for new schemes taken on during the year that data migration and reconciliation has been carried out, as well as a data audit to test the data quality standards.
No exceptions noted
Control procedure: Scheme data reconciliations and correspondence relating to the follow-up of any gaps or errors identified are verified by a member of the Pension database team, as evidenced by the sign-off on the scheme installation checklist. Copies of work relating to the installation are held on our document management system.
Audit testing: The Scheme Installation Checklist has been completed as far as possible for the work in progress with respect to each client take-on in our sample.
No exceptions noted
Control procedure: Wherever possible, Dalriada request sight of any previous administrators’ specifications and/or details of custom and practice to establish any precedent in areas of interpretation of the Rules where this might not be clear and where member-specific benefits may override, for example where senior employees have an entitlement to different benefits detailed in an individual announcement letter.
Audit testing: Due to all client take-ons during the year being work in progress, we were not able to test this control procedure.
No exceptions noted
Control procedure: The benefit specification is prepared by the administrator and reviewed by the client manager. Where appropriate, the benefit specification is reviewed and signed off by the trustees and/or the scheme’s legal advisers, particularly if there is any ambiguity in interpretation or if there is any concern that the benefits provided do not comply with legislative requirements.
Audit testing: For the sample chosen and all client take-ons during the year, the development of the Benefit Specification was work in progress still to be completed and therefore could not be tested.
No exceptions noted
Control procedure: All documentation is scanned, tagged and filed in SharePoint for ease of reference.
Audit testing: Verified that scanned documents have been saved in SharePoint with original documentation held in the Glasgow office.
No exceptions noted
2. Authorising and processing transactions procedure
Control procedure: Procedures are followed for banking cheques and electronic credits and contributions monitoring, whereby all cheques received are logged and banked on the same day by the Business Support Team (“BST”). Electronic credits are logged by the accounts team. The paperwork accompanying the cheque/electronic credit is passed to the accounts team, who prepare a deposit form and update the transaction on QuickBooks to record receipt of the contributions. The deposit form is signed by the fund accountant/cashflow administrator and is filed.
Audit testing: For each month selected during the period, verified for a sample of transactions that once the receipt instruction was received a deposit form was completed, signed off by the necessary signatories and QuickBooks was updated on a timely basis.
No exceptions noted
Control procedure: The contributions monitoring spreadsheet is reviewed on the 15th of each month and any outstanding contributions usually received by that date are followed up. The receipt of the remainder is monitored. Any late contributions are notified to the client manager, actuary and trustees. They are recorded on the breaches log, which is on the agenda at the quarterly board meetings.
Audit testing: For each of the receipt transactions selected, ensured that contributions are processed accurately and on a timely basis in accordance with a schedule agreed between the employer and the trustees, with member contributions having to be paid to the trustees before the 19th of the month following the deduction of the contributions from the members’ salaries.
No exceptions noted
Control procedure: At least three months in advance of a member’s normal retirement age a task is created on the workflow system. An administrator can be notified of a task to calculate benefits by post, email or ‘other’ (e.g. phone call, verbally, meeting minute). The request is set up as a task within the workflow system and an administrator will complete the appropriate checklist.
Audit testing: From the sample of benefits payable selected, ensured that processing requests are authorised and checked prior to submission by a senior administrator or manager, payments are processed accurately and on a timely basis, and the appropriate checklist is completed and signed by the relevant administrators.
No exceptions noted
Control procedure: Calculations are processed by an administrator in accordance with the scheme rules, with reference to the scheme’s benefit specification where appropriate. All calculations are checked by a senior administrator or administration manager. Approval workflows are run against all calculations and documents prepared, along with the checklist. The workflow tasks are monitored by the administrator and the administration manager with the aim that they will be finalised within the service level agreement agreed with the client. Once the task is finalised, the workflow checklist will be completed.
Audit testing: From the sample of benefits payable selected, verified that the workflow checklist had been completed and signed off by two members of the administration team.
No exceptions noted
Control procedure: Procedures are followed for making cheques and electronic payments from the scheme bank account. Payments are processed by the fund accountant within 1 day of the request and with the appropriate backing papers detailing the amount payable. Payment withdrawal forms are processed and checked by separate staff, and cheques/electronic payment instructions are signed in accordance with the bank mandate by staff who are different from the requestor, processor and checker. Once a task has been completed it is closed off on the workflow system.
Audit testing: From the sample of benefits payable selected, verified that payments are processed accurately and on a timely basis, supporting documentation for the payments is included, there are two signatories on each cheque and there is evidence that the QuickBooks account balance has been updated.
No exceptions noted
Control procedure: Every month a payroll administrator updates the control spreadsheet with the payment date and the latest date on which the payment file can be submitted to the bank (taking into account bank/public holidays).
The payroll administrator maintains a monthly payroll checklist, detailing for each payroll each stage of running and paying the payroll. This checklist is monitored during the period to ensure payment dates are met.
Any changes are notified to the payroll team by a set monthly cut-off date and are applied to the payroll. As changes are received they are added to the carry-forward spreadsheet.
The payroll is run using Sage 50 Payroll Professional. Each payroll run for each client is reconciled by the payroll administrator for recorded changes against the previous payroll run. Each change and reconciliation is peer reviewed for accuracy.
Reconciliations and payroll reports for each period are saved on our file management system, SharePoint.
Audit testing: Verified for a sample of internal payroll runs for a number of pension schemes that a payroll checklist is completed and updated and a reconciliation is carried out for any amendments against the previous payroll run. Ensured that a peer review of payroll changes is carried out and there is evidence of the payroll file being checked against payroll data.
No exceptions noted.
Control procedure: The payment file is checked against the payroll data before being uploaded to the online banking facility. Monthly payrolls are checked and approved for payment by the administrator. The administrator will reconcile any changes to the payroll against the administration data to check that the correct pensions are being paid.
Pension increases are calculated in accordance with the scheme rules. Recurring tasks are set up on the workflow system for the increases to be calculated either on anniversary or annually, depending on the scheme rules. The increases are checked by a senior administrator and a checklist is completed.
Audit testing: Verified for a sample of monthly payrolls that they had been checked and approved for payment by a member of the administration team.
No exceptions noted
3. Maintaining financial and other records
Control procedure: For schemes that have active members a recurring task is set up on the workflow system for pre-renewal schedules to be sent to each client site prior to the renewal date. A checklist is updated throughout the process. Once all the data has been returned, the administrator follows the annual renewal checklist and updates members' salary and status data, which is reconciled against the data received from the client. Any discrepancies are investigated and resolved. The renewal is then processed and benefit statements for each active member are produced. All calculations and statements are checked by a senior administrator.
Audit testing: For a sample of active schemes, verified that the scheme data has been updated and reconciled against data received from the client. Ensured that a renewal checklist had been completed for each scheme and that the checklist had been peer reviewed.
No exceptions noted.
Control procedure: Where applicable, member data is also kept up to date through periodic and ad hoc data loads, including payroll data, pension increase data and changes to personal details. The information relating to these data loads is provided to the Pension database team. On receipt of data, a business analyst follows the scheme update checklist to load the data onto Dalriada’s administration system. The data is reconciled back to the source data. Copies of work relating to data loads are held on our document management system.
Audit testing: For a sample of data loads, ensured that the scheme update checklist had been completed, a reconciliation to source data had been completed and peer reviewed, and a confirmation letter had been sent, and verified that the checklist is maintained on the document management system.
No exceptions noted.
Control procedure: Any changes to the scheme membership are recorded on our administration database when advised by members, clients or trustees. When calls are received from members, verification is sought by asking for date of birth and national insurance number. Changes can be made on receipt in writing from members. Ad hoc checklists are completed and backing documentation is scanned and filed in the member’s file.
Audit testing: For a sample of schemes, ensured that the member’s details are updated, that the relevant backing documentation is received and that the appropriate checklist is completed and peer reviewed.
No exceptions noted
Control procedure: All changes are checked by another administrator. Following a new application, cessation of service, retirement, death or transfer of benefits, the member's status is updated on our administration database. An approval workflow is run against a PDF copy of the member print for any status changes and the appropriate checklist is completed and checked by a senior administrator.
Movements in active, deferred and pensioner numbers are reconciled on an annual basis as part of the accounts preparation process. Any discrepancies are investigated and resolved.
Audit testing: Ensured that a periodic report on membership is prepared for a sample of schemes, with membership data reconciled to the scheme accounts.
No exceptions noted
Control procedure: Any documentation received from members or third parties is scanned and filed in SharePoint and checked by the administrator. Documentation for transfers out includes the discharge forms signed by the member and details of the receiving scheme, and for deaths and retirements includes birth/death/marriage certificates, retained benefit forms and evidence, signed option forms and trustee or company authorisation where required. Copies of documents are tagged and filed in SharePoint. Any original documents are returned to the member by recorded delivery.
Audit testing: Verified for a sample of transfers out, deaths and retirements that the relevant notification and documentation had been received, the checklist and calculations were completed, the system had been updated and peer review was completed.
No exceptions noted
Control procedure: The pension payroll service administrator is advised of any new pensions to be added to the payroll and this request is checked by another administrator. The cessation of a pension, for example on a pensioner’s death, is advised to the pension payroll service administrator immediately by the administrator.
Audit testing: Verified correspondence with the pension payroll service administrator for a sample of deaths.
No exceptions noted
Control procedure: Each scheme has its own bank account and the financial records are maintained separately. Passwords are required to access each scheme account. All credits and payments are recorded on a scheme cashbook following the procedures for banking cheques and electronic credits and the procedures for making cheques and electronic payments from the scheme bank account. The scheme deposit form is filed along with any supporting documentation and the amount received is checked against any schedule/confirmation advice. The scheme withdrawal form is checked against, and filed along with, the supporting benefit documentation.
Audit testing: Verified for a sample of various scheme bank accounts throughout the period that monthly bank reconciliations had been carried out on a timely basis and peer reviewed.
No exceptions noted.
Control procedure: The procedures for carrying out bank reconciliations are followed, whereby the cashbook is reconciled against the bank statement for the trust account each month/quarter and any anomalies are investigated. Bank reconciliations are completed within 5 working days of receipt of the bank statement, unless queries arise which cause a delay. Uncashed cheques are monitored by the fund accountant and, if more than one month old, are notified to the scheme administrator. The cheque system is reviewed and any outstanding lodgements are processed or queried and cleared down. Bank statements and the bank reconciliation report are filed in SharePoint and the paper copies of bank statements are filed with the other post items but in a separate folder.
Audit testing: From our sample of contributions made by cheque and the monthly bank account reconciliations, all lodgements had been cleared down and we confirmed the bank statements were filed with other post items but in a separate folder.
No exceptions noted
Control procedure: As part of the annual scheme accounting process the fund accountant reconciles the contributions to the schedule of contributions, and the benefit payments to the member movement report produced from our administration database. Any discrepancies are investigated and resolved.
Audit testing: Verified that a sample of contributions are paid in accordance with a schedule agreed between the employer and the trustees, and obtained evidence that for a sample of late contributions these had been appropriately recorded in the compliance breaches log and notified to the trustee board and actuaries if required.
No exceptions noted
Control procedure: As part of the annual accounting process, the fund accountant reconciles the investment valuation, investment income, purchases and sales with data received from the investment managers. Any discrepancies are checked and investigated by the fund accountant. Investments and disinvestments in the scheme cashbook are reconciled to the investment manager's transactions.
Audit testing: Verified for a sample of schemes that reconciliations are carried out with the investment manager's data. No discrepancies were noted for follow-up.
No exceptions noted
Control procedure: Journals are posted to the trial balance and period end balances inserted into the accounts template on an annual basis in accordance with the Statement of Recommended Practice and disclosure regulations.
Audit testing: Verified for a sample of schemes that the template used to prepare the accounts is in accordance with the SORP and disclosure regulations, the movement in deferred/active/pensioner numbers is reconciled, bi-monthly meetings are held to monitor progress, and the accounts have been peer reviewed, signed by the trustees and the auditor and filed within the statutory seven-month deadline.
No exceptions noted
Control procedure: No original documents are held on file; they are sent to the legal advisers or to offsite storage. All scheme documents are scanned and filed in SharePoint. Any new or amending documentation is scanned and filed to ensure that the latest scheme documentation is maintained and held on file.
Audit testing: Verified for a sample of schemes that any original documents are lodged with the Scheme's legal advisers or held securely offsite and have been scanned and filed in SharePoint.
No exceptions noted
4. Safeguarding Assets
Control procedure: Access to Dalriada premises is restricted to authorised personnel. Additional restrictions are in place in respect of access to IT areas.
Audit testing: Verified the physical security in place to prevent unauthorised access to the Belfast office and the additional restriction of access to the server room to authorised personnel only.
No exceptions noted
Control procedure: Passwords are used by individual members of staff and laptops/PCs are locked when staff are away from their desks. Only the IT team can set up access to systems and access to scheme data on our administration database.
Audit testing: Reviewed the password policy and change control request process and ensured that users are periodically prompted to change their passwords.
No exceptions noted
Control procedure: Access to Dalriada networks and the administration database is restricted to authorised individuals, who gain access with unique logins and passwords that are compliant with industry standards.
Segregation of duties rules for pensions administrators are enforced by security profiles built into the administration system. Profiles are assigned to pensions administrators based on their roles and responsibilities. User access to the systems is reviewed on a regular basis.
Audit testing: ISO auditors carried out a recertification of compliance with ISO27001 in September 2014 and no issues were noted.
There is also a monthly review by IT to ensure that only firm employees have access to systems; for example, only firm-issued mobile devices can access Dalriada email.
No exceptions noted
Control procedure: All new staff complete an online data protection training course as part of their induction when they join the Company. Refresher training is given periodically as and when required. Staff sign a security and confidentiality policy, a copy of which is held on their HR record.
Audit testing: Verified that a log of employees’ attendance at Data Protection training is maintained and is up to date. All new staff are given data protection training when they join the business and a refresher in Data Protection is provided every three years thereafter.
No exceptions noted
Control procedure: Member and scheme data is stored electronically on our administration database and in SharePoint. Any data/correspondence held in paper form pre-dating the introduction of SharePoint is securely held offsite. Dalriada outsource their off-site storage and archive facilities to a specialist organisation. In the event it is necessary to retrieve paper files, these are scanned to SharePoint and the originals returned to off-site storage.
Audit testing: Verified the storage of data on the administration database and SharePoint and the existence of the SLA in place with the off-site storage company. Dalriada carried out a review of the third party storage company at their premises during the year.
No exceptions noted
Control procedure: All incoming correspondence is scanned using Knowledge Lake software by the business support team. Outgoing mail is created and filed on SharePoint. No paper is retained in the work area and any printed material from the system is securely destroyed.
Audit testing: Verified that a sample of correspondence is scanned and filed in SharePoint and, for a sample of outgoing correspondence, ensured that there was evidence the correspondence had been peer reviewed prior to being sent out.
No exceptions noted
Control procedure: The Business Continuity Plan (“BCP”) sets out the processes and procedures used to counteract interruptions to business activities and to protect critical business processes from the effects of failures or disasters affecting our information and broader IT systems, and to ensure their timely resumption.
Audit testing: Verified that there is a BCP in place and that events triggering the BCP are summarised with findings and recommendations for improvement. Server testing was undertaken during the year and recovery time has now been reduced to less than three hours as a result of backups now being made to an offsite data centre.
No exceptions noted
Control procedure: Dalriada have obtained ISO27001 (information security) accreditation.
Audit testing: ISO auditors carried out a recertification of compliance with ISO27001 in September 2014 and no issues were noted.
No exceptions noted
Control procedure: When taking on the administration of the trust account, bank forms and the required information are sent to the bank along with a copy of the trust deed. The Bank is notified of a change in cheque signatories and appropriate documentation is forwarded to the bank.
Audit testing: Verified for the sample of schemes selected that for new bank accounts opened, application forms and mandate papers had been obtained with evidence of authorised signature by the trustees. Also verified that the process for updating cheque signatory documentation was secure, through review of Board papers.
No exceptions noted
Control procedure: Cheques are banked on the day of receipt unless they are subject to query. Payments are processed on the same day or the next day. Cash movements are recorded on a daily basis on the internal accounting system.
Audit testing: Tested as part of section 2, Authorising and Processing Transactions.
No exceptions noted
Control procedure: Trust account balances are circulated to the administration team and any of the client managers who have requested bi-monthly updates (approximately on the 1st and 15th day of each month). Payments are processed and checked by separate individuals. At least two cheque signatories are required for all payments and are different from the requester, processor and checker.
Audit testing: Tested as part of section 2, Authorising and Processing Transactions.
No exceptions noted
Private and Confidential 41
CONTROL PROCEDURE AUDIT TESTING
Control procedure: Cheque books are held in a secure location only accessible by staff.
Audit testing: Verified that cheque books are held in a secure location only accessible by staff.
No exceptions noted

Control procedure: Cashflows are carried out in accordance with the Cashflow Procedures and investments or disinvestments are carried out where appropriate. The cashflow administrator ensures that the investment manager processes the investment/disinvestment and that the disinvestment amount requested is received into the scheme bank account.
Audit testing: Verified for a sample of schemes that cashflows are monitored by the cashflow administrator, either monthly or quarterly depending on the scheme, that a cashflow is completed by the scheme administrator and peer reviewed, and that the approval of the Trustee is received before an investment or disinvestment transaction is executed.
No exceptions noted

Control procedure: Scheme expenses are not processed unless authorised by the relevant authoriser on the invoice, by email or on SharePoint. The cashflow administrator also needs to be aware of the payment.
Audit testing: Tested as part of section 2, Authorising and Processing Transactions.
No exceptions noted
5. Monitoring Compliance
Control procedure: The procedures for contributions monitoring are followed. The credit is logged and at the same time processed on the accounting system. Cheques are banked on the same day unless a query arises. A scanned copy of the latest Schedule of Contributions is held on SharePoint. The amounts due are entered on the contributions monitoring spreadsheet and monitored. Any unusual differences are investigated. The contributions monitoring spreadsheet is reviewed on the 15th of each month and any outstanding contributions usually received by that date are followed up. The receipt of outstanding contributions is monitored. Any late contributions are notified to the client manager. They are recorded on the breaches log, which is on the agenda at the quarterly board meetings.
Audit testing: Tested as part of section 2, Authorising and Processing Transactions. For the sample selected, obtained evidence that any late contributions or late signing of accounts had been appropriately recorded in the compliance breaches log and had been brought to the attention of the relevant actuary or trustees.
No exceptions noted

Control procedure: Service level agreements (“SLAs”) are reported to the trustees in Stewardship Reports. The administration team aim to carry out services and tasks accurately and efficiently and to meet SLAs.
Audit testing: Ensured for a sample of schemes that signed SLAs are in place between Dalriada and the schemes selected.
No exceptions noted
Control procedure: A workflow system is in place for all tasks carried out by the administration team. As soon as a task is initiated it is recorded on the workflow system by the administrator (the owner). Each task has an SLA that is clearly defined from when the task begins to when it ends.
Reports can be run off the workflow system so that SLAs and statutory deadlines can be monitored. The administrator and the administration manager monitor each task against the service standards and disclosure deadlines so as to highlight any instances where service standards are being breached. Service standards are always shorter than disclosure deadlines and therefore disclosure breaches should be avoided unless extenuating circumstances arise.
Stewardship reports' contents and frequency are agreed by the scheme trustees. They will contain a report from the workflow system detailing the tasks undertaken during the relevant period and whether the SLAs have been met. This allows the trustees to monitor their performance.
Audit testing: Verified from a sample of workflows that Dalriada have internal reporting deadlines which are shorter than disclosure deadlines, therefore minimising the number of service standards being breached. Also verified a number of tasks appearing in owners' Outlook, highlighting and acting as a reminder of tasks to be completed.
No exceptions noted

Control procedure: Procedures are followed for errors and omissions whereby any transaction errors are notified immediately by the administrator to their line manager and the client manager. Details of the error or omission are entered in the appropriate section of the ‘Regulatory Breaches Log’ and consideration is given to the need for any further action that may be required. All errors and omissions are notified to the board of directors as part of the internal management information reporting process. The client manager will determine if any further action is required and notify the relevant parties to implement it.
Audit testing: We could not test this control as there were no errors recorded during the year.
No exceptions noted
6. Reporting to Clients
Control procedure: A report of members reaching normal retirement date in the next 12 months is produced as part of the stewardship report. Any other movement requiring trustee approval is also recorded and detailed on the stewardship report. Stewardship reports are provided for each scheme as determined by the client manager. The reports contain membership details provided from our administration database and a reconciliation of membership is carried out. They also contain details of any member movements for the period of the report. When the scheme administrator has checked the report it is forwarded to the Trustee as and when required.
Audit testing: Verified for the sample of schemes selected that quarterly stewardship reports are prepared detailing member movements, reconciled to ensure accuracy, and that the report is peer reviewed before being issued in a timely manner.
No exceptions noted

Control procedure: For schemes that have active members a recurring task is set up on the workflow system for pre-renewal schedules to be sent to each client site prior to the renewal date. A checklist is updated throughout the process. Once all the data has been returned the administrator follows the annual renewal checklist and updates members' salary and status data, which is reconciled against the data received from the client. Any discrepancies are investigated and resolved. The renewal is then processed and benefit statements for each active member are produced. All calculations and statements are checked by a senior administrator.
Audit testing: Verified for the sample of schemes selected that bulk members' data updates and ad-hoc individual member updates are reconciled on a regular basis, differences are investigated and resolved, and checklists and annual membership schedules are prepared and peer reviewed before being sent to members.
No exceptions noted

Control procedure: Annual reports and accounts are prepared using the accounts template, which complies with the latest Statement of Recommended Practice (“SORP”) for pension schemes. Any changes to the standard template are logged on a proposed amendments spreadsheet. As part of the drafting process annual reports are peer reviewed by another fund accountant in the team prior to audit. Evidence of peer review is maintained through SharePoint. A report and accounts project is set up to record completion of each task by the statutory deadline.
The draft report will be passed to the client manager for review.
Audit testing: Verified that a standard reporting format was in place for the creation of annual reports and accounts and that this format has been updated as a result of the most recent changes to the SORP. Verified for a sample of annual reports prepared that they have been checked by a second member of staff to confirm their completeness and accuracy, and signed by both the trustees and auditors within the statutory reporting deadline.
No exceptions noted
Control procedure: Initially a timetable is set for signing within five months. Bi-weekly meetings are scheduled to monitor progress of the report and accounts projects against the statutory deadlines. Following the meeting a report is circulated to the consultancy team.
Procedures are followed for regulatory breaches which set out the statutory deadlines applicable. The administrator and the administration manager monitor tasks on the workflow system to ensure that cases that are approaching the statutory deadline are highlighted and followed up. Where a case approaches the statutory deadline the administrator informs the client manager. Any breach is notified by the administrator to the administration manager, the client manager and the scheme actuary as soon as he/she becomes aware of the breach. Details of any breach are entered in the relevant section of the ‘Regulatory Breaches Log’. All compliance breaches are notified to the board of directors as part of the internal management information reporting process. The client manager should determine if a regulatory report is required.
Audit testing: Verified the existence of procedures for regulatory breaches and obtained a copy of the breaches log for the period. The client manager and actuary were informed of the breaches and they were reported to the board of directors.
No exceptions noted
7. Restricting access to systems and data
Control procedure: The business operates across five office sites: Belfast, Bristol, Glasgow, London and Manchester. The Physical and Environmental Process (Process 11) outlines physical controls: securing offices, rooms and facilities; protecting against external and environmental threats; working in secure areas; public access, delivery and loading areas; equipment security; power supplies; cabling security; equipment maintenance; secure disposal or re-use of equipment; and removal of property.
The primary IT infrastructure resides at a secure, ISO 27001 certified, world class, off-site data centre. A biometric hand entry system is in place and access to the lobby is via a full height turnstile. Photographic ID is required, and data halls are accessed and lifts are controlled by passcards.
The Disaster Recovery infrastructure is located in office premises and physical access is restricted to authorised keyholders. The on-site server rooms are equipped with air-conditioning systems which are maintained on a regular basis. A system is in place to control the temperature and humidity, and fire extinguishers are located nearby.
The Belfast office is manned by security during office hours and is locked outside office hours. Only staff who require access outside office hours are given keys, as approved and issued by the Business Support team, who maintain a list of key holders. Opening and closing procedures for each location have been issued to all staff and awareness training has been conducted. A key fob is required for entry to the Glasgow office building, so one is issued to all staff.
Staff inform the Business Support team if keys or key fobs are lost. Access to the main office is restricted to entry by a keypad code in Belfast and a key fob in Glasgow, which is only provided to staff. Access to storage areas in the Belfast office is restricted to staff in possession of a key fob. Storage facilities in the Glasgow office are locked by individual staff. Other authorised personnel (e.g. temporary staff and cleaners) are issued with keypad codes and key fobs providing access to the main office only but not to restricted areas.
Audit testing: As pension administration activity is largely performed from the Belfast office, our testing was limited to this location. Verified for the Belfast office that access to the office is secure, the office has an alarm system installed and that only authorised business support staff can access the secure documentation room and server room, where a visitors log is completed upon entry and exit.
No exceptions noted
Control procedure: Any visitors are recorded in the visitors’ books and are issued with a pass which contains their name, company, who they are visiting, and the time and date of entry. Passes are returned to reception on leaving.
Windows laptops are configured by an automated build to have password protection, and data encryption is enforced. Encryption for Windows laptops is managed via Active Directory, as the BitLocker key for the internal hard drive synchronises with the Active Directory entry for each Windows laptop on the domain. When MacBooks are set up by IT Support the MacBook is encrypted with FileVault encryption and a password is set for the user, who is then asked to change this during first use. (Access Control Process (Process 9))
Audit testing: Verified that only authorised personnel and the outsourced provider of IT services have access to change passwords via Active Directory.
No exceptions noted

Control procedure: The company enforce a clear desk and clear screen policy. This is enforced through the Security and Confidentiality Policy. Security training and awareness sessions are run periodically for all staff. Any client correspondence or documentation containing client information left on any desk or on the printers at the end of each day is disposed of in the confidential waste. Individual staff members are accountable. An Information Security Focus Group manage all security weaknesses and vulnerabilities and meet quarterly and/or when required to review risks, vulnerabilities, treatment, and corrective and preventive plans. All security events/weaknesses are analysed for root cause and business impact, reviewed, and issues escalated to the Board for further action.
Documentation is either stored electronically on the network or in paper form.
Documentation in paper form is stored off-site in a secure storage facility with Doxbond (local to the Belfast office). When there is a need for paper documentation to be stored in the office it is kept in our secure storage areas in accordance with our clear desk policy.
Audit testing: Verified that paper form documentation is held in the secure documentation room in filing cabinets and off-site with the off-site storage company. Reviewed the incident log and internal audit issues log and a sample of minutes from the quarterly Information Security Focus Group meetings, and verified review and ownership assignment for actioning of logged security events/weaknesses. The off-site third party secure storage now covers all offices and an SLA with the provider was signed at the end of 2014.
No exceptions noted
Control procedure: As part of the Human Resources Security Process (Leavers Process, 40), upon termination of employment all access rights are disabled and any IT assets, e.g. laptop, mobile phone, keys or fobs, are returned and codes are changed.
Audit testing: For a sample of leavers during the period being tested, ensured their access rights were disabled and any IT assets returned.
No exceptions noted

Control procedure: All access to computer equipment and systems is protected by passwords. Passwords expire after 42 days and users are prompted to change them. The domain security policy requires that passwords must be complex, at least 15 characters in length and alphanumeric. This is detailed in the company's Security and Confidentiality Policy for staff and backed up by the Access Control Process (Process 9).
All data must be stored on the corporate network and no data is permitted to be stored locally on laptops. Access to data stored on the network is restricted using appropriate permissions. Functional groups of users are maintained, each with appropriate levels of access permissions based upon their job function. Only the outsourced IT provider and the authorised IT Technician can amend an individual’s permissions. Access rights are reviewed and amended as necessary, i.e. when roles change or new members of staff join the company. Details of the restrictions in place on the network are documented. Most of the application software used is not restricted to authorised individuals; however, some applications that are specific to a job function, for example cash management, pension administration, etc., are restricted to only those who have the associated privilege. User access is approved by line managers and actioned by the IT Technician or outsourced IT provider. (Access Control Process 9)
Audit testing: Reviewed the password policy and change control request process and ensured that users are periodically prompted to change their passwords.
No exceptions noted
Audit testing: Verified for a sample of new joiners and changes in roles that the line manager authorises the access rights of individual users before the outsourced IT provider or IT manager adds or amends an individual’s permissions.
No exceptions noted
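An added check, not part of the report or of Dalriada's or Novosco's own tooling, that an administrator or auditor could run to compare the domain's actual password settings with the control stated above (42-day expiry, minimum 15 characters, complexity enforced). It uses the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy; the expected values are taken from the control description, and the function and output layout are my own.

```powershell
# Added example: test the domain password policy against the stated control
# (passwords expire after 42 days, at least 15 characters, complexity required).
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Expected values, taken from the control description above (not from a live system).
$Expected = [ordered]@{
    MaxPasswordAge    = New-TimeSpan -Days 42
    MinPasswordLength = 15
    ComplexityEnabled = $true
}

function Test-PasswordPolicyAgainstControl {
    param(
        [Parameter(Mandatory)] $Policy,    # object from Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected,
        [string] $Scope = 'Default Domain Policy'
    )
    $findings = @()

    # A zero MaxPasswordAge means passwords never expire, which fails the 42-day control outright;
    # anything longer than 42 days also fails.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $Policy.MaxPasswordAge -gt $Expected.MaxPasswordAge) {
        $findings += "MaxPasswordAge is $($Policy.MaxPasswordAge) (control: at most $($Expected.MaxPasswordAge.Days) days)"
    }
    if ($Policy.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength) (control: at least $($Expected.MinPasswordLength))"
    }
    if ($Policy.ComplexityEnabled -ne $Expected.ComplexityEnabled) {
        $findings += "ComplexityEnabled is $($Policy.ComplexityEnabled) (control: $($Expected.ComplexityEnabled))"
    }

    [pscustomobject]@{
        Scope     = $Scope
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# 1. The default domain policy, which applies to every account not covered by a PSO.
$default = Get-ADDefaultDomainPasswordPolicy
Test-PasswordPolicyAgainstControl -Policy $default -Expected $Expected | Format-List

# 2. Fine-grained password policies (PSOs) override the default for the users and
#    groups they apply to, so a weaker PSO would undermine the control even when the
#    default policy passes. Report each one with the principals it applies to.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $scope = "PSO '$($_.Name)' (applies to: $($_.AppliesTo -join ', '))"
    Test-PasswordPolicyAgainstControl -Policy $_ -Expected $Expected -Scope $scope
} | Format-List
```

Any result with Compliant set to False lists the specific setting that departs from the control, which is the evidence an auditor would retain alongside the policy document itself.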
8. Providing integrity and resilience to the information processing environment, commensurate with the value of the information held, information processing performed and external threats.
Control procedure: Access to the administration system is controlled by Windows authentication or two factor authentication on the relevant web browser. Segregation of duties and rules are enforced by security profiles built into the administration system. Profiles are assigned to authorised individuals and aligned to their roles and responsibilities. Associated with each administrator is a security profile which determines the schemes to which they have access, the functionality they can access, the member records they can access, and whether they are permitted to amend data or view data only.
The audit trail facility records changes made to the data, including who made the changes and when, providing integrity and resilience to the information processing environment, commensurate with the value of the information held, information processing performed and external threats.
Audit testing: Confirmed that there is segregation of duties built into the roles of administrators and that only administrators have access to the administration database. Verified for examples during the period the existence of audit trails showing the changes made to data, by whom and when, and that SharePoint retains previous versions of the data.
No exceptions noted

Control procedure: All IT processing is carried out on laptops and desktop PCs in real time.
Audit testing: Verified that the pension administration system has built-in audit functionality and that all changes to data are recorded. Key stages of processing are evidenced on a log with staff sign-offs and date of processing.
No exceptions noted

Control procedure: OneShot and SecureShare are used as the electronic means of communication in the business. SecureShare is a bespoke platform for storing and transferring information. All communications are securely encrypted with industry standard encryption and the system uses two-factor authentication for an additional layer of security. The application has successfully passed a rigorous third party security audit and penetration test.
Any document that includes member specific information is sent to the recipient via our OneShot system, where possible.
Audit testing: Verified for a sample of external communications that data sent is password protected and peer reviewed before being sent and is followed up by a phone call to the recipient with the password.
No exceptions noted
Control procedure: All external access to the network is outsourced to ISO 27001 accredited IT experts Novosco Limited. Remote access set-up is authorised by the IT Technician and connections can only be made through Citrix Secure Desktop software. The company deploys a physical firewall (FortiGate) to control port access both in and out of the business. Firewalls are deployed at the perimeter of the network to protect the internal devices and also to control and protect outgoing traffic. All email traffic is routed by a third party, Mimecast, who filter out any email threats, i.e. viruses/spyware and inappropriate content. Inappropriate content also triggers a rules-based alerting system that keeps staff members aware of any trends requiring action. Trend Anti-Virus software is installed on all servers, desktops and laptops and is designed to keep users safe from viruses and other forms of online malicious threats.
The deployment of Trend, including updates, is centrally controlled and monitored by Novosco Limited.
Audit testing: Verified the existence of firewalls and anti-virus applications in place and confirmed protection is up to date. A third party company, IT Guarded, carried out IT security testing during the year. The administrator provided evidence that protection is up to date, showing us software automatically scanning and updating servers, desktops and laptops.
No exceptions noted
9. Maintaining and developing systems hardware and software
Control procedure: Our pension administration technologies have not required migration or modification of data in recent years. Any such process would follow our change management procedures as described in Maintaining and developing systems hardware and software.
For new scheme implementations please refer to Accepting clients.
For periodic and ad-hoc data loads please refer to Maintaining financial and other records.
Audit testing: Verified the existence of the Operational Change Control procedure. For a sample of projects that were undertaken during the period, for example the changeover to the off-site server, verified that the Operational Change Control procedure was followed.
No exceptions noted

Control procedure: Any changes to existing, or the implementation of new, infrastructure and systems follow the Operational Change Control process outlined in Operations Security (Process 12).
Changes are classified as follows:
Major Change
Minor Change
Audit testing: Verified the existence of the Operational Change Control procedure. For a sample of projects that were undertaken during the period verified that the Operational Change Control procedure was followed, with authorisation by the IT sub-committee or the Board depending on how material the project was.
No exceptions noted
Major Change examples include:
Server OS upgrade/security patch
Server hardware upgrade/replacement
Implementation of new software package
Changes to system or network security
Changes to web site functionality or additional modules
Project specific around infrastructure improvements
A major change will typically be a planned implementation and this will be discussed at Managed Service reviews with Novosco or ad hoc as required. When a major change is required, business impact is reviewed and formal sign-off and authorisation is required. (Operations Security Process 12)
Dalriada has also adopted an effective Information System Acquisition, Development, and Maintenance process (Process 14).

Control procedure: Controls are in place to ensure the installation and upgrading of operational software on each operating system. In addition, user profiles are employed to ensure that Novosco are the only authorised individuals that can perform installations or upgrades. Any maintenance is performed by authorised representatives from the corresponding software/support company and is pre-arranged. Notice is given to staff members of any downtime to the network that is required for the maintenance of software.
Any software upgrades are performed only if there is a requirement to do so, or suitably long enough after the release to ensure any bugs or vulnerabilities have been ironed out. If new software potentially introduces any element of risk, then the risk will be assessed and its advantages of functionality will be subject to continued monitoring and/or isolated. Windows updates are rolled out periodically to all computers on the network.
Development of systems is facilitated by an appropriate rollback strategy.
Audit testing: Reviewed the Information Security Aspects of Business Continuity Management process (Process 17) document and ensured that, for examples of changes or upgrades to operational software, there was evidence of risk assessment and authorisation prior to commencement.
No exceptions noted
Control procedure: The pension database team is responsible for data migration projects. A scheme installation checklist is completed which follows the key stages of the migration. Logs are maintained of all issues along with details of their resolution. The results of sample data checks and the reconciliation are reviewed by the pension database team manager to ensure procedures have been followed.
Audit testing: Verified for a sample of data migration projects that a checklist is maintained, risk assessment and mitigation of risks performed, data reconciled to source, sign-offs evidenced and an issue log completed with actions taken to close.
No exceptions noted
10. Recovering from processing interruptions
Control procedure: Dalriada works securely within a virtual environment. In the event of the failure of a server, functionality is temporarily transferred to other servers via automated dynamic resource allocation processes, minimising interruption to business operations. The IT infrastructure facilitates the continuation of business operations from any location in the event of multiple disaster scenarios.
Dalriada has engaged with Novosco on a Managed Service contract which covers the maintenance of equipment (hardware and software) which resides in the datacentre and in the secondary Disaster Recovery (“DR”) site.
As part of the Managed Service contract Novosco manage and maintain a DR solution which utilises two separate technologies to offer multiple recovery opportunities dependent on failure types.
Backup and Restore Technology
Veeam Backup and Replication technology is in use, a “virtual only” backup solution which runs on a daily basis and enables multiple restore options:
Full VM Restore
File Level Restore
Guest OS Level Restore
Veeam technology backs up to a disk based SAN VNX3200 target in the primary data centre. Both hardware and software provide local backup whilst at the same time providing a faster and more reliable recovery time in the event of a major incident.
Audit testing: Verified the use of Veeam Backup and for a sample ensured daily backups had been completed.
No exceptions noted
Veeam would most likely be used in a scenario where data corruption has occurred, with the solution resulting in a roll back to a previous backup. Backups consist of any changes to the system, files and folders. Veeam is a data deduplication technology, which significantly reduces backup windows by only storing unique daily changes while always maintaining daily full backups for immediate single step restore. Reports are delivered on a daily basis via email to IT staff as verification of all backup jobs. Pro-active reports are also received via email on a weekly and monthly basis on network and storage integrity.
All data is saved to a SAN with RAID disk systems (typically RAID 5), which significantly reduces the risk of loss of data through media failure.
Replication and Recovery Technology
Dalriada have invested in Zerto Replication technology, a VMware vSphere aware technology which enables automated data recovery, failover and failback of full or partial infrastructures dependent on the failure type and recovery need.
Zerto’s VMware Replication is enterprise class software which replaces traditional array based replication, therefore providing flexibility, scalability and ease of use without compromising any of the features and functionality required for protecting mission-critical production applications.
Zerto management servers are installed in both primary and secondary infrastructure locations. The virtual estate is divided into Virtual Protection Groups (“VPGs”) and these groups of virtual machines are replicated from the data centre to the DR site using a process of continuous data protection (“CDP”) or journaling.
In a primary infrastructure failure scenario, Novosco will use the Zerto recovery capability to recover all virtual machines into the DR infrastructure with Recovery Point Objectives (“RPO”) of under 60-120 seconds per server and Recovery Time Objectives (“RTO”) of under 3 hours for the entire virtual estate.
As part of the annual Managed Service Contract Novosco test the recovery to an isolated virtual network on a quarterly basis.
Control procedure: The Business Continuity Plan (“BCP”) details processes to enable recovery from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures and deliberate actions) and to minimise the impact of incidents to an acceptable level through a combination of preventive and recovery controls. The critical business processes and information security management requirements of the business (operations, Dalriada third party resourcing, information/data hard copy and facilities) have also been included.
The BCP provides a framework for responses to specific areas of vulnerability and threat in the event of incidents of catastrophic failure as well as other unforeseen events.
Our BCP Team is ultimately responsible for designing and maintaining the BCP, which is managed and implemented by the BCP Manager and a deputy. A command structure is in place to manage an incident. We have adopted the Gold/Silver command structure, as widely used elsewhere in contingency planning. This ensures an effective division of duty between command and control and operational recovery responsibilities. Key Dalriada third party resources are included in this command structure (Business Continuity Management Process (Process 17); Business Continuity Plan; Dalriada BCP Testing Schedule and results 2011 to 2015).
Hard copies of the BCP and supporting documents are held securely and confidentially off site by the BCP Manager and Gold team members.
The BCP and supporting documents for the Information Security Management System are in line with the ISO 27001 framework and guidelines taken from the BS 25999 Part 2 Business Continuity Management Standard.
All plans are based around recovery point, time and capacity objectives that have been agreed with the business.
Maintenance of the plans is controlled as part of the evaluation of each disaster recovery event.
Audit testing: Verified that there is a BCP in place. Gold and Silver team members changed during the period and the BCP was updated. There were no incidents during the period; however, a 48 hour test of the BCP was carried out.
No exceptions noted
Control procedure: Dalriada outsources the provision of IT services to Novosco Limited. Documented service level agreements are in place. Novosco operates a helpdesk and calls are logged and assigned unique reference numbers. The IT Technician can access the helpdesk logging system and monitors the progress of all calls raised. (Organisation of Information Security Process 6)
Dalriada works securely within a virtual environment. In the event of the failure of a server, functionality is temporarily transferred to other servers via automated dynamic resource allocation processes, minimising interruption to business operations. The IT infrastructure facilitates the continuation of business operations from any location in the event of multiple disaster scenarios.
As part of the Managed Service contract Novosco manage and maintain a DR solution which utilises two separate technologies to offer multiple recovery opportunities dependent on failure types.
Audit testing: Verified that a signed SLA is in place between Spence & Partners and Novosco Limited with an intercompany agreement between Spence & Partners and Dalriada to provide Dalriada with IT services. Reviewed a sample of daily and weekly backup reports and monthly helpdesk call logs.
No exceptions noted
11. Monitoring compliance
Dalriada outsources the provision of IT services to
Novosco Limited. Documented service level
agreements are in place, covered by appropriate
contracts and monitored by the directors. Regular
governance and service review meetings are held,
along with third-party audits conducted on a regular
basis. Dalriada also employs third-party penetration
testing and security experts, IT Guarded, to audit the
network infrastructure annually.
(Process 6 Organisation of Information Security and
Process 10 Cryptography)
Verified that quarterly governance and
service review meetings are held with
Novosco Limited by review of minutes of
meetings and that a signed SLA is in place
between Spence & Partners and Novosco
with an intercompany agreement between
Spence & Partners and Dalriada to provide
Dalriada with IT services.
No exceptions noted
A full list of Partners of RSM Northern Ireland is available at www.rsmni.uk
Registered to carry on audit work by the Institute of Chartered Accountants in Ireland. Authorised by the Institute of Chartered Accountants in Ireland (ICAI) to carry on investment business in Ireland. Chartered Accountants Ireland is the operating name of ICAI. RSM Northern Ireland is a member of the RSM network and trades as RSM. RSM is the trading name used by the members of the RSM network. Each member of the RSM network is an independent accounting and consulting firm which practices in its own right. The RSM network is not itself a separate legal entity in any jurisdiction.
The Directors
Dalriada Trustees Limited
Chamber of Commerce House
22 Great Victoria Street
Belfast
BT2 7BA
18th January 2016
Our ref: DAL1185/DSW/IM
To the Directors of Dalriada Trustees Limited
Engagement Letter for Reporting Accountants
Dear Sirs
The purpose of this letter is to set out the basis on which we act as reporting accountants of the company and the respective areas of responsibility of the directors and of ourselves.
1. Responsibilities of directors
The Directors of the above company to which our report is to be provided (‘the Organisation’) are and shall be responsible for the design, implementation and operation of control procedures that provide an adequate level of control over clients’ assets and related transactions. The Directors’ responsibilities are and shall include:
acceptance of responsibility for internal controls;
evaluation of the effectiveness of the service organisation’s control procedures using suitable criteria;
supporting their evaluation with sufficient evidence, including documentation; and
providing a written report (‘Directors’ Report’) of the effectiveness of the service organisation’s internal controls for the relevant financial period.
In drafting this report the Directors have regard to, as a minimum, the criteria specified within the Technical Release AAF 01/06 issued by the Institute of Chartered Accountants in England and Wales (‘the Institute’) but they may add to these to the extent that this is considered appropriate in order to meet clients’ expectations.
2. Responsibilities of reporting accountants
It is our responsibility to form an independent conclusion, based on the work carried out in relation to the control procedures of the Organisation’s administration, accounting and information technology functions carried out at the Belfast business unit of the Organisation as described in the Directors’ report and report this to the Directors.
3. Scope of the reporting accountants’ work
We conduct our work in accordance with the procedures set out in AAF 01/06 issued by the Institute. Our work will include enquiries of management, together with tests of certain specific control procedures which will be set out in an appendix to our report. In reaching our conclusion, the criteria against which the control procedures are to be evaluated are the internal control objectives developed for service organisations as set out within the AAF 01/06 issued by the Institute. Any work already performed in connection with this engagement before the date of this letter will also be governed by the terms and conditions of this letter. We may seek written representations from the Directors in relation to matters on which independent corroboration is not available. We shall seek confirmation from the Directors that any significant matters of which we should be aware have been brought to our attention.
4. Inherent limitations
The Directors acknowledge that control procedures designed to address specified control objectives are subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Such procedures cannot guarantee protection against fraudulent collusion especially on the part of those holding positions of authority or trust. Furthermore, the opinion set out in our report will be based on historical information and the projection of any information or conclusions in our report to any future periods will be inappropriate.
5. Use of our report
Our report will, subject to the permitted disclosures set out in this letter, be made solely for the use of the Directors of the Organisation, and solely for the purpose of reporting on the internal controls of the Organisation, in accordance with these terms of our engagement. Our work will be undertaken so that we might report to the Directors those matters that we have agreed to state to them in our report and for no other purpose. Our report will be issued on the basis that it must not be recited or referred to or disclosed, in whole or in part, in any other document or to any other party, without the express prior written permission of the reporting accountants. We permit the disclosure of our report, in full only, to customers of the Organisation using the Organisation’s pension trustee services (‘customers’), and to the auditors of such customers, to enable customers and their auditors to verify that a report by reporting accountants has been commissioned by the Directors of the Organisation and issued in connection with the internal controls of the Organisation without assuming or accepting any responsibility or liability to them on our part. To the fullest extent permitted by law, we do not and will not accept or assume responsibility to anyone other than the Directors as a body and the Organisation for our work, for our report or for the opinions we will have formed.
6. Liability provisions
We will perform the engagement with reasonable skill and care and acknowledge that we will be liable to the Directors as a body and the Organisation for losses, damages, costs or expenses (‘losses’) suffered by the Directors as a body and the Organisation as a result of our breach of contract, negligence, fraud or other deliberate breach of duty. Our liability shall be subject to the following provisions:
We will not be so liable if such losses are due to the provision of false, misleading or incomplete information or documentation or due to the acts or omissions of any person other than us, except where, on the basis of the enquiries normally undertaken by us within the scope set out in these terms of engagement, it would have been reasonable for us to discover such defects;
We accept liability without limit for the consequences of our own fraud or other deliberate breach of duty and for any other liability which it is not permitted by law to limit or exclude;
Subject to the previous provisions of this Liability paragraph, our total aggregate liability whether in contract, tort (including negligence) or otherwise, to the Directors as a body and the Organisation, arising from or in connection with the work which is the subject of these terms (including any addition or variation to the work), shall not exceed three times the relevant engagement fee.
To the fullest extent permitted by law, the Organisation agrees to indemnify and hold harmless RSM Northern Ireland and its partners and staff against all actions, proceedings and claims brought or threatened against RSM Northern Ireland or against any of its partners and staff by any persons other than the Directors as a body and the Organisation, and all loss, damage and expense (including legal expenses) relating thereto, where any such action, proceeding or claim in any way relates to or concerns or is connected with any of RSM Northern Ireland work under this engagement letter. The Directors as a body and the Organisation agree that they will not bring any claims or proceedings against any of our individual partners, members, directors or employees. This clause is intended to benefit such partners, members, directors and employees who may enforce this clause pursuant to the Contracts (Rights of Third Parties) Act 1999 (‘the Act’). Notwithstanding any benefits or rights conferred by this agreement on such partners, members, directors or employees by virtue of the Act, we and the Directors as a body may together agree in writing to vary or rescind the agreement set out in this letter without the consent of any such partners, members, directors or employees. This engagement is separate from, and unrelated to, our audit work on the financial statements of the Organisation for the purposes of the Companies Act 1985 (or its successor) or other legislation and nothing herein creates obligations or liabilities regarding our statutory audit work, which would not otherwise exist.
7. Quality of service
We aim to provide you with a fully satisfactory service and David Watters as engagement partner will seek to ensure that this is so. If, however, you are unable to deal with any difficulty through him and his team please contact David Gray. We undertake to look into any complaint carefully and promptly and to do all we can to explain the position to you. If we do not answer your complaint to your satisfaction you may of course take up the matter with the Institute of Chartered Accountants in Ireland by whom we are regulated for audit purposes.
8. Agreement of terms
We shall be grateful if you could confirm in writing your agreement to these terms by signing and returning the enclosed copy of this letter, or let us know if they are not in accordance with your understanding of our terms of engagement.
Yours faithfully
RSM
We agree to the terms of this letter and the additional terms and conditions
____________________________________________________________________________________
Signed for and on behalf of Dalriada Trustees Limited
Name: ______________________________________________
Position: ______________________________________________
Date: ______________________________________________
RSM Northern Ireland
STANDARD TERMS AND CONDITIONS OF BUSINESS
Standard T&C (NI)
These additional terms and conditions of engagement should be read together with the accompanying letter from RSM which identifies the engagement to which they relate (the engagement letter).
1. Applicable Law
These engagement documents, the schedule of services and our standard terms and conditions of business are governed by, and should be construed in accordance with Northern Ireland law. Each party agrees that the courts of Northern Ireland will have exclusive jurisdiction in relation to any claim, dispute or difference concerning this engagement letter and any matter arising from it. Each party irrevocably waives any right to object to any action being brought in those Courts, to claim that the action has been brought in an inappropriate forum, or to claim that those Courts do not have jurisdiction.
2. Our Responsibilities
We will provide the services described in our engagement letter (or such variations as may subsequently be agreed between us) with reasonable skill and care in accordance with the professional standards expected of us, and in a timely manner. The nature of any advice we provide will necessarily depend on the amount and accuracy of information provided to us and the time scale within which the advice is required. If general advice is required, the applicability of this will depend on the particular circumstances in which it is to be used by you (of which we might not be aware) and should be viewed accordingly. In relation to any particular transaction, specific advice should always be sought and all material information provided to us. If, at your request, we provide our advice in an abbreviated format (i.e. other than a full written report), you acknowledge that you may not receive all the information you would otherwise have done. Whilst our reports and advice may be a factor to be taken into account when deciding whether or not to proceed with a particular course of action, you remain responsible for any commercial decisions that you make, and regard must be had to the restrictions on the scope of our work and to the large number of other factors, commercial and otherwise, of which you and your other advisers are, or should be, aware by means other than our work.
3. Your Responsibilities
In relation to all our work for you it is the responsibility of Dalriada Trustees Limited staff to provide us with complete, accurate and timely information where we have requested this and to carry out any other obligations ascribed to Dalriada Trustees Limited. We will not be responsible for any consequences which may arise from any delay or failure by Dalriada Trustees Limited to do so, and these may also result in additional fees for which invoices will be raised.
4. Money Laundering
As with other professional services firms, we are required to identify our clients for the purposes of the UK anti-money laundering legislation. We may request from you, and retain, such information and documentation as we require for these purposes and/or make searches of appropriate databases. If we are not able to obtain satisfactory evidence of your identity within a reasonable time, there may be circumstances in which we are not able to proceed with the appointment. We have a duty under s330 of the Proceeds of Crime Act 2002 (“POCA”) to report to the Serious Organised Crime Agency (“SOCA”) if we know, or have reasonable cause to suspect, that you, or anyone connected with your business, are or have been involved in money laundering. Failure on our part to make a report where we have knowledge or reasonable grounds for suspicion would constitute a criminal offence.
The offence of money laundering is defined by s340(11) of the POCA and includes concealing, converting, using or possessing the benefits of any activity that constitutes a criminal offence in the UK. It also includes involvement in any arrangement that facilitates the acquisition, retention, use or control of such a benefit. This definition is very wide and would include such crimes as:
deliberate tax evasion (for example through deliberate understatement of income or stocks or overstatement of expenses);
deliberate failure to inform the tax authorities of known underpayments or excessive repayments;
fraudulent claiming of benefits or grants; or
obtaining a contract through bribery.
We are obliged by law to report any instances of money laundering to SOCA without your knowledge or consent. In fact we may commit the criminal offence of tipping off under s333 of the POCA if we were to inform you that a report had been made. In consequence, neither the firm’s principals nor staff may enter into any correspondence or discussions with you regarding such matters. We are not required to undertake work for the sole purpose of identifying suspicions of money laundering. We shall fulfil our obligations under the POCA in accordance with the guidance published by the Consultative Committee of Accountancy Bodies.
5. The Bribery Act 2010
We are subject to the Bribery Act 2010 and therefore prohibited from receiving or making any payment of money or anything of value, directly or indirectly, to any private individual or corporate body, any government official, political party, or candidate for political office for the purpose of obtaining or retaining business. We have a zero tolerance of bribery and corruption. This policy extends to all the firm’s business dealings and transactions in all the countries in which we operate. This policy is backed up by the existence of procedures that are proportionate to the risk of bribery faced by the firm. Procedures are monitored and revised as necessary to capture changes in law, reputation demands and changes in the business.
6. Client Money
We may, from time to time, hold money on your behalf. Such money will be held in trust in a client bank account, which is segregated from the firm’s funds. The account will be operated, and all funds dealt with, in accordance with the Clients’ Money Regulations of the Institute of Chartered Accountants in Ireland.
In order to avoid an excessive amount of administration, interest will only be paid to you where the amount of interest that would be earned on the balances held on your behalf in any calendar year exceeds £25. Any such interest would be calculated using the prevailing rate applied by the Bank of Ireland for small deposits subject to the minimum period of notice for withdrawals. Subject to any tax legislation, interest will be paid gross.
If the total sum of money held on your behalf exceeds £10,000 for a period of more than 30 days, or such sum is likely to be held for more than 30 days, then the money will be placed in a separate interest-bearing client bank account designated to you. All interest earned on such money will be paid to you. Subject to any tax legislation, interest will be paid gross.
7. Commissions and Other Benefits
In some circumstances we may receive commissions or other benefits for introductions to other professionals in respect of transactions which we arrange for you. Where this happens we will notify you in writing of the amount and terms of payment and receipt of any such commissions or benefits. We will not be liable to pay you any such commission paid to us but we may take it into account in determining our fee. The provisions of the preceding paragraph will not apply to any referrals within the RSM International network.
8. Confidentiality
Communication between us is confidential and we shall take all reasonable steps to keep confidential your information except where we are required to disclose it by law, regulatory bodies, our insurers or as part of an external peer review. Unless we are authorised by you to disclose information on your behalf this undertaking will apply during and after this engagement.
We reserve the right, for the purpose of promotional activity, training or for other business purpose, to mention that you are a client. As stated above we will not disclose any confidential information.
9. Investment Advice (Including Insurance Mediation Services)
Investment business is regulated under the Financial Services and Markets Act 2000. If, during the provision of professional services to you, you need advice on investments, including insurances, we may have to refer you to someone who is authorised by the Financial Services Authority or licensed by a designated Professional Body, as we are not.
10. Conflicts of Interest
We will inform you if we become aware of any conflict of interest in our relationship with you or in our relationship with you and another client, which, in our opinion cannot be managed. Where conflicts are identified which cannot be managed in a way that protects your interest then we regret that we will be unable to provide further services.
If there is a conflict of interest that is capable of being addressed successfully by the adoption of suitable safeguards to protect your interests then we will adopt those safeguards. We reserve the right to act for other clients whose interests are not the same as or are adverse to yours subject of course to the obligations of confidentiality referred to above.
11. Data Protection
In providing the Services to you or otherwise in connection with the Services, we may need to collect, hold and use information (e.g. contact details) about identifiable individuals (“Data Subjects”). We may also use such information as part of our client account opening and general administration process (e.g. in order to carry out anti-money laundering and conflict checks). Should your officers or employees enquire, please inform them that we may hold information relating to them for these purposes. In providing some of the Services to you we may be processing information about Data Subjects on your behalf and thus act as a “Data Processor” for the purposes of the Data Protection Act 1998. In these circumstances, we will (i) only process personal data in accordance with your lawful and reasonable instructions; and (ii) comply with security obligations equivalent to those imposed on you, as Data Controller, by the seventh principle of that Act.
The eighth data protection principle provides that personal data shall not be transferred to a country or territory outside the European Economic Area (“EEA”) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The firm may from time to time use cloud based data sharing, for example Drop Box, and cloud based accounting software where servers are located outside of the EEA. In accordance with ICO guidelines, RSM may transfer personal data outside the EEA, provided we:
conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects; or
if we do not find there is an adequate level of protection, put in place adequate safeguards to protect the rights of the data subjects, possibly using Model Contract Clauses or Binding Corporate Rules; or
consider using one of the other statutory exceptions to the Eighth Principle restriction on international transfers of personal data.
The Information Commissioner has approved the following sets of model contract clauses, which we would draw to your attention.
Set I controller to controller (2001): Commission Decision 2001/497/EC, dated 15 June 2001, in which the Commission approved model clauses for transfers from data controllers in the EEA to data controllers outside the EEA. Authorised by the Information Commissioner on 21st December 2001.
Set I controller to processor: Commission Decision 2002/16/EC, dated 27 December 2001, in which the Commission approved model clauses for transfers from data controllers in the EEA to data processors outside the EEA. Authorised by the Information Commissioner on 18th March 2003. (Note: this set is no longer available for new users but continues to have effect in relation to arrangements put in place prior to 15th May 2010.)
Set II controller to controller (2004): Commission Decision 2004/915/EC, dated 27 December 2004, in which the Commission approved an alternative set of model clauses for transfers from data controllers in the EEA to data controllers outside the EEA. Authorised by the Information Commissioner on 27th May 2005.
Set II controller to processor (2010): Commission Decision 2010/87/EU, dated 5th February 2010, in which the Commission approved a new set of model clauses for transfers from data controllers in the EEA to data processors outside the EEA, to replace the Set I controller to processor clauses. Authorised by the Information Commissioner on 17th May 2010.
By using these clauses in our terms and conditions, and in our subsequent contract with you, we will not have to make an assessment of the adequacy of protection afforded to your rights as the data subject in connection with our transfer of your personal data.
12. Disengagement
Should we resign or be requested to resign we will normally communicate with you in writing to ensure that our respective responsibilities are clear.
Should we have no contact with you for a period of 18 months or more we may write to your last known address and hence cease to act.
13. Electronic and Other Communication
Unless you instruct otherwise we may, where appropriate, communicate with you and with third parties via e-mail or other electronic means. The recipient is responsible for virus checking e-mails and any attachments. With electronic communication there is a risk of non-receipt, delayed receipt, inadvertent misdirection or interception by third parties. We use virus-scanning software to reduce the risk of viruses and similar damaging items being transmitted through e-mails or electronic storage devices. However electronic communication is not totally secure and we cannot be held responsible for damage or loss caused by viruses or by changes made to communications which are corrupted or altered after dispatch. Nor can we accept any liability for problems or accidental errors relating to this means of communication, especially in relation to commercially sensitive material. These are risks you must bear in return for greater efficiency and lower costs. If you do not wish to accept these risks please let us know and we will communicate by paper mail, other than where electronic submission is mandatory. Any communication by us with you sent through the post or fax system is deemed to arrive at your postal address two working days after the day that the document was sent. Unless specifically agreed, any communication sent by post within the United Kingdom will be sent Royal Mail standard second class. As this method of delivery is not totally secure or reliable, we cannot be held responsible for damage or loss caused after we have dispatched the item and it has entered the Royal Mail system.
14. External Review
As a firm of Registered Auditors, we are subject to external review by independent qualified accountants. In addition, we are subject to internal review under the quality assurance requirements of RSM International, of which we are a member firm. Accordingly our client files may be reviewed by an external inspector who will be subject to a confidentiality agreement.
15. Fees and Payment Terms
Our fees are computed on the basis of the time spent on your affairs by the partners and our staff and on the levels of skill and responsibility involved. Unless otherwise agreed, our fees will be billed at appropriate intervals during the course of each assignment and will be due on presentation.
If it is necessary to carry out work outside the responsibilities outlined in this letter it will involve additional fees. Accordingly we would like to point out that it is in your interests to ensure that your records etc., are completed to the agreed stage. If we provide you with an estimate of our fees for any specific work, then the estimate will not be contractually binding unless we explicitly state that that will be the case.
Where requested we may indicate a fixed fee for the provision of specific services or an indicative range of fees for a particular assignment. It is not our practice to identify fixed fees for more than a year ahead as such fees quoted need to be reviewed in the light of events. If it becomes apparent to us, due to unforeseen circumstances that a fee quote is inadequate, we reserve the right to notify you of a revised figure or range and seek your agreement thereto. In some cases, you may be entitled to assistance with your professional fees; particularly in relation to any investigation into your tax affairs by HMRC. Assistance may be provided through policies you hold or via membership of a professional or trade body. Other than where such insurance was arranged through us you will need to advise us of any such insurance cover that you have. You will remain liable for our fees regardless of whether all or part are liable to be paid by your insurers.
Invoices are payable in full before the accounts are signed and made available for filing. Our fees are exclusive of VAT which will be added where it is chargeable. Any disbursements we incur on your behalf and expenses incurred in the course of carrying out our work for you will be added to our invoices where appropriate.
Unless otherwise agreed to the contrary our fees do not include the costs of any third party, counsel or other professional fees.
It is our normal practice to issue interim fees when dealing with continuous or recurring work. The payment terms for interim fees are the same as for invoiced fees.
We reserve the right to charge interest on late paid invoices at the rate of 3% above bank base rates under the Late Payment of Commercial Debts (Interest) Act 1998. We also reserve the right to suspend our services or to cease to act for you on giving written notice if payment of any fees is unduly delayed. We intend to exercise these rights only where it is fair and reasonable to do so.
If you do not accept that an invoiced fee is fair and reasonable you must notify us in writing, within 21 days of receipt, failing which you will be deemed to have accepted that payment is due.
If a client company, trust or other entity is unable or unwilling to settle our fees we reserve the right to seek payment from the individual (or parent company) giving us instructions on behalf of the client and you agree that we shall be entitled to enforce any sums due against the Group Company or individual nominated to act for you.
In the event that we cease to act as your auditors, we reserve the right to recover the actual costs of providing access to the information we hold in respect of the audit work we have carried out to an eventual successor auditor.
16. Implementation
We will only assist with implementation of our advice if specifically instructed and agreed in writing.
17. Intellectual Property Rights
We will retain all copyright in any document prepared by us during the course of carrying out the engagement save where the law specifically provides otherwise.
18. Interpretation
If any provision of the engagement letter or these terms and conditions is held to be void, then that provision will be deemed not to form part of this contract.
In the event of any conflict between these terms of business and the engagement letter, the relevant provision in the engagement letter or schedules will take precedence.
19. Internal Disputes Within a Client
If we become aware of a dispute between two parties who own or are in some way involved in the ownership and management of the business, it should be noted that our client is the business and we would not provide information or services to one party without the express knowledge and permission of all parties. Unless otherwise agreed by all parties we will continue to supply information to the normal place of business for the attention of the directors. If conflicting advice, information or instructions are received from different directors/principals in the business we will refer the matter back to the board of directors/partnership and take no further action until the board/partnership has agreed the action to be taken.
20. Lien
Insofar as we are permitted to do so by law or professional guidelines, we reserve the right to exercise a lien over all funds, documents and records in our possession relating to all engagements for you until all outstanding fees and disbursements are paid in full.
21. Limitation of Liability
We will provide our services with reasonable care and skill. Our liability to you is limited to losses, damages, and expenses caused by our negligence or wilful default.
Exclusion of liability for loss caused by others
We will not be liable for losses, penalties, surcharges, interest or additional tax liabilities that are due to the acts or omissions of any other person, to the provision to us of incomplete, misleading or false information, to a failure to act on our advice, or to a failure to provide us with relevant information.
Exclusion of liability in relation to circumstance beyond our control
We will not be liable to you for any delay or failure to perform our obligations under this engagement letter if the delay or failure is caused by circumstances outside our reasonable control.
Exclusion of liability relating to the discovery of fraud etc
We will not be responsible or liable for any loss, damage or expenses incurred or sustained if information material to the service we are providing is withheld or concealed from us or misrepresented to us. This applies equally to fraudulent acts, misrepresentation or wilful default on the part of any party to the transaction and their directors, officers, employees, agents or advisers.
This exclusion shall not apply where such misrepresentation, withholding or concealment is or should (in carrying out the procedures which we have agreed to perform with reasonable care and skill) have been evident to us without further enquiry.
Indemnity for unauthorised disclosure
You agree to indemnify us and our agents in respect of any claim (including any claim for negligence) arising out of any unauthorised disclosure by you, or by any person for whom you are responsible, of our advice and opinions, whether in writing or otherwise. This indemnity will extend to the cost of defending any such claim, including payment at our usual rates for the time that we spend in defending it.
Limitation of aggregate liability
We will perform the engagement with reasonable skill and care. The total aggregate liability to the Partnership and the Partners, as a body, of whatever nature, whether in contract, tort or otherwise, of RSM Northern Ireland for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall not exceed three times the relevant engagement fee.
22. Limitation of Third Party Rights
The advice and information we provide to you as part of our service is for your sole use and not for any third party to whom you may communicate it unless we have expressly agreed in the engagement letter that a specified third party may rely on our work. We accept no responsibility to third parties, including any group company to whom the engagement letter is not addressed, for any advice, information or material produced as part of our work for you which you make available to them. A party to this agreement is the only person who has the right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.
23. Period of Engagement and Termination
The terms set out in this letter shall take effect immediately upon your countersigning this letter and returning it to us or upon the commencement of the audit, accounts or tax return for the previous period, whichever is the earlier.
Each of us may terminate this agreement by giving not less than 21 days' notice in writing to the other party, except where you fail to cooperate with us or we have reason to believe that you have provided us or HMRC with misleading information, in which case we may terminate this agreement immediately. Termination will be without prejudice to any rights that may have accrued to either of us prior to termination.
In the event of termination of this contract, we will endeavour to agree with you the arrangements for the completion of work in progress at that time, unless we are required for legal or regulatory reasons to cease work immediately. In that event, we shall not be required to carry out further work and shall not be responsible or liable for any consequences arising from termination.
24. Professional Rules and Statutory Obligations
We will observe and act in accordance with the bye-laws, regulations and ethical guidelines of the Institute of Chartered Accountants in Ireland and will accept instructions to act for you on this basis. In particular you give us the authority to correct errors made by HMRC where we become aware of them. We will not be liable for any loss, damage or cost arising from our compliance with statutory or regulatory obligations.
25. Reliance on Advice
We will endeavour to record all advice on important matters in writing. Advice given orally is not intended to be relied upon unless confirmed in writing. Therefore, if we provide oral advice (for example during the course of a meeting or a telephone conversation) and you wish to be able to rely on that advice, you must ask for the advice to be confirmed by us in writing.
26. Retention of Records
You have a legal responsibility to retain documents and records relevant to your tax and accounts affairs. During the course of our work we may collect information from you and others relevant to your affairs. We will return any original documents to you (if requested). Documents and records relevant to your affairs are required by law to be retained as follows:
Individuals, trustees and partnerships:
with trading or rental income: 5 years and 10 months after the end of the tax year;
otherwise: 22 months after the end of the tax year.
Companies:
6 years from the end of the accounting period.
Whilst certain documents may legally belong to you, we intend to destroy correspondence and other papers that we store which are more than seven years old, other than documents which we consider to be of continuing significance. If you require retention of any document you must notify us of that fact in writing.
27. Health and Safety
We acknowledge our statutory responsibility to co-operate with the Spence & Partners health and safety requirements, provided we are given notice of these. Whilst on the Spence & Partners premises our partners and staff shall be afforded by Spence & Partners the same protection for health and safety purposes as is due to its employees. If we are required by Spence & Partners to enter the premises of a third party it will procure that the third party also affords such protection to our partners and staff as is due to its employees.
28. Force Majeure Clause
No party to this agreement shall be held in any way responsible for any failure to fulfil its obligations under this Agreement if such failure has been caused (directly or indirectly) by circumstances beyond the control of the defaulting party. This shall include war, riot, acts of terrorism, industrial action, accident or equipment failure (except where such accident or equipment failure has been caused by the negligence of the defaulting party, its employees, sub-licensees, subcontractors, agencies or otherwise).
29. Our Staff
You undertake that during the course of this engagement and for a period of six months following its conclusion you will not:
a) solicit or entice away (or assist anyone else in soliciting or enticing away) any member of our professional staff with whom you have had dealings in connection with this engagement during the 12 months immediately prior to your approach; or
b) employ any such person or engage them in any way to provide services to you.
This undertaking shall not apply in respect of any member of our staff who responds to an advertisement placed by you or on your behalf without having been previously approached directly or indirectly by you. In the event of a breach of the terms of this undertaking, you will pay to RSM Northern Ireland, on demand, a sum equivalent to 50% of the total annual remuneration package paid by RSM Northern Ireland to the individual prior to his or her departure. You acknowledge that this provision is a fair and reasonable term intended to be a genuine assessment of the likely loss to us.