Assurance Report on Internal Controls (AAF 01/06 and ISAE 3402)

For the year ended 31 December 2015

Private and Confidential


IMPORTANT

We permit the disclosure of the Report by the Reporting Accountants (“the Report”) on pages 23

and 24, in full only, to customers and potential customers (together “customers”) of Dalriada

Trustees Limited using Dalriada Trustees Limited pensions trustee services (as defined in the

appendix to this letter), Dalriada Trustees Limited’s co-trustees (where applicable), to pension

scheme members, relevant auditors and other professional advisers, to the Pensions Regulator and

to the public in general, to enable customers and their auditors to verify that a report by reporting

accountants has been commissioned by the directors of Dalriada Trustees Limited and issued in

connection with the internal controls of Dalriada Trustees Limited and without assuming or

accepting any responsibility or liability to them on our part, and on the condition that the directors

provide all such customers a written statement at the commencement of the Dalriada Trustees

Limited report in the form set out in Appendix 1 Section 5 of this report.

RSM NI (the “Reporting Accountants”) wishes readers to be aware that the Reporting Accountants'

work for the Directors of Dalriada Trustees Limited was designed solely to meet their agreed

requirements and was determined by their needs at the time.

This Report should not be regarded as suitable to be used or relied on by any reader wishing to

acquire any rights against the Reporting Accountants other than the Directors (as a body) for any

purpose or in any context. In consenting to the posting of the Report on this website, the Reporting

Accountants do not accept or assume any responsibility to any readers other than the Directors (as

a body) in respect of the Reporting Accountants' work for the Directors, the Report, or any opinions

that the Reporting Accountants may have formed and, to the fullest extent permitted by law, the

Reporting Accountants will accept no liability in respect of any such matters to any readers other

than the Directors. Should any readers other than the Directors choose to rely on the Report, they

will do so at their own risk.

RSM NI

Chartered Accountants

Belfast


Table of Contents

Introduction ....................................................................................................................... 2

Background and organisational structure ................................................................................ 4

Pension Administration ......................................................................................................... 8

Information Security ........................................................................................................... 14

Risk Management ............................................................................................................... 16

Information Technology ...................................................................................................... 18

Report of the Directors of Dalriada Trustees Limited ............................................................... 21

Report by the reporting accountants ..................................................................................... 23

Summary of control objectives ............................................................................................. 26

Control procedures and audit testing .................................................................................... 31

Appendix 1 Letter of Engagement ......................................................................................... 57


Introduction

The directors of Dalriada Trustees Limited (“Dalriada”) are pleased to present our report detailing

the control procedures that are in place for our pension administration and pension database

services.

This report covers the year ended 31 December 2015 and has been prepared in accordance with

the Technical Release AAF 01/06 “Assurance Reports on Internal Controls of Service Organisations

made available to Third Parties” published by the Institute of Chartered Accountants in England

and Wales (“the ICAEW”).

As the control objectives are consistent with the International Standard on Assurance Engagements (“ISAE”) 3402, Dalriada is reporting under both standards for this reporting period.

The ISAE 3402, Assurance Reports on Controls at a Service Organisation, was issued in December

2009 by the International Auditing and Assurance Standards Board (“IAASB”), which is part of the

International Federation of Accountants (“IFAC”). The ISAE 3402 provides an international

assurance standard to allow public accountants to issue a report on the controls of a service

organisation that are likely to impact or be a part of a user organisation’s system of internal

controls over financial reporting.

The control objectives are set out on pages 26 to 29 and we demonstrate how we meet these on

pages 31 to 55. These measures have been audited and reported upon by RSM NI. This is the

fourth such report we have published.

Dalriada is a privately owned UK company that acts as a professional independent trustee. Our

organisation is managed by four directors who supervise the activities of a number of highly

experienced and qualified pensions administrators and support staff. We have clients throughout

the UK serviced from our offices in London, Bristol, Belfast, Glasgow and Manchester.

Dalriada provides a range of trustee services which include the provision of administration, pension

fund accounting, pension data audit, and pension benefit audit services to a range of pension

scheme clients. In addition, we have specialist expertise in remedial pension scheme data audit

work, which is often required where a scheme is considering buying out its liabilities or during

Pension Protection Fund (“PPF”) or Financial Assistance Scheme (“FAS”) assessment periods.

