Assurance Report on Internal Controls (AAF 01/06) – Report 2017
Contents
1. Chief Executive’s Welcome 1
2. Report by directors of PS Administration Limited 3
3. Structure of the Punter Southall Group 4
4. PS Administration Limited business structure 5
5. Control environment 6
6. Assurance Report by the reporting accountants 13
7. Summary of control objectives and audit findings 15
8. Control procedures and reporting accountants’ tests 17
9. Prospective customer disclaimer letter 44
PS Administration Limited
Assurance Report on Internal Controls (AAF 01/06) – October 2017
1. Chief Executive’s Welcome
I am delighted to present this assurance report which describes the control
environment within which our pension administration services operate.
PS Administration Limited (PSAL) (a subsidiary of the Punter Southall Group) provides client focused
administration solutions for occupational pension schemes. Our 300 pension administration staff provide
the full range of services, to over 240 trust-based schemes covering some 360,000 members from offices
around the UK. In August 2017 we opened our eighth office in Perth, Scotland.
Our business has grown quickly in recent years, with revenues doubling from £9.4m in 2011 to £18.8m in
2016. This growth will continue as a result of a number of large new client wins during 2016 and 2017.
Administration is our core business and we put the member first by focusing on accuracy and the member
experience. The high quality, robustness and the consistency of our administration services is widely
recognised in the market: in March 2017 for the third time in 4 years we ranked first in Professional
Pensions’ survey of Third Party Administrators.
We continuously strive to find ways of improving the level of service delivered to our clients. Our
strategy has been to focus on ensuring the delivery of high quality administration services, combined
with a commercial proposition that represents value for money. Pension Administration has become
an increasingly complex occupation and whilst we have invested significantly in our technology and IT
infrastructure over the past 5 years, it is our belief that it is the quality of our people, and the impact they
have on the quality of interactions with pension scheme members, that represents our key differentiator.
In support of our requirement to manage a quality controlled administration business, we operate within a
governance structure which ensures the clear flow of information and the decision making processes. This
enables us to react swiftly to regulatory change and stay at the forefront of developments in the industry.
Annual audit 2016–17
The directors of PSAL, previously part of Punter Southall Limited, appointed BDO LLP in 2006 to audit the
operation of our procedures and controls in line with the AAF 01/06 requirements. This is the eleventh such
annual report that we have published and it covers the period 1 April 2016 to 31 March 2017. It provides
information and assurance to our clients and their auditors with regard to the controlled environment
within which we operate.
This report has been prepared in accordance with the framework for pension administration services set out in
the ‘Technical Release AAF 01/06 on assurance reports on the internal controls of service organisations made
available to third parties’ issued by the Institute of Chartered Accountants in England and Wales (ICAEW).
Our control procedures are described in section 8 of this report, together with the testing performed by our
external auditors, BDO.
At the time of the audit there were 57 documented operating controls in place relating to the services
provided by PSAL. Following their audit BDO noted only 1 exception during the period from 1 April 2016 to
31 March 2017. This exception identified that BDO were unable to obtain evidence that building access was
removed on a timely basis after an employee had left the business, although evidence was obtained that
system access was removed in a timely manner. We have reviewed BDO’s findings and have put in place
additional measures to ensure that this control is fully adhered to in the future.
For specific details relating to the exception noted by BDO and the remedial action taken please refer
to control 7.1a (ii) in Section 8. BDO have concluded that all other controls were suitably designed and
operating effectively throughout the audit period.
Richard Thomas
Chief Executive
PS Administration Limited
2. Report by directors of PS Administration Limited
As directors of PS Administration Limited (PSAL) we are responsible for the identification of control objectives relating to
the provision of pension administration services by PSAL and the design, implementation and operation of PSAL controls
to provide reasonable assurance that the control objectives are achieved.
In carrying out those responsibilities we have regard not only to the interests of clients but also to those of the owners of
the business and the general effectiveness and efficiency of the relevant operations.
The accompanying description has been prepared for clients who have used the pension administration services and
their auditors who have a sufficient understanding to consider the description, along with other information including
information about controls operated by clients themselves, when assessing the risks of material misstatements of clients’
financial statements.
We have evaluated the fairness of the description and the design suitability of PSAL controls having regard to the
International Standard on Assurance Engagements 3402 (ISAE 3402), issued by the International Auditing and Assurance
Standards Board, the Technical Release AAF 01/06 (AAF 01/06), issued by the Institute of Chartered Accountants in
England and Wales, and the control objectives for Pension Administration set out in AAF 01/06.
We confirm that:
a. The accompanying description at pages 5 to 12 and 15 to 43 fairly presents PS Administration Limited pension
administration services from 1 April 2016 to 31 March 2017. In addition to the control objectives specified in AAF
01/06, the criteria used in making this assertion were that the accompanying description:
i. Presents how the services were designed and implemented, including:
• The types of services provided and, as appropriate, the nature of transactions processed.
• The procedures, both automated and manual, by which client transactions were initiated, recorded and
processed; the accounting records and related data that was maintained, reported and corrected as necessary.
• The system which captured and addressed significant events and conditions, other than client transactions.
• The components of the information systems supporting the relevant transactions that protected the
confidentiality, integrity and availability of data.
• Other aspects of our control environment, risk assessment process, monitoring and information and
communication systems, were relevant to our control activities.
ii. Does not omit or distort information relevant to the scope of the services being described, while acknowledging
that the description is prepared to meet the common needs of a broad range of clients and their auditors and
may not, therefore, include every aspect of the services that each individual client may consider important in its
own particular environment.
b. The controls related to the control objectives stated in the accompanying description were suitably designed as at
1 April 2016. The criteria used in making this assertion were that:
i. The risks that threatened achievement of the control objectives stated in the description were identified.
ii. The identified controls would, if operated as described, provide reasonable assurance that those risks did not
prevent the stated control objectives from being achieved.
Richard Thomas
Chief Executive
October 2017
Signed on behalf of the PSAL Board of Directors
3. Structure of the Punter Southall Group
Punter Southall was established in 1988 by Jonathan Punter and Stuart Southall to provide actuarial and administration
services to UK pension schemes. The business was originally set up to introduce a fresh, competitive presence to a largely
static pension services market and primarily to put client service first. These guiding principles have not changed.
The Punter Southall Group (the Group) has grown significantly over the years and provides a range of financial services
including actuarial, consulting, administration, employee benefits consulting, covenant assessment, independent financial
advice and investment services for pension funds, corporates and individuals. The Group currently has around 900
employees and advises around 1,200 pension schemes, companies and organisations from a broad spectrum of UK
businesses, charities, unions and institutions.
The Group’s administration business, PSAL, increased revenues from £16m in 2015 to £18.8m in 2016, and continues to
be widely recognised in the market for its high quality, robustness and consistency. PSAL now provides administration
services to some 240 pension schemes with assets of over £32bn. Our client schemes range from 20 to 75,000 members,
and in total we serve over 360,000 members.
The Group comprises ‘sister’ subsidiaries, as shown in the following diagram, whose services complement and mutually
benefit the rest of the Group.
Independent pension scheme trustee services – www.psitl.com
Actuarial consulting – www.puntersouthall.com
Pensions administration services – www.psadmin.com
Corporate pensions advice and actuarial services in transactions – www.pstransactions.co.uk
Investment consulting – www.puntersouthall.com
DC defined contribution consulting, investment research and member communication services – www.psaspire.com
Protection, healthcare, wellness and online benefits for employers and consumers – www.pshp.co.uk
Independent financial advisers – www.psfm.com
Wealth managers – www.psigma.com
Investment information, reporting and analytics – www.camradata.com
Payment improvement and legal claim quantification services – www.puntersouthallanalytics.com
4. PS Administration Limited business structure
PSAL provides client focused administration solutions for occupational pension schemes. We provide the full range of pension administration services to over 240 trust-based schemes currently from 8 offices around the UK, within a structured and quality controlled environment. We seek to provide the highest levels of quality, and continuously strive to find ways of improving the level of service delivered to our clients.
In March 2017 we were ranked first in Professional Pensions’ survey of Third Party Administrators, for the third time in 4 years. Our team of around 300 pension administration staff provides services to a wide range of trust-based company pension schemes, including: defined benefit; defined contribution; career average revalued earnings (CARE) and hybrid schemes.
We use an individual scheme-based approach to administration, with one client team responsible for all aspects of our administration service. This ensures we focus on the needs of our clients and their scheme members, and that the quality controls we apply remain relevant and robust.
In support of our requirement to manage a quality controlled administration business we operate within a governance structure which ensures the clear flow of information and the decision making processes, as shown below. This enables us to react swiftly to regulatory change and stay at the forefront of developments in the industry.
Administration Operations Committee (AOC)
• Responsible for the delivery of high quality services
• Monitors resourcing levels and capacity planning
• Staff development – via Training & Study Sub-Committee
• Operational efficiency initiatives – via Efficiency Sub-Committee
• Monitors the delivery of agreed SLAs & agrees intervention actions
• Oversees continued compliance with legislation and regulation
Risk Management Committee (RMC)
• Oversees risk management framework, including strategic risk
• Sets audit framework, both internal and external audits
• Oversees legal and regulatory framework
• Monitors compliance with legislation, regulation and internal policies
• Works with AOC & EXCO to ensure risks / issues raised & addressed
Strategy Steering Group (SSG)
• Focus on delivery of the 5 year plan
• Strategic oversight
• Responsibility for the pricing of new business contracts
Team Leaders Group (TLG)
• Information exchange
• Delegated decision making
• Consistent approach to delivery
• Feedback to AOC
Deputy Team Leaders Group
• Information exchange
• Delegated decision making
• Consistent approach to delivery
• Feedback to TLG
Admin Services Group (ASG)
• Review and develop quality control framework
• Technical and process analysis of legislative change
• Maintains standard letters and process guidance
• Technical training framework
• Providing support to administration teams via the resolution of specific queries
• Issuing of technical guides, training & awareness to administration teams
Business Services Group (BSG)
• Development and support for business applications
• Management of new business transition projects
• Project support for client teams
• Management of internal business change projects
• Production of management reporting information
• Business interface with IT infrastructure
Client Management Team
• Manage the commercial relationships for Administration only clients
• Ensure the CMT framework is applied for Full Service Contracts where appropriate
• Work with the client teams to deliver shared objectives
• Provide consultancy advice where appropriate
• Liaise with ASG to deliver regulatory & legislative change
Administration Executive Committee (EXCO)
• Delivery of strategy, sets & monitors budgets & KPIs
• Approvals – resourcing decisions, all budget spending, changes to T&Cs
• Enforces continued compliance with legislation and regulation
• Agrees policy & considers response to risk & compliance issues
PSAL Administration Ltd Board
• Business governance
• Strategic review
5. Control environment
5.1 Risk Management
The Punter Southall Group operates a mature risk
management governance structure. A sub-committee of
the Board, the Group Risk Committee oversees the overall
business risk strategy. This Committee has implemented
a risk management framework and risk policy to be used
throughout the organisation. These, combined with an
effective oversight and governance structure, ensure that
the risks the Group face are identified in a timely manner
and are effectively managed.
Our Administration Risk Committee, chaired by the Chief
Executive of PSAL, identifies and monitors administration
related risks. The committee members have been drawn
from all departments within the administration business.
This committee meets regularly and reports back to the
Group Risk Committee via the Group Risk Manager. The
Administration Risk Committee is responsible for the
following areas relating to administration:
• Risk management and reporting
• Internal and external audits
• Internal control framework
• Fraud prevention
• Business continuity and disaster recovery
• Compliance with legislation
• Complaints and errors
• Data Protection and Information Security
• Training and development
• Contractual agreements.
5.2 Business Continuity
Business Continuity Management (BCM) is integral to the
risk management strategy of the Punter Southall Group.
The primary objective of our BCM programme is to ensure
that critical business functions and processes are prioritised
and can be recovered within predetermined timeframes
in response to a major operational disruption. This ensures
continuity of our core services and safeguards the interests
of all our stakeholders. Our programme is aligned to
ISO 22301 and industry good practice.
Each business in the Group has a Business Recovery Plan
that prioritises the recovery of its critical processes and
details the strategies and resources required
to do so. These plans are updated at least annually, or
sooner to reflect business change. They are accessible
in paper form, held securely off-site by key personnel,
as well as electronically via the Group’s network. If any
office is inaccessible for more than half a working day,
our displacement strategy ensures that critical functions
can either continue to work from a dedicated third party
work area recovery site, be displaced to another office or
work from home.
The Group operates out of two data centres: a Primary
production site and a geographically separate Disaster
Recovery (DR) data centre. Critical systems and data
are replicated from the primary site to the DR site,
ensuring that in the unlikely event that the primary site is
unavailable, these systems can rapidly be made available
from the DR site. The systems at both the primary and
DR site are monitored on a constant basis to ensure they
are operating as expected, with regular testing to ensure
the procedures required to switch to the DR site are
current and effective.
Business Recovery Plans are tested twice annually: once
focusing on the IT Disaster Recovery elements and once
focusing on a denial of access scenario impacting our
offices. This approach ensures that the plans and data
held within them are tested and validated on a regular
basis. All-staff rapid notification tests are also carried out
annually.
During the last 12 months we carried out two work area
recovery tests to test the Group displacement strategy
in a denial of access scenario. These tests confirmed that
our displacement strategy remains appropriate. In August
2017 the Group carried out IT Disaster Recovery testing,
covering the recovery of Business critical systems,
including for PSAL. A rolling programme of ongoing tests
is planned for 2017 / 2018.
5.3 Information Security
Punter Southall Group (the Group) believes that
Information Security is fundamental to the risk
management strategy of the Group and takes the
protection of our information assets and those of our
clients very seriously.
The Group Risk Management Committee (RMC) has
responsibility to the Board to ensure the Information
Security framework is in place across the Group and
working effectively. It is supported by the Information
Security Steering Committee (ISSC) which is responsible for
ensuring that the annual Information Security Programme
(agreed with the RMC) is delivered. The ISSC is also
responsible for ensuring that all Group IT systems and data
handling are secured in line with current legislation, industry
best practices and ISO27001 standards where appropriate.
The Group has deployed an Information Security
Management System (ISMS) based on ISO 27001:2013.
To support the ISMS there is a comprehensive suite of
Information Security policies which provide staff with
formal guidance on how we protect our information, along
with an Annual Information Security and Data Protection
Awareness training programme. The policies and the controls
documented within the suite are mandatory for all staff.
These policies are reviewed and updated at least annually
and are approved by the Group Board.
The Group’s controls and governance framework are
audited on a regular basis as part of the Group’s Internal
Audit Programme as well as the AAF 01/06 annual
reviews. These controls and the ISMS are aligned to the
ISO27001 standard, which has allowed the Group to gain
certification. PSAL extended the scope of its ISO27001:2013
accreditation to cover all of its clients and offices in
December 2016.
The Group has a range of technical controls in place to
protect its information assets, including next generation
firewalls, Security Information and Event Management
Software (SIEM) and an Intrusion Protection System
(IPS). The Group utilises Vulnerability Scanning Software
to regularly check for weaknesses within its systems and
applications. These scans are supported by additional
independent Penetration Tests that are carried out by
CHECK/CREST approved suppliers.
Information Security policies require that users must employ
a complex password to access the Group’s systems, with
users forced to change their passwords on a regular basis.
All Punter Southall Group computer systems are only
accessible by authorised individuals. All users who require
access to Punter Southall Group information systems are
assigned a set of unique credentials with access rights that
will only allow them access to the information they need
to carry out their job function. Access rights for users must
be authorised by line managers and specialised technical
privileges must be authorised by the IT Operations Manager.
Access to client databases is further segregated via security
groups and they are only accessible to those staff that work
on the particular client. This access is reviewed quarterly.
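The quarterly review described above, and the leaver control referred to under 7.1a(ii), both reduce to a reconciliation: every account in a client security group must belong to a current member of staff assigned to that client, and no leaver may retain any access once their leaving date has passed. The following is an added illustration, not code from PSAL or the Punter Southall Group; the HR roster, group names, building access list and one-day grace period are constructed assumptions, and it generalises the check to any access system by treating building access the same way as system access.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (assumed, not PSAL's records): an HR roster with
# each administrator's assigned client and leaving date (None = current),
# per-client database security groups, and the building access list.
ROSTER = {
    "alice":   {"client": "SchemeA", "left": None},
    "bob":     {"client": "SchemeB", "left": date(2016, 11, 4)},
    "carol":   {"client": "SchemeA", "left": None},
    "dave":    {"client": "SchemeB", "left": date(2017, 1, 20)},
    "erin":    {"client": "SchemeB", "left": None},
}

# Group naming convention "db-<client>" is an assumption for this example.
SECURITY_GROUPS = {
    "db-SchemeA": {"alice", "carol", "dave", "erin"},
    "db-SchemeB": {"bob", "svc-old"},
}

BUILDING_ACCESS = {"alice", "bob", "carol", "dave", "erin"}

GRACE_DAYS = 1  # assumed tolerance between leaving date and access removal


@dataclass(frozen=True)
class Finding:
    kind: str    # leaver_system_access | leaver_building_access | segregation_breach | unknown_account
    user: str
    detail: str


def client_of_group(group: str) -> str:
    """Map a security group name to the client it protects (assumed convention)."""
    return group.split("-", 1)[1]


def review_access(roster, groups, building, review_date, grace_days=GRACE_DAYS):
    """Reconcile access records against the HR roster and return all findings."""
    findings = []

    # Leaver control: once the grace period after the leaving date has passed,
    # the account must hold no system access and no building access.
    for user, rec in roster.items():
        left = rec["left"]
        if left is None or (review_date - left).days <= grace_days:
            continue
        for group, members in groups.items():
            if user in members:
                findings.append(Finding("leaver_system_access", user,
                                        f"still in {group}; left {left.isoformat()}"))
        if user in building:
            findings.append(Finding("leaver_building_access", user,
                                    f"building pass still active; left {left.isoformat()}"))

    # Segregation control: each group member must be a current member of staff
    # assigned to that client. Leavers were already reported above.
    for group, members in groups.items():
        client = client_of_group(group)
        for user in sorted(members):
            rec = roster.get(user)
            if rec is None:
                findings.append(Finding("unknown_account", user,
                                        f"member of {group} with no HR record"))
            elif rec["left"] is None and rec["client"] != client:
                findings.append(Finding("segregation_breach", user,
                                        f"in {group} but assigned to {rec['client']}"))
    return findings


def review_on(year, month, day):
    """Run the review over the constructed data as at a given date."""
    return review_access(ROSTER, SECURITY_GROUPS, BUILDING_ACCESS, date(year, month, day))


def summarise(findings):
    """Count findings by kind, which is what a review pack would report."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_on(2017, 3, 31):
        print(f"{f.kind:24} {f.user:10} {f.detail}")
```

Run as at 31 March 2017 (the end of the audit period) the review flags bob and dave for both residual system and building access, erin for membership of a group belonging to a client she is not assigned to, and the orphan account svc-old with no HR record. Run the day after bob left, nothing about him is reported yet, which is the point of the grace period: the control is "removed on a timely basis", not "removed instantly", so the threshold is the parameter to agree with the auditor.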
5.4 Third Party Management
The Group has a Third Party Management Policy in place to
ensure that all suppliers with physical or logical access to
information classified Private and Confidential by the Group
are effectively managed. The policy ensures the following:
• Third parties are reviewed prior to any access being
granted. Access is only allowed if they can demonstrate
they comply with the Group’s standards.
• Confidential information is protected when accessed,
handled by, or transmitted to third parties.
• There is a standardised approach to identifying,
communicating and managing risk introduced by
third parties.
• Information Security incidents associated with third party
access are identified and managed effectively.
5.5 Training and Development Programme
PSAL’s services encompass a variety of different disciplines
within the business. We offer full support to all our
employees wishing to sit professional qualifications within
their discipline. The majority of our administrators are either
studying for, or have attained, professional qualifications
established under the Pensions Management Institute.
Following the establishment of PSAL as a new entity
we applied for IIP Accreditation in August 2016 and
were awarded ‘Silver Status’. The Silver award requires
organisations to demonstrate evidence against 115
individual requirements (76 more requirements than those
needed to satisfy the conditions of the core IIP standard).
IIP is about training and developing staff to enable the
company to achieve its aims, visions, goals and strategy.
This benefits both the individual and the company, ensuring
that all employees are motivated and offered progressive
career paths.
We operate a half yearly appraisal system, focusing on
both personal and business development. This provides all
employees with the opportunity to discuss development
opportunities, agree training programmes and work towards
clear objectives.
The pension industry is subject to regular legislative
changes and, in order to continue providing a high quality
service to our clients, it is vital that all our employees are
able to react to these changes. Our dedicated technical
support teams, with representatives from each discipline,
keep abreast of these developments and provide our
employees with any training required.
In addition, all employees are required to participate in
our mandatory online training programme to ensure they
operate in accordance with legislative and Group standards.
This programme includes Awareness of Bribery and
Corruption, Anti-Money Laundering, Information Security
and Data Protection training.
We have a Study and Training Committee in place to help
develop and maintain the overall administration training
and study support framework, ensuring it meets the needs
of the business. This is achieved by developing sufficient
technical and procedural expertise to support our
quality structure and manage the risk of noncompliance
with legislation; developing IT skills to assist efficiency;
promoting and supporting the various professional
qualifications and assisting with the personal development
of our administration staff.
5.6 Compliance
Changes in pension legislation just keep on coming!
Our Administration Services Group (ASG) is a central
team that assesses the impact of legislative change
to identify any issues which impact on our clients
and administration processes. Any new compliance
requirements and process changes are communicated
via ‘Hands on Technical Updates’ backed up by face-to-
face discussions with our Administration Managers. ASG
also maintains a comprehensive intranet site which is
accessible to all administrators providing a reference
source for technical materials as well as procedural
guidance, standard letter templates and checklists. All of
this ensures compliant processes and a consistent quality
of administration.
5.7 Management Information
Our corporate governance structure includes an Executive
Committee and an Administration Operations Committee
(AOC) which meets on a monthly basis to analyse key
management information.
A management information pack is produced on a
monthly basis and is distributed to our management
group. It has been designed to capture management
information on all aspects of the administration business.
The statistics provided cover the following:
• Team, client and location performance against Service
Level Agreements
• The volumes of work experienced
• An age analysis for any work outstanding at the end of
the reporting period
• Analysis of accuracy (at the point of checking / peer
review)
• Control checks on critical DC processes such as investment
and lifestyling
• Financial and staffing information
• Client banking information
• Feedback from member questionnaires received
• A trend analysis covering the prior three and twelve
month periods
• An analysis of unresolved errors and complaints
recorded.
This provides both our Executive Committee and AOC
with a powerful reporting tool that is used to identify
any risks or issues, with a view to agreeing rectification
measures. There is regular interaction between AOC and
the Administration Risk Committee with representatives
from Operations and Risk on both committees.
5.8 Information and Communication
We regularly report back to our clients on our
performance against the agreed standards through an
administration report which is prepared for each trustee
meeting. This report includes details and commentary on
various aspects of the running of their scheme, including
the following:
• Financials, including contributions received and income
and expenditure
• Trustees’ discretions exercised during period
• Membership statistics
• Service level reports
• Compliance with legislation
• Member satisfaction questionnaires
• Developments / changes within PSAL.
This report has been specifically designed to assist the
trustees with meeting their governance requirements
in accordance with legislation and the Pensions
Regulator’s guidance.
5.9 Administration Technology
We are constantly evaluating and reviewing our
administration systems and infrastructure and have
introduced a number of significant improvements over
the past few years.
PenScope
The platform we use to support our administration service
is PenScope. This system was originally developed in-house
and in 2009 we entered into an outsourcing contract
with the pension software and transition management
company, ITM. Accordingly, ITM now own the rights to
PenScope and provide support and further development
to us under contract. We also own a minority shareholding
in ITM and the Chairman of PSAL, John Batting, sits on
their Board.
We have made, and continue to make, a significant
contribution in the development of the PenScope
administration system, to ensure that it represents leading
edge technology, and that it fully supports our focus on
quality, accuracy and efficiency.
The main features of PenScope are:
• It is designed based on extensive experience of final
salary, money purchase, hybrid, cash balance and CARE
schemes.
• It is a browser based application with a zero client install.
• The application database is run on the industry standard
MS SQL Server ensuring flexible access to the database
content.
• An MS .NET framework provides a centralised and well
managed calculation engine coded in the widely used
VBA.NET programming language.
• Web Services enabling integration routes for third party
products and our own member web-access offering.
Member web-access (MyPension.com)
Over the past year we have continued to roll out
MyPension.com to a number of our clients, which has
enabled them in turn to offer their members online access
to the member details we hold on our administration
system (PenScope). Trustee access to scheme membership
data is also supported via MyPension.com.
Over the last year we have also embarked on a redesign
of the platform with a focus on improved client
access, through the introduction of responsive design
technologies and greater self-service. Phased roll-out to
our clients is currently underway.
Some current features for defined benefit
schemes include:
• Access for active, deferred and pensioner members
to personal details.
• Members can view and amend contact and ‘expression
of wish’ details.
• Members can post enquiries directly to their
administration team with the enquiries falling directly
into our Business Process Management (BPM) system.
• Where calculations are automated on PenScope
members can perform online calculations and receive
immediate online quotations.
• Members can view their personal documents e.g. benefit
statements, leaver statements and e-payslips.
• Members can view scheme documents e.g. booklets
and forms.
• Client (pensions manager or trustee) access with ability
to search and view member records.
• Design (logos and colour scheme) can be tailored for a
small additional cost to match clients’ corporate branding.
In addition to the above, features for defined contribution
schemes include:
• Members can view their latest fund values.
• Request changes to their fund choices and contribution
rates.
• Access PS Planner to run pension projections.
• Multi-platform access including browsers, tablet and
smart phone.
Alfresco
Alfresco is our converged Electronic Content Management
(ECM) and Business Process Management (BPM) system
used to create efficient, connected processes that present
member and scheme documents to all our administration
teams in a single browser interface. By utilising its inbuilt
functionality we are able to better manage and audit our
administration processes as well as integrate with our
administration and reporting systems.
Some of our current highlights include:
• The integration of a Central Member Database
(CMDB). This is our master data source for client data
pulled from our various administration systems and is
used to accurately tag content with the most current,
relevant and accurate personal member data.
• Dynamic in flow check-list guiding administrators
through the process and ensuring benefits are accurate
and compliant.
• Integration with our reporting systems allowing us
to report historical and current work item status and
Service Level Agreement counters.
CashFac – Virtual Banking Technology
CashFac is virtual banking software introduced to
support our accounting and treasury services allowing
us to adopt full electronic banking and payment
functionality. CashFac links to our banking partners to
deliver up to date transactional information by 8am each
day. Thus we have removed the risks associated with
paper based cashiering processes and made significant
efficiency gains.
CashFac enables the following:
• Automated payments including BACS, CHAPS and
SWIFT.
• Consistent control of all cash management regardless
of bank.
• Automatic daily bank account reconciliation.
• Secure, distributed and tailored user access to scheme
bank accounts and cash analysis across multiple locations.
• Simultaneous payment and cash analysis in multiple
currencies.
• An online audit trail for all transactions and events.
• Tailored reporting based on business criteria.
• Automatic Transaction Matching and Allocation
suggests matches for receipts that lack reference data
for automated matching.
• Integration with Alfresco to allow one click retrieval of
supporting transaction documents.
Over 90% of our clients to whom we provide client banking
services have now moved over to CashFac, enabling greater
control and security on the service we provide.
NGA HR Payroll Software
All of our client payrolls are managed by our central
specialist pension payroll team who are based in our
Newcastle office.
The PS Enterprise application is a proven and
comprehensive system that has been engineered to
provide key users with all the flexibility and functionality
that they require to enable them to carry out their
day to day activities effectively and efficiently. It also
enables those users to utilise powerful analytical and
reporting tools to allow them to analyse and distribute
information in real time. PS Enterprise is scalable to
accommodate many thousands of employees/pensioners.
Robust security and comprehensive audit features
also ensure the integrity of the solution – all historical
information is available on-line at all times.
Currently we have integration in place that:
• Integrates payroll records added and amended within
our CMDB.
• Automates the New Starter processes by adding
retirements processed on PenScope automatically
to the Payroll.
• Automatically publishes pensioner payslips to our
member online web portal (MyPension.com).
Altus Investment Gateway (STP)
We have introduced the Altus Investment Gateway into
our technology framework to enable ‘Straight Through
Processing’ (STP) for both Defined Benefit and Defined
Contribution (DC) investments wherever possible. STP is
the end to end management of investment transactions,
utilising technology and automated system controls, to
minimise manual intervention and therefore to reduce risks.
With PenScope and the Altus Investment Gateway being
fully integrated, we can now load contribution files we
receive into the administration system, validate and
approve them, pass the details of the instruction into the
gateway and send an electronic instruction to the fund
managers (utilising the Via Nova standard).
This is confirmed as being received and correctly
formatted, in near real-time. When the deal is complete,
confirmation and prices are passed into the gateway
from the fund manager, and then back into PenScope to
complete the cycle, update member records and also to
update the fund/unit reconciliation (all within PenScope).
Profund Aviary
Profund Aviary is an innovative accounting solution
created specifically for occupational pension schemes
and third-party administrators. The system is designed
to turn data into management intelligence with
the minimum of time and effort through the use of
automation and the ‘Key Once’ philosophy. It was
purposely designed to meet the unique demands created
by members and investments, rather than suppliers and
income as in a conventional ledger. It is used by more
than 1,500 schemes, ranging in size and complexity, to
manage their pension scheme accounts.
Over the last year we have been phasing in the use of
Aviary Draft Accounts Reporting (ADAR), to enable better
automation of end of year scheme reporting.
PS Planner
Our multimedia DC projection tool offers the following
benefits for scheme members:
• Fully interactive modelling of DC pension projection,
consistent with our SMPI approach.
• The ability to see the effect of changing investment
strategy, contributions, retirement age, and pension
options.
• Full graphical reports that can be downloaded and
printed.
• The ability to access the tool from work or home.
Pensions Online Documents (POD)
The Punter Southall Group have developed a secure
online document storage facility that allows our clients
to store scheme documents and access them remotely
via the internet for viewing and/or printing. We currently
have a number of clients across the business who have
sites set up to access this facility.
It can also be used for posting papers for discussion (at
meetings and conference calls) and provides an excellent
archive of historic documents. This enables trustees to easily
access the most up to date version of documents, whilst
also being able to access historic documents if required.
Future Technology Developments
As with the enhancements listed above, future
developments will be evaluated on the basis of clear
business benefits, ranging from risk reduction for
ourselves and for our clients to the achievement of
greater efficiencies via the intelligent use of technology.
We will not step away from our fundamental belief that
quality administration requires quality people, and not
simply investment in technology.
Our systems development roadmap includes the
provision of an enhanced web proposition for clients.
The planned enhancements are:
• The replacement of PS Planner with a DC Modeller
embedded directly into MyPension.com enabling
direct member record data-feeds and scheme specific
customisation.
• Client (pensions manager or trustee) access to our
workflow system to view member casework in progress
and/or produce standard reports.
• The migration of our current payroll solution to the
NGAHR ResourceLink platform.
• The introduction of ePortal, a web facing service
allowing clients to securely post HR interface files
that will be applied to our Administration platform
in real-time.
5.10 Client Control Considerations
The control procedures at PSAL relating to pension
administration activities cover only a portion of the
overall internal control structure of each client account
(together termed ‘User Entities’). Each client must
evaluate the control procedures detailed below in
conjunction with the controls in existence at their
own organisation.
This paragraph highlights those control responsibilities
that PSAL believes should be present for each client and
has considered when developing the control procedures
described herein.
The controls described below are intended to address
only those controls surrounding the interface and
communication between each client and PSAL.
Accordingly, this list does not purport to be, and is not, a
complete listing of the controls which clients may need
to have in place.
• Instructions and information provided to PSAL are
in accordance with the provisions of the agreement
governing the account or other applicable agreements
between PSAL and the client.
• Timely written notification of changes to the client
account objectives, guidelines or provisions of the
governing agreement is made to PSAL.
• Timely review of reports provided by PSAL is
performed by the client and written notice is provided
of discrepancies, if any, with the client’s own records.
• Timely review of invoices for fees and written notice
of discrepancies, if any, with market values with
appropriate client records.
• Timely written notification of changes to individuals
authorised to instruct PSAL regarding activities on
behalf of the client, is made to PSAL.
6. Assurance report by the reporting accountants
Reporting accountants’ assurance report on internal controls of PS Administration Limited
To the directors of PS Administration Limited
Use of report
This report is made solely for the use of the directors, as a body, of PS Administration Limited, and solely for the purpose of reporting on the internal controls of PS Administration Limited, in accordance with the terms of our engagement letter dated 20 February 2017.
Our work has been undertaken so that we might report to the directors those matters that we have agreed to state to them in this report and for no other purpose. Our report must not be recited or referred to in whole or in part in any other document nor made available, copied or recited to any other party, in any circumstances, without our express prior written permission.
We permit the disclosure of this report, in full only, by the directors at their discretion to customers of PS Administration Limited and to the auditors of such customers, to enable customers and their auditors to verify that a report by reporting accountants has been commissioned by the directors of PS Administration Limited and issued in connection with the internal controls of PS Administration Limited, and without assuming or accepting any responsibility or liability to customers or their auditors on our part.
To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the directors as a body and PS Administration Limited for our work, for this report or for the conclusions we have formed.
Subject matter
This report covers solely the internal controls of PS Administration Limited as described in our report for the period 1 April 2016 to 31 March 2017. Internal controls are processes designed to provide reasonable assurance regarding the level of control over customers’ assets and related transactions achieved by PS Administration Limited in the provision of pension administration services by PS Administration Limited.
Respective responsibilities
The directors’ responsibilities and assertions are set out at page 3 of your report. Our responsibility is to form an independent conclusion, based on the work carried out in relation to the control procedures of PS Administration Limited’s pension administration function carried out at the offices of PS Administration Limited as described in the Report by Directors of PS Administration Limited and report this to the directors of PS Administration Limited.
Criteria and scope
We conducted our engagement in accordance with International Standard on Assurance Engagements (ISAE) 3000 and the Institute of Chartered Accountants in England and Wales Technical Release AAF 01/06.
The criteria against which the control procedures were evaluated are the internal control objectives developed for service organisations as set out within the Technical Release AAF 01/06 and identified by the directors as relevant control objectives relating to the level of control over customers’ assets and related transactions in the provision of pension administration services. Our work was based upon obtaining an understanding of the control procedures as described on pages 17 to 43 and evaluating PS Administration Limited’s assertions as described on page 3 in the same report to obtain reasonable assurance so as to form our conclusion. Our work also included tests of specific control procedures, to obtain evidence about their design and implementation in meeting the related control objectives. The nature, timing and extent of the tests we applied are detailed on pages 17 to 43.
Our tests are related to PS Administration Limited as a whole rather than performed to meet the needs of any particular customer.
55 Baker Street London W1U 7EU Telephone: +44 (0)20 7486 5888 Facsimile: +44 (0)20 7487 3686 DX 9025 West End W1 Website: www.bdo.co.uk
BDO LLP Chartered Accountants
Inherent limitations
PS Administration Limited’s control procedures are designed to address specified control objectives and are subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Such control procedures cannot guarantee protection against (amongst other things) fraudulent collusion especially on the part of those holding positions of authority or trust. Furthermore, our conclusion is based on historical information and the projection of any information or conclusions in the attached report to any future periods would be inappropriate.
Opinion
On page 30 of PS Administration Limited’s control, the description states ‘access cards/key fobs to Punter Southall Group buildings are provided as part of the induction process of a new employee. Upon an employee leaving the organisation, notifications are sent from HR to Building Services to notify them that access needs to be removed. Access cards to buildings are only granted upon notification from HR or the relevant business heads. Access for out of hours working must be authorised by management. Access is disabled within a timely manner of the employee leaving the company and is initiated by HR/Building services. Quarterly reviews are carried out by Building Services to ensure access is appropriate.’
An exception was noted because for one of the samples selected, we were unable to obtain evidence that physical access to the building was removed in a timely manner. We note however that for this leaver, the network and application access was deactivated in a timely manner, thereby restricting access to the PSAL systems.
In our opinion, except for the matters raised above, in all material respects, based on the criteria including specified control objectives described in the directors’ report on page 3:
(a) The description on pages 17 to 43 fairly presents the pension administration services that were designed and implemented throughout the period from 1 April 2016 to 31 March 2017;
(b) The controls related to the control objectives stated in the description on pages 17 to 43 were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls operated effectively throughout the period from 1 April 2016 to 31 March 2017;
(c) The controls that we tested were operating with sufficient effectiveness to provide reasonable assurance that the related control objectives stated in the description were achieved throughout the period 1 April 2016 to 31 March 2017.
Description of tests of controls
The specific controls tested and the nature, timing and results of those tests are detailed on pages 17 to 43.
BDO LLP Chartered Accountants
Date of Assurance Report: 13 October 2017
BDO LLP
7. Summary of control objectives and audit findings
Ref Control objectives Audit findings
1 Accepting clients
• Accounts are set up and administered in accordance with client agreements and
applicable regulations.
• Complete and authorised client agreements are operative prior to initiating
administration activity.
• Pension schemes taken on are properly established in the system in accordance
with the scheme rules and individual elections.
Audit findings: No exceptions noted
2 Authorising and processing transactions
• Contributions to defined contribution plans, defined benefit schemes, or both,
and transfers of members’ funds between investment options are processed
accurately and in a timely manner.
• Benefits payable and transfer values are calculated in accordance with scheme
rules and relevant legislation and are paid on a timely basis.
Audit findings: No exceptions noted
3 Maintaining financial and other records
• Member records consist of up to date and accurate information and are updated
and reconciled regularly.
• Contributions and benefit payments are completely and accurately recorded in
the proper period.
• Investment transactions, balances and related income are completely and
accurately recorded in the proper period.
• Scheme documents (deeds, policies, contracts, booklets etc) are complete, up to
date and securely held.
Audit findings: No exceptions noted
4 Safeguarding assets
• Member and scheme data is appropriately stored to ensure security and
protection from unauthorised use.
• Cash is safeguarded and payments are suitably authorised and controlled.
Audit findings: No exceptions noted
5 Monitoring compliance
• Contributions are received in accordance with scheme rules and relevant legislation.
• Services provided to pension schemes are in line with service level agreements.
• Transaction errors are rectified promptly and clients treated fairly.
Audit findings: No exceptions noted
6 Reporting to clients
• Periodic reports to participants and scheme sponsors are accurate and complete
and provided within required timescales.
• Sign off by actuarial / admin team confirming benefit statements are ready to go.
• Annual reports and accounts are prepared in accordance with applicable law
and regulations.
Audit findings: No exceptions noted
7 Information technology
7.1 Restricting access to systems and data
• Physical access to computer networks, equipment, storage media and program
documentation is restricted to authorised individuals.
• Logical access to computer systems, programs, master data, transaction data
and parameters, including access by administrators to applications, databases,
systems and networks, is restricted to authorised individuals via information
security tools and techniques.
• Segregation of incompatible duties is defined, implemented and enforced by
logical security controls in accordance with job roles.
Audit findings: * Exception noted
Physical access to the building: We were unable to obtain evidence that physical access to the building was removed for one leaver, from our sample of six leavers selected to test the physical access removal controls.
We note however that for this leaver, the network and application access was deactivated in a timely manner, thereby restricting access to the PSAL systems.
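The quarterly access review in 7.1 and the leaver exception above amount to a reconciliation between the HR leaver list and exports from the building-access and network systems: every leaver should show access removed within a tolerance of the leaving date, and a missing record is itself a finding. The following is an added example written for this page, not PSAL's or BDO's code; the record layouts, system names, one-day tolerance and the six sample leavers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Sequence, Tuple

# Every leaver must show removed access in each of these systems.
# System names are assumptions for this example.
EXPECTED_SYSTEMS = ("building", "network")


@dataclass(frozen=True)
class Leaver:
    employee_id: str
    leaving_date: date


@dataclass(frozen=True)
class AccessRecord:
    employee_id: str
    system: str                  # "building" (card/fob) or "network"
    active: bool                 # still enabled in the source system?
    disabled_on: Optional[date]  # date access was removed, if recorded


@dataclass(frozen=True)
class Finding:
    employee_id: str
    system: str
    issue: str        # "still active", "no removal evidence" or "removed late"
    days_overdue: int


def reconcile_leavers(leavers: Sequence[Leaver],
                      access_records: Sequence[AccessRecord],
                      review_date: date,
                      tolerance_days: int = 1) -> List[Finding]:
    """Flag each leaver whose access in an expected system is still active,
    has no removal evidence, or was removed after leaving date + tolerance."""
    by_key: Dict[Tuple[str, str], AccessRecord] = {
        (r.employee_id, r.system): r for r in access_records
    }
    findings: List[Finding] = []
    for leaver in leavers:
        deadline = leaver.leaving_date + timedelta(days=tolerance_days)
        overdue = (review_date - deadline).days
        for system in EXPECTED_SYSTEMS:
            rec = by_key.get((leaver.employee_id, system))
            if rec is None or (not rec.active and rec.disabled_on is None):
                # Nothing in the export proves removal: the auditor's finding.
                findings.append(Finding(leaver.employee_id, system,
                                        "no removal evidence", overdue))
            elif rec.active:
                findings.append(Finding(leaver.employee_id, system,
                                        "still active", overdue))
            elif rec.disabled_on > deadline:
                findings.append(Finding(leaver.employee_id, system,
                                        "removed late",
                                        (rec.disabled_on - deadline).days))
    return findings


# Constructed sample: six leavers, mirroring the audit sample size.
SAMPLE_LEAVERS = [
    Leaver("E101", date(2017, 1, 13)),
    Leaver("E102", date(2017, 1, 27)),
    Leaver("E103", date(2017, 2, 3)),
    Leaver("E104", date(2017, 2, 10)),
    Leaver("E105", date(2017, 2, 24)),
    Leaver("E106", date(2017, 3, 6)),
]

SAMPLE_ACCESS = [
    AccessRecord("E101", "building", False, date(2017, 1, 13)),
    AccessRecord("E101", "network", False, date(2017, 1, 13)),
    AccessRecord("E102", "building", False, date(2017, 1, 27)),
    AccessRecord("E102", "network", False, date(2017, 1, 27)),
    AccessRecord("E103", "building", False, date(2017, 2, 3)),
    AccessRecord("E103", "network", False, date(2017, 2, 3)),
    # E104: network disabled on time, but no building record at all.
    AccessRecord("E104", "network", False, date(2017, 2, 10)),
    AccessRecord("E105", "building", False, date(2017, 2, 24)),
    AccessRecord("E105", "network", False, date(2017, 2, 24)),
    # E106: badge removed three days after the one-day tolerance.
    AccessRecord("E106", "building", False, date(2017, 3, 10)),
    AccessRecord("E106", "network", False, date(2017, 3, 6)),
]


def run_sample() -> List[Finding]:
    """Run the quarter-end review over the constructed sample."""
    return reconcile_leavers(SAMPLE_LEAVERS, SAMPLE_ACCESS,
                             review_date=date(2017, 3, 31))
```

Run against real exports, the two findings on the sample (one missing building record, one late badge removal) are exactly the items a Building Services reviewer would need to chase with HR.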
7.2 Providing integrity and resilience to the information processing
environment, commensurate with the value of the information held,
information processing performed and external threats
• IT processing is authorised and scheduled appropriately and exceptions are
identified and resolved in a timely manner.
• Data transmissions between the service organisation and its counterparties are
complete, accurate, timely and secure.
• Appropriate measures are implemented to counter the threat from malicious
electronic attack (e.g. firewalls, anti-virus etc.).
• The physical IT equipment is maintained in a controlled environment.
Audit findings: No exceptions noted
7.3 Maintaining and developing systems hardware and software
• Development and implementation of new systems, applications and software,
and changes to existing systems, applications and software, are authorised,
tested, approved and implemented.
• Data migration or modification is authorised, tested and, once performed,
reconciled back to the source data.
Audit findings: No exceptions noted
7.4 Recovering from processing interruptions
• Data and systems are backed up regularly, retained offsite and regularly tested
for recoverability.
• IT hardware and software issues are monitored and resolved in a timely manner.
• Business and information systems recovery plans are documented, approved,
tested and maintained.
Audit findings: No exceptions noted
7.5 Monitoring compliance
• Outsourced activities are properly managed and monitored.
Audit findings: No exceptions noted
8. Control procedures and reporting accountants’ tests
1. Accepting clients
Accounts are set up and administered in accordance with client agreements and applicable regulations.
Control activity and description BDO test procedures
1.1 Process
Due diligence checks, including Anti Money
Laundering (AML) procedures are completed as part
of the initial client set up process. No appointment
is accepted until the process is completed.
An Anti-Money Laundering Verification form is
completed by the Client Manager and forwarded to
PS Administration Limited’s compliance department.
Control
PS Administration Limited’s compliance department
maintains a central database to record that
verification forms have been completed for all new
clients prior to the commencement of the contract.
BDO test procedures
We verified that PS Administration Limited’s
Compliance Department maintained a central
database to record that verification forms had
been completed for all new clients prior to the
commencement of the contract.
For the sample of new clients selected, verified
through the inspection of documentation that due
diligence checks, including AML procedures had been
completed as part of the initial client set up process.
No appointments were accepted until the process
had been completed.
No exceptions noted
1.2 Process
Following appointment, a ‘handover period’ is agreed
with a date when full administration will commence.
All scheme data and documentation is requested
from the current administrator. A standard data
request form is used to ensure that all relevant data
and information is requested.
Control
When information is received a basic check is
conducted by the Client Team or Business Services
Group (BSG) (where relevant) to ensure that the
correct information / data has been received.
Items received are checked off against the data
request form and the installation checklist by the
Client Team.
BDO test procedures
For a sample of new clients selected, verified
through the inspection of documentation that when
information is received, a check is conducted by the
Client Team or BSG (where relevant) to ensure that
the correct information / data had been received.
Verified through the inspection of documentation
that items received are checked off against the data
request form and the installation checklist by the
Client Team.
No exceptions noted
1.3 Process
Data received is verified, reviewed and loaded by the
supervisor.
Control
Once the supervisor / client lead is satisfied that
the data is complete and valid it is loaded on to the
relevant systems. Completion of the transfer of data
is evidenced by a formal sign off from the supervisor
/client lead.
The migration to the relevant systems is confirmed
by BSG once the system is released to live.
BDO test procedures
For a sample of clients selected, verified through
the inspection of documentation that once the
supervisor / client lead was satisfied that the data
was complete and valid, it is loaded on to the
relevant systems. Completion of the transfer of
data was evidenced by a formal sign off from the
supervisor / client lead.
Further verified through the inspection of
documentation that the migration to the relevant
systems was confirmed by BSG once the system is
released to live.
No exceptions noted
1.4 Process
DC records are set up to mirror totals held by the
previous administrator in accordance with individual
elections.
Controls
Totals are reconciled to the previous administrators’
totals for each investment fund, and individual
records spot-checked by the supervisor. Any
differences or anomalies are identified and corrective
action is taken as necessary.
BDO test procedures
For a selected sample, verified through the
inspection of documentation that the migration
totals were reconciled to the totals held by the
previous administrator and confirmed that where
differences or anomalies were identified, these
were investigated and corrected. The migration
reconciliation was signed off by the administrator
responsible and reviewed by their supervisor.
No exceptions noted
1.5 Process
The BSG Team (where involved) along with the
Client Team manage and monitor the client take
on process.
Progress of the implementation is reported on
according to the communication strategy agreed for
the project.
Control
Any issues identified during the process are resolved
with the previous administrator or the sponsoring
employer.
Once all stages have been completed the project is
closed off by the Project Manager or the Client Lead,
where appropriate.
BDO test procedures
For a sample of schemes selected, verified through
the inspection of documentation that any issues
identified during the process are resolved with the
previous administrator or the sponsoring employer.
Once all stages had been completed, the project was
closed off by the Project Manager or the Client Lead,
where appropriate.
No exceptions noted
1.6 Process
An application to set up a new scheme bank account
is completed by the administrator or cashier if
required by the terms and conditions agreed with
the client.
The application is signed by the trustees with a
mandate granting signing rights to authorised
signatories within PS Administration Limited.
Control
The cashier team will process payments in
accordance with the bank mandate which has
been authorised by the Trustees.
BDO test procedures
For a sample of clients selected, verified through the
inspection of documentation that the cashier team
processed payments in accordance with the bank
mandate which had been authorised by the Trustees.
No exceptions noted
Complete and authorised client agreements are operative prior to initiating administration activity.
1.7 Process
A tailored, client-specific administration agreement
which includes an administration and data
protection agreement is drawn up, reviewed and
amended as required.
Control
Work only commences once the appointment
documentation has been acknowledged by the
trustees in writing.
BDO test procedures
For a sample of new scheme clients selected,
verified through the inspection of documentation
that work only commences once the appointment
documentation has been acknowledged by the
trustees in writing.
No exceptions noted
Pension schemes taken on are properly established in the system in accordance with the scheme rules and individual elections.
1.8 Process
The client team define the calculation requirements
for the scheme and identify the automation
methodology to be used – PenScope, spreadsheet
functionality or manual calculations.
Appropriate sections are set up on PenScope to
reflect the scheme rules and individual elections.
Calculations are specified in accordance with the
scheme rules.
Where PenScope automation is selected, ITM Ltd
programmes the calculations.
Control
Calculations and automation methodology for each
section to be coded are identified by the client team
and signed off by the Client Lead. Approval for the
calculations to be programmed is authorised by the
Managing Director or such individuals who have
delegated authority.
Calculation specifications for each section to be
coded are created by the Client Team / BSG. These
specifications are then signed off by the Client Lead
or the Scheme Actuary (where specified by client).
A sample of calculations are manually recalculated
in accordance with the scheme rules and checked
by the supervisor to confirm that the results
match. ITM Ltd programmes the calculations to
the specifications and test cases provided. Once
the Client Team / BSG have completed testing and
resolved any issues with ITM Ltd, formal sign off is
required before the calculations are released.
Where manual or spreadsheet automation is to
be provided calculations are set up in accordance
with the calculation specifications and results are
tested against test cases provided. The calculation
methodology adopted is signed off by the Client
Lead or the Scheme Actuary (where specified by
client) before being released.
BDO test procedures
For a sample selected, verified through the
inspection of systems and documentation that the
client team defined the calculation requirements
of the scheme and identified the automation
methodology. Further, verified that appropriate
sections of PenScope were set-up, tested to verify
that they were operating in accordance with scheme
rules, and authorised by the appropriate parties prior
to go live.
For a sample of calculations, verified that manual
recalculations occurred and were checked by the
appropriate person to confirm that the results matched.
Verified through the inspection of documentation
that ITM Ltd had programmed the calculations and
that these had been tested and signed off before
implementation in the live environment.
For a sample of manual calculations, verified that
the calculations are set up in accordance with
the calculation specifications and the calculation
methodology was signed off by the appropriate person.
No exceptions noted
2. Authorising and Processing Transactions
Contributions to defined contribution plans, defined benefit schemes, or both, and transfers of members’ funds between investment options are processed accurately and in a timely manner.
Control activity and description BDO test procedures
2.1 Process
DC contributions are allocated in accordance with
members’ choices as advised on client monthly
schedules.
Investment instructions are sent to the investment
manager. The investment manager sends a
transaction note from which the system price is
updated.
Where schemes are set up to enable STP, investment
instructions are sent electronically to the Investment
Manager. Electronic success/failure confirmations
from the Investment Manager are automatically sent
back when processed. Updated unit holdings and
system prices are automatically received daily from
the Investment Manager.
Control
The total contribution amount allocated is
reconciled to the total on the client schedule by
an administrator and signed off by the supervisor.
System units are reconciled to manager units monthly
by an administrator and signed off by the supervisor.
Unallocated balances are reviewed and investigated
with remedial action being taken as necessary.
Straight Through Processing (STP) instructions are
checked and approved in the Altus Gateway by the
Checker or Checker Manager. The status of electronic
transactions is monitored by the administrator
and supervisor. An email alert is sent to the BSG if
system prices are not automatically updated and
corrective action is taken as necessary.
BDO test procedures
For a sample of schemes selected, verified through
the inspection of documentation that the total
amount allocated was reconciled to the total on the
client schedule by an administrator and signed off by
the supervisor.
Furthermore, verified through the inspection of
documentation that STP transactions were also
reviewed and approved in the Altus Gateway by
two separate people and the status of electronic
transactions was monitored by the administrator
and supervisor.
No exceptions noted
2.2 Process
Lifestyle switches are activated by the DC
admin system.
Instructions to disinvest and invest member and
lifestyle switches are sent to the investment managers.
Where schemes are set up to enable Straight
Through Processing (STP), investment instructions
are sent electronically to the investment manager.
Electronic success/failure confirmations from the
investment manager are automatically sent back
when processed.
Control
The relevant checklist is completed by an
administrator and signed off by the supervisor.
Lifestyling is triggered in accordance with the
lifestyling matrix.
System units for lifestyle switches are reconciled
to manager units by an administrator and signed
off. Any differences or anomalies are identified and
corrective action is taken as necessary.
STP instructions are checked and approved in the
Altus Gateway by the checker or checker manager.
The status of electronic transactions is monitored by
the administrator and supervisor.
BDO test procedures
For the sample of schemes selected, verified through
the inspection of documentation and enquiry that
lifestyle switches were activated by the DC admin
system. The lifestyle switches were executed in
accordance with the lifestyling matrix and a checklist
was signed off by the administrator and the approver.
System units for lifestyle switches were reconciled
to manager units by the administrator and signed
off with differences or anomalies investigated and
corrected if necessary.
For the sample of schemes selected, verified through
the inspection of documentation that the STP
instructions in the Altus Gateway were reviewed and
approved by the checker and checker manager.
No exceptions noted
2.3 Process
DB contributions are received from the client. A
cashflow forecast is completed by an administrator,
checked and signed off in accordance with the
specific procedure for each scheme by the supervisor.
Funds are invested/disinvested as per the cashflow
results.
Control
The cashflow forecast for investments is checked
and any errors are corrected before investment/
disinvestment.
Where subsequent changes are required to allow
for any cash movements between date of forecast
and actual investment/disinvestment, this must
be clearly authorised by the supervisor. Cashflow
reports are issued to clients where agreed.
BDO test procedures
For the sample of schemes selected, verified through
inspection of documentation that the cashflow
forecasts were completed by an administrator,
reviewed for accuracy and signed off by the
supervisor. We note that for a sample of one month
for a particular scheme, no cashflow forecast was
prepared as the disinvestment of funds for the
previous month had just been received and there
was no further change to any cash movement.
For the sample of schemes selected, verified through
the inspection of documentation that the cashflow
forecasts were reviewed for accuracy and any errors
were corrected before investment/disinvestment.
No exceptions noted
Benefits payable and transfer values are calculated in accordance with scheme rules and relevant legislation and are paid on a timely basis.
2.4 Process
Benefit calculations are either generated
automatically by the system (as programmed), or
manually by reference to the rules.
The workflow system ensures that each case is done
and independently checked.
Control
The process is checked by another administrator
using the electronic checklist on Alfresco to identify
any errors/omissions. Remedial action is then taken
where necessary.
The checklist ensures all necessary steps in the
process have been followed and completed before
the case can be authorised by an appropriate
individual.
For those processes where the workflow system is
in place, the system ensures that each process is
completed by an administrator and independently
checked by an authorised person. The process can
only be authorised once all of the required steps
have been completed.
Calculation details are only issued once the workflow
has been fully authorised. The authorised person will
also use the checklist to ensure that all stages have
been completed and are accurate.
BDO test procedures
For the sample of schemes selected, verified through
the inspection of documentation that calculations
were signed off by a preparer and a reviewer and
checklists were completed signifying that all actions
had been completed. Further, verified that the
approved calculation was accurately communicated
to members.
No exceptions noted
2.5 Process
As part of the payroll process an exceptions report
is printed for review by the supervisor. The report
highlights any starters, leavers or adjustments to
gross pay being processed that month.
Control
Payroll differences from one month to the next are
reconciled by a payroll administrator, checked and
signed off by an authorised person. Any discrepancies
are resolved before payment is made.
The payroll is approved by two authorised
signatories for transmission by the BACS bureau. A
monthly timetable is used to monitor the processing
of each scheme’s payroll. The timetable is monitored
and maintained by the payroll supervisor to ensure
the deadlines are met.
BDO test procedures
For a sample of schemes selected, verified through
the inspection of documentation and systems that
as part of the payroll process, an exception report
is produced and reviewed and payroll differences
are reconciled to the previous month, resolved and
approved by an authorised signatory.
For the sample of schemes selected, verified through
the inspection of documentation that payroll is
signed off by at least two individuals.
For the sample of schemes selected, verified through
the inspection of documentation that a monthly
timetable is maintained by a payroll supervisor to
monitor the processing of each scheme’s payroll.
No exceptions noted
3. Maintaining financial and other records
Member records consist of up to date and accurate information and are updated and reconciled regularly.
Control activity and description BDO test procedures
3.1 Process
Scheme data is amended on an ad-hoc basis.
Modifications to membership data are processed
in accordance with mail, telephone, fax or email
requests from members or scheme-authorised
personnel.
All requests received are logged onto the workflow
system to ensure all cases are actioned.
Control
For those processes where the workflow system is
in place, the system ensures that each process is
completed by an administrator and independently
checked by an authorised person. The process can
only be authorised once all of the required steps
have been completed. The authorised person reviews
the electronic checklist on Alfresco to ensure that all
necessary steps have been completed.
BDO test procedures
For a sample of amendments, verified through the
inspection of the system that a workflow existed in
Alfresco for scheme data amendments and each of the
sample amendments had a “maker” and a “checker”.
No exceptions noted
3.2 Process
Scheme data is kept up to date through periodic
(usually annual) data loads from the employer’s
payroll and HR data records.
Control
Renewal checks are conducted to highlight possible
errors such as significant changes in salary. These are
investigated and resolved by administrators prior to
data being loaded. Once queries have been resolved,
the data is uploaded to the relevant administration
database.
A year end checklist is prepared by an administrator
and signed off by the supervisor to confirm the
completeness and accuracy of the data loaded.
BDO test procedures
For a sample of schemes selected, verified through the
inspection of systems and documentation, that scheme
data was kept up to date through periodic data loads
from the employer’s payroll and HR data records.
For the sample of schemes selected, verified through
the inspection of systems and documentation that
a year-end checklist was used to manage the annual
data check process and had been completed and
authorised appropriately.
No exceptions noted
Contributions and benefit payments are completely and accurately recorded in the proper period.
Control activity and description BDO test procedures
3.3a Process
Contributions, receipts and payments are accounted
for in the nominal ledger by posting from the bank
statement or source documentation.
Control
All cash movements are recorded promptly and
reconciled to the bank each month by the cashier.
This is reviewed and signed off by the supervisor. Any
necessary amendments are made and authorised.
Uncashed cheques are monitored on a monthly basis
by the cashier and reviewed by the supervisor.
BDO test procedures
For a sample of schemes selected, verified through
the inspection of systems and documentation that
contributions, receipts and payments were accounted
for in the nominal ledger by posting from the bank
statement or source documentation.
For the sample of schemes selected, verified that cash
movements were reconciled to the bank statements and
subsequently signed off by the supervisor. These
reconciliations were also used to monitor uncashed
cheques.
No exceptions noted
3.3b Process
Accounting and administration records are reconciled
to one another annually by the accountant. This is
reviewed and signed off by the checker.
Control
Any discrepancies identified under the reconciliation
are corrected as necessary.
BDO test procedures
For the sample of schemes selected, obtained
supporting documentation and verified that
reconciliations are reviewed and signed off by
the checker. Any discrepancies noted are resolved
accordingly.
No exceptions noted
3.3c Process (IPS only)
Accounting and administration records are reconciled
to one another annually by the accountant.
This is reviewed and signed off by the supervisor.
Control
Any discrepancies identified under the reconciliation
are corrected as necessary.
BDO test procedures
For the sample of schemes selected, obtained
supporting documentation and verified that
reconciliations are reviewed and signed off by the
supervisor. Any discrepancies noted are resolved
accordingly.
No exceptions noted
Investment transactions, balances and related income are accurately recorded in the proper period.
Control activity and description BDO test procedures
3.4 Process
All movements between the scheme and
the investment managers are recorded by
the cashiering team.
Control
These transactions are reconciled at least annually
by accounts team.
BDO test procedures
For the sample of schemes selected, obtained a copy
of the reconciliations performed and the year-end
checklist and verified that accounts are reconciled at
least annually by the accounts team.
No exceptions noted
3.5 Process
All movements between the scheme and
the investment managers are recorded by
the cashiering team.
Control
Investment transactions are reconciled at least
annually by accounts team.
BDO test procedures
For the sample of schemes selected, inspected
supporting documentation and verified that client files
are held within network drives with restricted access.
No exceptions noted
4. Safeguarding assets
Member and scheme data is appropriately stored to ensure security and protection from unauthorised use.
Control activity and description BDO test procedures
4.1 Process
Physical access to buildings is restricted, ensuring
only authorised personnel or authorised visitors gain
access to work stations.
Member and scheme data is retained in a
combination of electronic media and paper files.
Control
All entries and exits have security locks and all staff
are issued access cards or key fobs.
All computer records and data held for members
are password protected and have restricted access
controls for authorised staff only.
Punter Southall Group have archived paper filing
off-site to a specialist organisation thereby ensuring
only current cases are required and retained within
the work area. Punter Southall Group also utilise
scanning of inbound and outbound mail using an
electronic document management system.
Where client agreement is in place member files are
scanned once the relevant process is completed and
paper files are securely destroyed.
BDO test procedures
For the sample selected, verified through observation
and inspection of documents that access cards to
PSG buildings were provided as part of the induction
process for a new employee.
Verified that they were only granted upon
notification from HR or relevant business heads and,
for out of hours access, by management.
For the sample selected, verified through the
inspection of documentation that a notification was
sent from HR to Building Services to notify them of
leavers whose access to the building needed to be
removed during that week.
Verified through the inspection of documentation that
a quarterly review was carried out by Building services.
For the sample of schemes selected, verified through
the inspection of systems that there is electronic
access security in place and confirmed that user
groups are used to appropriately restrict access to
scheme data and that all computer records and data
held for members are password protected and have
restricted access. Only authorised staff had access to
electronic files.
Verified through the inspection of documentation
that a contract between Punter Southall and third
party archiving specialists was in place, so that only
current cases that are required are kept within the
work area, and that these services had been used
during the period.
No exceptions noted
5. Monitoring compliance
Contributions are received in accordance with scheme rules and relevant legislation.
Control activity and description BDO test procedures
5.1 Process
The cashiering team record receipt of all
contributions received.
Control
Checks are run in accordance with the requirements
under the Pensions Act 1995 and trustee practice
for each scheme e.g. for most schemes the cashier
checks payments have been received by 12th of the
month, with a final check for the rest of the schemes
on 20th of the month.
Administrators are advised which contributions
are outstanding and follow up action is taken if
necessary by the administrator. The administrator
will pursue the employer for payment.
BDO test procedures
For a sample of schemes selected, verified through
the inspection of documentation that there were
reviews of the contributions received list to verify that
payments were made around the 12th of each month.
Verified through inspection of documentation that
there is a second and final review undertaken of the
contributions received list to confirm that payments
were made and this includes the follow up of
missing or late payments.
No exceptions noted
Cash is safeguarded and payments are suitably authorised and controlled.
4.2 Process
Cash movements are recorded on a daily basis.
Cheques received are logged upon receipt and
banked promptly by a member of the cashier team
unless subject to any query. Payment request forms
for cheques and BACS transfers are supplied by
the administrators to the cashiers team. Scheme
expenses are submitted to the cashier department
with a payment request form.
Control
Payment request forms are checked and authorised
by a supervisor. Payment instructions are signed
or authorised electronically by two authorised
signatories in accordance with the bank mandate.
The cashier checks against client specific limits and
authorised signatories shown on customised forms.
Where CashFac is in place, only authorised
signatories have the ability to sign electronically.
The cashier arranges the signature of cheques and
electronic transfers in accordance with the bank
mandate for each scheme. Payment of expenses is
approved only if the payment form is authorised
by a scheme officer or trustee or is within specific
agreed signing requirements for the relevant scheme.
BDO test procedures
For the sample of schemes selected, verified through
inspection of systems and documentation that cash
receipts were logged upon receipt in the scheme
cash book and banked promptly and that the details
matched the bank statements.
For the sample of scheme payments selected,
verified that payment request forms were filled
in by a member of the administration team,
authorised by a supervisor and payment instructions
were signed by authorised signatories after being
reviewed against client-specific limits and shown on
customised forms.
Verified that CashFac was used for the sample
selected and that only authorised signatories could
sign electronically. Where CashFac was not used,
obtained written confirmation that these were
manually completed. Payment of expenses was only
approved if the payment form was authorised by a
scheme officer or trustee unless it was within the
specific agreed signing requirements for the relevant
scheme.
No exceptions noted
Services provided to pension schemes are in line with service level agreements.
5.2 Process
Day to day work is logged on to the workflow
management system and logged off when completed.
Control
Deadlines are monitored by the administrators to
ensure they are met. Regular reports are produced
at both a team and management level in order to
ensure that standards are being maintained.
BDO test procedures
Verified through enquiry and observation that
day to day work was logged on to the workflow
management system and logged off when completed.
For a sample of schemes, verified through the
inspection of documentation that deadlines were
monitored by the administrators to confirm they
were met and that regular reports were produced at
both a team and management level in order that the
standards and requirements outlined for each scheme
were being maintained. Confirmed reports were
prepared and reviewed by separate individuals.
No exceptions noted
Transaction errors are rectified promptly and clients treated fairly.
5.3 Process
The administrator checks transactions to ensure that
they are in accordance with relevant instructions.
The administrator will ask the manager to rectify
any transaction issues in a timely manner. If an error
is discovered during the course of an audit this must
be raised with the manager.
Control
For DC schemes the PenScope reconciliation report
will highlight any issues. Once any issues have
been resolved, the reconciliation report is re-run by
the administrator and checked to ensure it agrees.
The admin Client Principal will ascertain whether
there has been any material loss to the client
and authorise payment if required. All errors or
complaints are recorded by the team leader on the
errors and complaints database.
BDO test procedures
For a sample of schemes selected, verified through the
inspection of documentation that the administrator
reviewed transactions to verify that they were in
accordance with relevant instructions. Any error
discovered during the course of an audit was raised
with the manager.
For a sample of schemes selected, verified through the
inspection of documentation that for DC schemes,
the PenScope reconciliation report highlighted any
issues and that once any issues had been resolved, the
reconciliation report was re-run by the administrator
and was reviewed to verify it agreed. Verified that there
were no differences in the reconciliations.
Verified through the inspection of documentation
and observation that all errors or complaints were
recorded by the team leader on the errors and
complaints database.
No exceptions noted
6. Reporting to clients
Periodic reports to participants and scheme sponsors are accurate and complete and provided within required timescales.
Control activity and description BDO test procedures
6.1 Process
Administration reports, which may include
membership movement analysis and reconciliations,
are produced on the basis and frequency agreed with
the scheme trustees.
Where requested by the trustees, quarterly
administration reports are produced and distributed
to scheme trustees.
Control
The administration reports are checked for
completeness and accuracy and peer reviewed
prior to being issued. Scheme annual events are
monitored on a regular basis by the administrator.
BDO test procedures
For the sample of schemes selected, verified through
the inspection of documentation that the reports
were checked for completeness and accuracy and
peer reviewed prior to being issued. Scheme annual
events were monitored on a regular basis by the
administrator.
No exceptions noted
6.2 Process
Benefit statements are produced annually from
data held on the administration system and are
despatched within timescales agreed with trustees.
Control
Checks are conducted in accordance with the benefit
statement procedure and signed off in line with the
benefit statement process.
BDO test procedures
For the sample of schemes selected, obtained and
reviewed supporting documentation and verified that
checklists were completed in accordance with the
benefit statement procedure policy.
No exceptions noted
Annual reports and accounts are prepared in accordance with applicable law and regulations.
Control activity and description BDO test procedures
6.3 Process
Annual report and accounts are prepared
in compliance with the latest Statement of
Recommended Practice (SORP) for pension schemes
based on a standard reporting format.
Control
The accountant updates the standard reporting
format to take into account any changes in legislation.
Annual accounts are prepared and then checked
by a checker prior to audit. Audited accounts once
approved are signed off by the trustees.
BDO test procedures
For the sample of clients selected, verified through
the inspection of documentation that the accountant
updates the standard reporting format to take into
account any changes in legislation. Annual accounts
are prepared and then checked by a checker prior to
audit. Audited accounts, once approved, are signed off
by the trustees.
No exceptions noted
6.4 Process
Deadlines for the finalisation and approval of audited
accounts are monitored by administrative and
accounting staff on a regular basis.
Control
A control sheet detailing progress and accounts
deadlines is monitored regularly by the accounts
manager and any necessary action is taken. The
report is circulated to the management group
monthly for information.
Where requirements are in place, a timetable is
agreed with the auditors detailing the key stages of
the audit.
BDO test procedures
For the sample of schemes selected, verified through
the inspection of documentation that a control
sheet detailing progress and accounts deadlines was
monitored regularly by the accounts manager and any
necessary action was taken. The report was circulated
to the management group monthly for information.
Where requirements are in place, a timetable was
agreed with the auditors detailing the key stages of
the audit.
No exceptions noted
Regulatory reports are made if necessary.
6.5 Process
Documented internal procedures are followed by
administrators who log all breaches in the breaches
log and notify relevant management.
Control
Reports of breaches are made as necessary under
a traffic light reporting system. The managers
will assess and refer where necessary to another
manager. All “amber” or “red” reports made to the
Regulator are copied to the admin risk committee
which monitors reports across the company.
BDO test procedures
Verified through the inspection of documentation
that reports were made as necessary under a traffic
light reporting system. The managers will assess
and refer where necessary to another manager. All
“amber” or “red” reports made to the Regulator are
copied to the admin risk committee which monitors
reports across the company.
No exceptions noted
7.1 Restricting access to systems and data
Physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals.
Control activity and description BDO test procedures
7.1a (i) Process
The Punter Southall Group operates its systems
out of dual high availability data centres in
geographically diverse locations. Access is approved
to a limited number of IT Operations staff only and
there are a number of physical and logical controls
in place to prevent unauthorised access.
Control
Keys and key codes are authorised by the ITS
Operations Manager and restricted to authorised
individuals. Authorised individuals can admit others
(e.g. engineers) but will continuously supervise them.
All office entrances and exits are locked and access
is by key cards/fobs issued to staff. Visitors have
restricted access, and must sign in.
BDO test procedures
Verified through the inspection of documentation that
PSG operates its systems out of dual high availability
data centres in geographically diverse locations.
Verified through the inspection of documentation that
no requests were made for access during the period.
Verified through observation and the inspection of
documentation that there were a number of physical
and logical controls in place to prevent unauthorised
access.
Verified through observation that authorised
individuals could admit others but would continuously
supervise them.
Verified through observation that all office entrances
and exits were locked and access was by key cards/
fobs issued to staff.
Verified through observation and the inspection of
documentation that visitors had restricted access and
must sign in.
No exceptions noted
7.1a (ii) Process
Access cards/key fobs to Punter Southall Group
buildings are provided as part of the induction
process of a new employee. Upon an employee
leaving the organisation, notifications are sent from
HR to Building Services to notify them that access
needs to be removed.
Quarterly reviews are carried out by Building
Services to ensure access is appropriate.
Control
Access cards to buildings are only granted upon
notification from HR or the relevant business heads.
Access for out of hours working must be authorised
by management.
Access is disabled in a timely manner after the
employee leaving the company and is initiated by
HR/Building Services.
BDO test procedures
For the sample selected, verified through observation
and inspection of documents that access cards to
PSG buildings were provided as part of the induction
process for a new employee. Verified that they were
only granted upon notification from HR or relevant
business heads and, for out of hours access, by
management.
For the sample selected, verified through the
inspection of documentation that a notification
was sent from HR to Building Services during that
week to notify them of leavers whose access to the
building needed to be removed.
Verified through the inspection of documentation that
a quarterly review was carried out by Building Services.
Exception noted*
* Exception noted:
We were unable to obtain evidence that physical access to the building was removed for one leaver, from
our sample of six leavers selected to test the physical access removal controls.
We note however, that for this leaver, the network and application access was deactivated in a timely
manner, thereby restricting access to the PSAL systems.
7.1a (iii) Process
Laptops are encrypted and configured to have
password protections on boot before issue. Portable
media ports are disabled on thin clients. All laptops
and desktops are configured to enforce encryption
on any portable media device inserted.
Control
Quarterly reports on all laptops docked to the
network are run to identify those staff who have been
provided with local administration permissions, and
the results are reviewed by the Group IT Operations
Manager and authorised by a Senior Consultant.
Exceptions are reported to a PS Administration
Limited Director.
BDO test procedures
Verified through the inspection of documentation
and system settings that laptops were encrypted and
configured to have password protections on boot.
Verified through the inspection of documentation
and system settings that portable media ports were
disabled on thin clients.
Verified through the inspection of documentation
and system settings that all laptops and desktops
were configured to enforce encryption on any
portable media devices inserted.
For the sample of quarters selected, verified through
the inspection of documentation that quarterly
reports were run on all laptops docked to the network
to identify those staff that had been provided with
local administration permissions and that the results
were reviewed by the Group IT Operations Manager
and authorised by a Senior Consultant.
No exceptions noted
7.1a (iv) Process
Application documentation is either stored
electronically under password control or if temporarily
in paper form it remains under the control of the
individual until they destroy the paper copy.
A clear desk policy is in place throughout the Group
to ensure that documentation is securely protected
and all paper files are secured away at night.
Control
Electronic files are held in secure areas and
appropriate system restrictions exist.
The application owner checks annually that key
programme documentation is being kept up to
date and is held securely.
BDO test procedures
Verified through the inspection of documentation
and observation that application documentation was
either stored electronically under password control
or if temporarily in paper form, it remained under
the control of the individual until they destroyed the
paper copy.
Verified through the inspection of documentation
that electronic files were held in secure areas and
appropriate system restrictions existed.
Verified through the inspection of documentation
that the application owner checks annually that key
programme documentation was being kept up to
date and was held securely.
Verified through observation that a clear desk policy
was in place and all paper files were secured away
at night.
No exceptions noted
7.1a (v) Process
System Documentation is either stored electronically
under password control or if temporarily in paper
form it remains under the control of the individual
until they destroy the paper copy.
Control
The IT Security Analyst checks annually that key
programme documentation is being kept up to date
and stored following ITIL and PRINCE2 guidelines as
appropriate to PSAL systems and that only domain
users with appropriate permissions can access them.
BDO test procedures
Verified through the inspection of documentation
and system settings that system documentation was
stored electronically under access control lists.
Verified through the inspection of documentation
that the IS Security Analyst checked annually that
key programme documentation was kept up to date
and stored following ITIL and PRINCE2 guidelines as
appropriate to PSAL systems and that only domain
users with appropriate access permissions could
access them.
No exceptions noted
Logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.
Control activity and description BDO test procedures
7.1b Process
All access to computer equipment and systems is
protected by alpha numeric passwords. Passwords
are changed on a regular basis and only issued to
authorised personnel.
Any systems which do not have local password
controls are protected by additional means, for
example, group based permissions on application
servers or digital certificate authentication, thereby
preventing access without first logging on to the
password controlled network.
Control
The domain security policy requires and enforces
that passwords must be ‘complex’, a minimum
of 8 characters and cannot be reused (last 24 are
recorded). In addition, access to network data is
strictly controlled through NTFS permissions and
Windows security group PSAL.
Files can only be created on the NTFS file system,
and the system is configured so that appropriate
administration team group based permissions are
always inherited when new files are created.
All users get remote access granted automatically
when they first join as part of the New Joiner
procedure recorded by Service Desk. What they
have access to, is controlled by the RDS access
security group PSAL in Active Directory (AD). Logs
of (a) which users have been added into the AD
group PSAL and (b) which users have actually
accessed in a given period, are reviewed by the
Group IT Operations Manager and authorised by a
Senior Consultant. Exceptions are reported to a PS
Administration Limited Director.
Verified through the inspection of documentation
that all access to computer equipment and systems
was protected by alpha numeric passwords.
Passwords were changed on a regular basis and only
issued to authorised personnel.
Verified through the inspection of documentation
that any systems which did not have local password
controls were protected by additional means, for
example, group based permissions on application
servers or digital certificate authentication, thereby
preventing access without first logging on to the
password controlled network.
Verified through the inspection of documentation
that the domain security policy required and
enforced that passwords must be ‘complex’, a
minimum of 8 characters and cannot be reused (last
24 are recorded). In addition, access to network data
was strictly controlled through NTFS permissions
and Windows security group PSAL.
Verified through the inspection of documentation that
files could only be created on the NTFS file system,
and the system was configured so that appropriate
administration team group based permissions were
inherited when new files were created.
Verified through the inspection of documentation
that all remote access was controlled by the RDS
access security group PSAL in Active Directory (AD).
Verified that logs of (a) which users had been added
into the AD group PSAL and (b) which users had
actually accessed in a given period, were reviewed by
the Group IT Operations Manager and authorised by
a Senior Consultant.
Quarterly reviews of access to the following key
administration applications are completed by the
client lead. Any access changes required to the
following systems are made directly by client lead
(where possible) or via a service desk request:
• PS Admin Database (IPS Only)
• Northgate PS Enterprise
• Profund Aviary
• Bottomline
• CashFac
Additional security is provided by the DELL Intrusion
Protection System which monitors activity within the
Group's network and actively prevents behaviours that
match the signatures of known attacks or look unusual.
Noted that exceptions were reported to a PS
Administration Limited Director.
Verified through the inspection of documentation that
quarterly reviews of access to the key administration
applications were completed by the client lead. Any
access changes required were made directly by client
lead (where possible) or via a service desk request.
Verified through the inspection of documentation
that additional security was provided by the DELL
Intrusion Protection System which monitored activity
within the Group's network and actively prevented
behaviours that matched the signatures of known
attacks or looked unusual.
No exceptions noted
Segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles.
7.1c Process
All staff have clearly defined roles and responsibilities
which are set by the department manager.
Control
Access to different applications is restricted as
appropriate to the job role.
Where access to an application is required, a formal
request must be made via the Service Desk which
will then seek a supervisor’s approval. Subject to an
application’s security model, application privilege
levels may be set within an application, by end users
with supervisory roles, or via formal requests to
ITS / BSG.
Verified through the inspection of documentation that
all staff had clearly defined roles and responsibilities
which were set by the department manager.
Verified through the inspection of documentation
that access to different applications was restricted
as appropriate to the job role.
Verified through the inspection of documentation
that where access to an application was required, a
formal request was made via the Service Desk which
would then seek a supervisor’s approval. Subject to
an application’s security model, application privilege
levels were set within an application, by end users
with supervisory roles, or via formal requests to
ITS / BSG.
No exceptions noted
7.2 Providing integrity and resilience to the information processing environment, commensurate with the value of the information held, information processing performed and external threats.
IT processing is authorised and scheduled appropriately and exceptions are identified and resolved in a timely manner
Control activity and description BDO test procedures
7.2a (i) Process
Data transmission of financial data such as payroll
uses secure encryption algorithms.
Control
Bottomline software encrypts BACS transmissions.
Payroll data which is sent externally for international
payments is sent via a secure website.
Verified through the inspection of documentation
that data transmission of financial data such as
payroll, used secure encryption algorithms.
Verified through the inspection of documentation that
Bottomline software encrypts BACS transmissions and
payroll data was sent via a secure website.
No exceptions noted
7.2a (ii) Process
Core systems have documented operating
procedures.
Control
Documentation relating to PSAL specific applications
is reviewed annually to ensure they remain up
to date. Application documentation is reviewed
following each release of PSAL’s internally
developed applications.
Key processing is logged on all our critical
applications (PSAL Database (IPS Only), PenScope,
Filenet/Alfresco, Northgate PS Enterprise, Profund
Aviary, CashFac and Bottomline) via a built-in audit
trail and is available for review in the event of
any incidents.
Verified through the inspection of documentation that
core systems had documented operating procedures.
Verified through the inspection of documentation
that documentation related to PSAL specific
applications was reviewed annually to ensure it
remained up to date. Application documentation was
reviewed following each release of PSAL's internally
developed applications.
Verified through the inspection of documentation
that key processing was logged on all PSAL's critical
applications (PSAL Database (IPS Only), PenScope,
Northgate PS Enterprise, Profund Aviary, CashFac and
Bottomline) via a built-in audit trail and was available
for review in the event of any incidents.
We noted through enquiry that there is no built-in
audit logging for the Alfresco system, but selective
logging does occur.
No exceptions noted
7.2a (iii) Process
The monitoring of scheduled data downloads from
the Altus Investment Gateway web service via the
Windows Service (PenScope) on the PenScope
application server.
Control
In the event of a scheduled download failing,
automated alerts are sent to BSG, IT or Service Desk
ticketing system to ensure timely resolution.
Verified through the inspection of documentation
that scheduled data downloads were monitored to
verify they had been successful.
Verified through the inspection of documentation
that in the event of a scheduled download failing,
automated alerts were sent to IT or PSAL's Service
Desk ticketing system to ensure timely resolution.
No exceptions noted
Data transmissions between the service organisation and its counterparties are complete, accurate, timely and secure.
Control activity and description BDO test procedures
7.2b (i) Process
Data transmission of payroll financial data uses
secure encryption algorithms. Only authorised
personnel can handle financially sensitive data with
permissions set on a scheme by scheme basis.
Control
BACS Bureau facilities are used to process and transmit
payments facilitated through Hardware Security
Module issued by the bank sponsoring the payroll
bureau. Authorisation of payments is made using a
passcode which is only known to authorised employees.
BACS transmissions may only be submitted once
there has been dual approval with an independent
member of payroll verifying the information that has
been previously entered.
A triennial review of BACS Bureau Service is carried
out by BACS to ensure that service complies with
the recommended standards.
Verified through the inspection of documentation
that data transmission of payroll financial data
used secure encryption algorithms. Only authorised
personnel could handle financially sensitive data
with permissions set on a scheme by scheme basis.
Verified through the inspection of documentation
that BACS Bureau facilities were used to process
and transmit payments facilitated through Hardware
Security Module issued by the bank sponsoring
the payroll bureau. Authorisation of payments was
made using a passcode which was only known to
authorised employees.
Verified through the inspection of documentation
that BACS transmissions could only be submitted
once there had been dual approval with an
independent member of payroll verifying the
information that had been previously entered.
Verified through the inspection of documentation
that a triennial review of PSAL's BACS Bureau Service
was carried out by BACS to verify that their service
complied with the recommended standards.
No exceptions noted
7.2b (ii) Process
Transmissions of data to and from clients are made
via a secure website facility.
Control
Access to the facility is made using individual logon
accounts with complex passwords of 8 characters.
Email alerts are generated when any data is
uploaded to the site.
Verified through the inspection of documentation and
observation that transmissions of data to and from
clients were made via a secure website facility.
Verified through the inspection of documentation that
access to the facility was made using individual logon
accounts with complex passwords of 8 characters and
that email alerts were generated when any data was
uploaded to the site.
No exceptions noted
Appropriate measures are implemented to counter the threat from malicious electronic attack (e.g. firewalls, anti-virus etc.)
Control activity and description BDO test procedures
7.2c Process
All external access to the network is strictly
controlled.
Perimeter Firewalls and Endpoint software are in
place, with Anti-Virus updates disseminated to all
computers operating on the PSG networks.
Security testing is performed annually by a third
party provider to ensure network vulnerabilities are
identified and addressed.
Control
An industry standard firewall is in place on the PSG
network and there are rules set to restrict traffic
between public and secure networks. An industry
standard antivirus is in place on all computers
operating on the Punter Southall Network. Antivirus
definitions are updated from the vendor and
disseminated to computers on the network within
an hour.
Results of the annual penetration test are reviewed by
the IT Security Analyst and IT Operations Manager.
Results from the test are submitted to the
Information Security Sub Committee (ISSC) to assess
risks and implement remedial actions where required.
Verified through the inspection of documentation
that security testing was performed annually by a
third party provider to ensure network vulnerabilities
were identified and addressed.
Verified through the inspection of documentation
that an industry standard firewall was in place on
the PSG network and there were rules set to restrict
traffic between public and secure networks.
Verified through the inspection of documentation
that an industry standard antivirus was in place
on all computers operating on the PSG Network
and that antivirus definitions were updated from
the vendor and disseminated to computers on the
network within an hour.
Verified through the inspection of documentation
that results of the annual penetration test
were reviewed by the IT Security Analyst and IT
Operations Manager.
Verified through the inspection of documentation
that the results from the test were submitted to the
Information Security Sub Committee (ISSC).
No exceptions noted
The physical IT equipment is maintained in a controlled environment.
Control activity and description BDO test procedures
7.2d Process
Critical IT infrastructure is located in a Tier 3 offsite
data centre. Access is approved to a limited number
of IT Infrastructure staff only by the IT Operations
Manager.
Secure data storage providing an independent
copy of all data held in the offsite data centres is
located in a secure computer equipment room in
the 11 Strand London HQ office and restricted to
authorised individuals only.
Control
Branch office server and network equipment are
located in secure server rooms accessed by pass key
wherever office space allows. PSG datacentres are
provided by SunGard Ltd and are operated under
ISAE3402 guidelines. Local office keys and key codes
are authorised by the IT Operations Manager and
restricted to authorised individuals only.
Where office space does not allow this, the entire
office is secured to the same level using key codes
for the small numbers of staff involved. Logs are kept
of all visitors.
Verified through documentation that critical IT
infrastructure was located in an offsite data centre.
Verified that access is restricted to IT Operations
only and that any additional access must be
formally approved by the IT Operations Manager.
Through physical inspection and observation of
systems verified that an independent copy of the
data storage was maintained in a secure computer
room based at 11 Strand, London. Further verified
that access to the computer room was restricted via
keypad.
Verified through the inspection of documentation
that no access requests were made during the period.
Verified through observation and the inspection
of documentation that branch office server and
network equipment were located in secure server
rooms accessed by pass key wherever office space
allows, that PSG data centres were provided by
SunGard Ltd and are operated under ISAE 3402
guidelines and that local office keys and key codes
were authorised by the IT Operations Manager and
restricted to authorised individuals only.
Verified through observation that where office space
does not allow this, the entire office was secured to
the same level using key codes for the small numbers
of staff involved and logs were kept of all visitors.
No exceptions noted
7.3 Maintaining and developing systems hardware and software.
Development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented.
Control activity and description BDO test procedures
7.3a Process
A formal change management methodology is
used to implement new and revised infrastructure
changes, application version increments and
significant application developments. Documentation
for these projects is maintained within a central
project documentation library.
Control
BSG Managed Projects
All current Business Services Group projects are
managed with an adapted PRINCE2 process.
The BSG’s “project development lifecycle” has to
be followed for each new application project –
this ensures that the project, development and
change methodologies are followed. The project
documentation is maintained by the Business
Services Group or the application owner (depending
on application affected), is signed off / approved by
the business representative and reviewed / audited
by the application owner.
ITS Managed Projects
All current ITS projects are managed with an
adapted PRINCE2 process. Project documentation
and reporting is held in dedicated web sites [Claizon
& SharePoint] which are secure and available in
agreed business hours to all concerned. Documents
are indexed based on content and are easily
retrievable. User permissions are created for all
documents in order to control who may access or
edit certain files. These documents are managed and
controlled by the subject owner who is normally the
assigned Project Manager. Delivery of infrastructure
and software elements of all projects are controlled
by ITIL Change Management procedures within the
Hornbill helpdesk system and are linked to system CI
(Configuration Item) for software and hardware (VM
or Physical) associated with the project.
For the sample of changes selected, verified through
the inspection of documentation that a formal change
management methodology existed and was used to
implement new and revised infrastructure changes,
application version increments and significant
application developments.
Verified through inspection of documentation that
for a selected sample of changes, the project plan
had been approved and reviewed and that the
documentation for these projects was held in a
central repository.
While we were unable to obtain evidence of initial
authorisation for the changes sampled, we were
however, able to obtain evidence of testing and
approval prior to going live. The initial approvals
could not be evidenced as the workflow tool used to
capture approvals for changes had changed during the
period under review.
No exceptions noted
Data migration or modification is authorised, tested and, once performed, reconciled back to the source data.
Control activity and description BDO test procedures
7.3b Process
The Business Services Group and application owner
are responsible for data migration projects. A
detailed testing procedure is followed for all data
migrations. This includes sample data checks and full
reconciliation back to the source data.
Control
Issue logs are used to capture all issues and eventual
resolution of any issues.
The results of any sample data checks and the
reconciliation are reviewed by the application owner
to ensure that no errors have been created and the
data has been migrated completely and accurately.
Final sign off is required from application owner
before the change can be released to live.
Verified through enquiry and the inspection of
documentation that the requirement for the
database migration was initiated from the fact
that PSAL had performance issues with the original
setup where the web and database servers were on
the same servers. ITM had defined and set out the
requirements (the need for separating the servers)
in their PID.
Verified through enquiry and the inspection of
documentation that the results of any sample data
checks and the reconciliation were reviewed by the
application owner to ensure that no errors had been
created and the data had been migrated completely
and accurately.
Final sign off was required from the application owner
before the change could be released to live.
No exceptions noted
7.4 Recovering from processing interruptions.
Data and systems are backed up regularly, retained offsite and regularly tested for recoverability.
Control activity and description BDO test procedures
7.4a (i) Process
Backups are taken on a daily basis with a full backup
taken at the end of the week.
Control
The Group maintains a twin data centre design
(SunGard data centres TC2 and TC3), with all
systems and data replicated across both data
centres, ensuring that there are multiple copies
of the data available. In the unlikely event that a
data centre was made unavailable to the Group, it
can make all systems and data available from the
remaining data centre using the data that has been
backed up there through the replication.
Different replication approaches (i.e. frequency of
the replication, data storage tiers and hence the
speed with which they can be restored) are used for
systems with different business criticalities, as some
require restoration within an hour, with other non-
critical systems not being required for up to a week
after a data centre outage.
In addition to this, the Group backs up all systems
and data to separate storage based at the 11 Strand
offices every day; this is done automatically, with
email alerts being produced on completion. These
emails are reviewed by IT Ops each day and all
failures are reviewed and remedied. A random file
restore is also carried out to ensure that the files
backed up can be restored and used if required. Both
the review of the back-up emails and the successful
file restore are recorded on the daily checks checklist.
Obtained evidence to verify that incremental backups
were taken on a daily basis with a full backup being
taken at the end of the week.
Verified through the inspection of systems and
documentation that a twin data centre design was
implemented across both data centres, ensuring that
multiple copies of data were available.
Verified through the inspection of documentation and
enquiry that, during business continuity planning, the
business identified the business criticality of each of
their systems.
Verified that the business criticality was reflected in
the selection of the frequency of replication and data
storage tiers and other settings within VEEAM.
For the sample selected, verified through the
inspection of documentation that the Group backs up
all systems and data to separate storage based at
the 11 Strand Offices every day and that an email
alert is automatically produced on completion of the
backup process.
Further verified through the inspection of
documentation that these emails were reviewed by IT
Operations every day and that failures were reviewed
and remedied. This was evidenced on the daily backup
checks checklist.
A random file restore was also carried out successfully
and the results recorded on the daily backup checks
checklist.
No exceptions noted
7.4a (ii) Process
All systems and data are hosted on high availability
virtual servers with mirrored SAN RAID disk systems
which helps ensure no loss of data through media
failure. Virtual server backups are replicated across
the 2 geographically separate data centres as well as
an independent copy sent to offsite storage.
Windows Shadow Copy is enabled across all storage
servers allowing instant restoration of deleted or
corrupted files from snapshots taken not less than
once a day.
Control
The virtual environment is monitored daily to ensure
that it is functioning correctly with new, known and
resolved issues reported. Backup logs are emailed daily
with exceptions recorded by the IT Operations team.
Verified through the inspection of documentation and
system settings that all systems and data were hosted
on high availability virtual servers with mirrored SAN
RAID disk systems.
Verified through the inspection of documentation
and system settings that virtual server back-ups
were replicated across the 2 geographically separate
data centres.
For a sample of weeks selected, verified through the
inspection of documentation that an independent copy
of virtual server back-ups was sent to offsite storage.
Verified through the inspection of documentation
and system settings, that Windows Shadow Copy
was enabled across all storage servers allowing
instant restoration of deleted or corrupted files from
snapshots taken at least once a day.
For the sample of days selected, verified through
the inspection of documentation that the virtual
environment was monitored daily to ensure that
it was functioning correctly with new, known and
resolved issues reported.
Verified through the inspection of documentation
that back-up logs were emailed daily with exceptions
recorded by the IT Operations Team.
No exceptions noted
IT hardware and software issues are monitored and resolved in a timely manner.
Control activity and description BDO test procedures
7.4b Process
All hardware and system problems are recorded via
a dedicated Service Desk procedure.
Control
Incidents and Problems are only defined once they
have reached the helpdesk system based on ITIL
guidelines; any other ad-hoc requests for assistance
are not classified as faults.
Open tickets in the service desk are reviewed on
a monthly basis to ensure that issues are being
resolved in a timely manner. In addition, a number
of tools are used to proactively monitor the PSG
network and server environments.
Verified through the inspection of documentation
that all hardware and system problems were
recorded via a dedicated Service Desk procedure.
For the sample selected, verified through the
inspection of documentation that open tickets in
the service desk were reviewed on a monthly basis
to ensure that issues were being resolved in a timely
manner. In addition, a number of tools were used
to proactively monitor the PSG network and server
environments.
No exceptions noted
Business and information systems recovery plans are documented, approved, tested and maintained.
Control activity and description BDO test procedures
7.4c Process
Recovery Plans which provide for the recovery of all
key business processes are in place.
Control
Recovery plans for PSAL exist and are maintained and
cover the applications and systems which support all
business processes carried out at each location.
All plans are based around a recovery point, time and
capacity objectives that have been agreed within the
business and reflect the Group’s strategy for business
continuity. The plans are reviewed and tested annually
to ensure they remain appropriate. Test results are
reported to the Admin Risk Committee.
Verified through the inspection of documentation that
recovery plans which provide for the recovery of all key
business processes were in place.
Verified through the inspection of documentation that
recovery plans for PSAL existed and were maintained and
covered the applications and systems which support all
business processes carried out at each location.
Verified through the inspection of documentation that
all plans were based around a recovery point, time and
capacity objectives that have been agreed within the
business and reflect the Group’s strategy for business
continuity and that the plans were reviewed and tested
annually so that they remain appropriate.
Verified through the inspection of documentation
that test results were reported to the Admin Risk
Committee.
No exceptions noted
7.5 Monitoring compliance.
Outsourced activities are properly managed and monitored.
Control activity and description BDO test procedures
7.5a (i) Process
Outsourced activities are actively managed and
monitored. Service Level Agreements are in place,
covered by appropriate contracts and monitored by
either the Business Services Group or the central
PSG IT infrastructure team depending on activity.
Control
Pension administration system maintenance and
development has been outsourced to ITM Ltd. A
contract is in place with ITM Ltd detailing services
being supplied together with appropriate Service
Level Agreements. Regular governance and service
review meetings are held.
Verified through the inspection of documentation
that outsourced activities were actively managed and
monitored and that Service Level Agreements were in
place, covered by appropriate contracts and monitored
by either the Business Services Group or the central
PSG IT infrastructure team depending on activity.
Verified through the inspection of documentation
that pension administration system maintenance and
development had been outsourced to ITM Ltd, that a
contract was in place with ITM Ltd detailing services
being supplied together with appropriate Service Level
Agreements and that regular governance and service
review meetings were held.
No exceptions noted
7.5a (ii) Process
PSG IT outsources some network monitoring and
management tasks to a third party Wide Area
Network solutions provider – SSE. PSG also have
Service Level Agreements in place with SSE, covered
by appropriate contracts and monitored by the IT
Operations Team.
Control
Real time monitoring of all network services is carried
out 24/7 by ITS using SolarWinds Event management
and action taken if needed direct with SSE under ITIL
Incident Management tracked in Hornbill.
Verified through the inspection of documentation
that PSG IT outsource some network monitoring
and management tasks to a third party Wide Area
Network solutions provider – SSE.
Verified through the inspection of documentation
that PSG also have Service Level Agreements in
place with SSE, covered by appropriate contracts
and monitored by the IT Operations team.
Verified through observation and the inspection
of documentation that real time monitoring of
all networks was carried out 24/7 by PSG IT using
SolarWinds Event Management.
We were informed that there were no issues during
the period.
No exceptions noted
7.5a (iii) Process
Network services provided by third parties are
reviewed on an on-going basis to ensure the services
provided meet the organisation's requirements.
Control
The services are reviewed by both the IT Operations
Manager and IT Director; any issues are escalated to
the IT Governance Board.
Verified through enquiry that network services
provided by third parties were reviewed on an
on-going basis to ensure that the services provided
met the organisation's requirements.
Verified through enquiry that the services were
reviewed by both the IT Operations Manager and
IT Director.
Verified through enquiry that there were no issues
during the period.
No exceptions noted
9. Prospective customer disclaimer letter
Private and Confidential
13 October 2017

The Directors
PS Administration Limited
11 Strand
London WC2N 5HR
Dear Sir/Madam
Release of the 2017 AAF 01/06 Report to prospective customers of PS Administration Limited.
The 2017 AAF 01/06 report which covers the internal controls relating to pension administration services provided by PS Administration Limited (the ‘service organisation’) as at 31 March 2017 has been prepared by the directors of the service organisation principally for the purposes of providing information to organisations who were customers at 31 March 2017. You have asked us to agree to you providing to prospective customers, i.e. organisations that were not customers at 31 March 2017, a copy of the 2017 AAF 01/06 report which included our service auditor’s assurance report (‘our assurance report’).
We confirm that we are agreeable to you so doing on the clear understanding that our assurance report was addressed to you and was prepared on your instructions as set out in our engagement letter dated 20 February 2017. The report was not prepared for the benefit of any prospective customers and therefore items of possible interest to prospective customers may not have been specifically addressed by the 2017 AAF 01/06 report or the work supporting our assurance report. Nor does BDO LLP warrant or represent that the information in the 2017 AAF 01/06 report or work done in connection with our assurance report is appropriate for the interests or purposes of prospective customers. For the foregoing reasons the 2017 AAF 01/06 report cannot in any way serve as a substitute for enquiries and procedures that prospective customers would (or should) undertake and judgements they should make for the purpose of satisfying themselves regarding any matters of interest to them. Furthermore, we (BDO LLP, its partners, employees and agents) accept no duty or responsibility (whether in contract or in tort and including, without limitation, negligence and breach of statutory duty) and deny any liability to prospective customers or to any other third party in relation to our assurance report or otherwise, whether or not the 2017 AAF 01/06 report or our assurance report therein influences the decision or action of any prospective customer or any other party.
Prospective customers are also bound by a duty of confidentiality to BDO LLP, as well as to you. Consequently the 2017 AAF 01/06 report, and information obtained from it, must not be made available or copied in whole or in part to any other person without our prior written permission which we may, at our discretion, grant, withhold or grant subject to conditions (including conditions as to legal responsibility or absence thereof).
Notwithstanding our consent to the release of the 2017 AAF 01/06 report to prospective customers, our assurance report remains addressed to you and it is a matter for you to decide whether the release of the 2017 AAF 01/06 report is appropriate in the circumstances.
To ensure that prospective customers have a clear understanding of the terms under which our assurance report is being provided to them, a copy of this letter should accompany our assurance report.
Yours faithfully
For and on behalf of BDO LLP
55 Baker Street, London W1U 7EU
Telephone: +44 (0)20 7486 5888
Facsimile: +44 (0)20 7487 3686
DX 9025 West End W1
Web site: www.bdo.co.uk
BDO LLP Chartered Accountants
PSAL offices
Birmingham: 1 Colmore Row, Birmingham B3 2BJ. T 0330 202 0770. E [email protected]
Edinburgh: 7 Castle Street, Edinburgh EH2 3AH. T 0330 202 0770. E [email protected]
Newcastle: 36 Gallowgate, Newcastle upon Tyne NE1 4TD. T 0330 202 0770. E [email protected]
Bristol: Queen’s Quay, 33-35 Queen Square, Bristol BS1 4LU. T 0330 202 0770. E [email protected]
London: 11 Strand, London WC2N 5HR. T 0330 202 0770. E [email protected]
Wokingham: Albion, Fishponds Road, Wokingham, Berkshire RG41 2QE. T 0330 202 0770. E [email protected]
Chelmsford: Priory Place, New London Road, Chelmsford CM2 0PP. T 0330 202 0770. E [email protected]
Perth: Saltire House, 3 Whitefriars Crescent, Perth PH2 0PA. T 01738 503 400
© PSAL 2017. PSAL and PS Administration are both trading names of PS Administration Limited. Registered in England and Wales No. 09428346. Registered office: 11 Strand, London WC2N 5HR.
This communication is based on our understanding of the position as at the date shown. It should not be relied upon for detailed advice or taken as an authoritative statement of the law.
A Punter Southall Group company
For further information, visit our website at www.psadmin.com