Dalriada was appointed to the PPF’s Trustee Advisory Panel (“TAP”) in September 2013. Our

specialist PPF and FAS team handle all aspects of the assessment process including project

management, administration and pension fund accounting.


Background and Organisational structure

Dalriada was established in 2003 and acts as an independent, professional trustee in the United

Kingdom providing a high quality service. Since our inception we have provided trustee services to

pension schemes at varying stages of their development including on-going schemes, schemes in

the process of winding up and schemes in PPF and FAS Assessment.

Dalriada has a number of sister companies. Spence is a professional firm of actuaries, pension

consultants, pension scheme information technology (“IT”) specialists and administrators. Dalriada

Pension Trustees Limited operates as a separate professional trustee company to provide

professional trusteeship services to pension schemes in Ireland. The Pensions Hosting Company

Limited is an IT software business providing web-based pension administration and actuarial

services. Veratta is a privately owned UK firm of data management, software development,

information security and IT specialists with a focus on the pensions and financial services industry.

Our clients are based throughout the UK and Ireland and are serviced from our offices in Belfast,

Bristol, Glasgow, London and Manchester.

Ellcon Investments Limited is the holding company for the Group.

Under our group’s matrix management structure Dalriada is able to draw on the experience of over

90 pension professionals across a range of disciplines. Specialist staff include project managers,

actuaries, consultants, administrators, pension fund accountants, and pension database experts.

The Group structure provides a flexibility which allows us to effectively manage resource levels to

match variable workflows from clients, ensuring a consistency of service.


Our structure is illustrated in the table below as a two dimensional matrix.

Our Practice Heads across all companies are responsible for all aspects of services to a particular

market.

Practice Heads take overall responsibility for services to clients by drawing on specialist staff from

within each of the functions.

Each Function is managed by a Function Head who controls all resources for client delivery and

provides these to the practice areas as required. The most relevant Functions for this report are

our Consultancy, Administration and Pension Data functions.

The role of the trustee representative is key to our working relationship with clients, and they have

overall responsibility for the service provided to their clients. The trustee representatives have

access to management information to enable them to plan and monitor progress on particular

projects and against agreed fee budgets.

The separation between our Functions is not hard and fast. Although staff members are primarily

associated with one Function they can potentially perform a role in more than one Function

because we deliberately train staff to develop multiple skills.

In addition to the direct client servicing functions, our Corporate Services Function contains internal finance, IT, HR and Business Support resources.

The Consultancy, Administration, Actuarial and Pension Database Function Heads report to Kerry

Stafford, Company Secretary and Corporate Services Function Head. The Marketing Function Head

reports to David Davison, our Chief Marketing Officer, and the Corporate Services Function and the

Practice Heads report to our Chief Executive Officer, Brian Spence.


Brian, David and Neil are also supported by a number of advisory groups:

Practice Heads’ Group – external affairs and business development (meets quarterly)

Function Heads’ Group – coordination of resources and internal operations (meets quarterly)

Strategy Group – long term planning (meets quarterly)

Operations Group – (meets monthly)

PPF/FAS Group – coordinates all AVP (Actuarial Valuation Panel), SASP (Specialist Administration Services Panel) and TAP (Trustee Advisory Panel) work (fortnightly conference call)

Finance Group – financial issues (meets quarterly)

IT Group – (meets quarterly)

Our statutory company boards meet quarterly and perform an oversight and governance role.


Pension Administration

Dalriada provides a full range of pension administration and pension database services operated

within a quality controlled environment where it acts as a trustee and these services are required.

In some circumstances, Dalriada may be appointed as trustee for a scheme where these services are provided by a third party administrator, and in certain cases Dalriada may elect to outsource some or all of these services to a third party administrator. The services provided by third party administrators are outside the scope of this report, although the third parties may prepare their own Assurance Report.

Our pension administration team carries out all tasks and operations under a strict quality control

and governance framework. We have procedures and checks in place to ensure the accuracy and

quality of our service.

Dalriada recognises that its administration service is the interface between a pension scheme and

its members and our pension administration team fully understands the importance of this. We

never lose sight of the fact that the primary objective of a pension scheme is to provide benefits

and information to its members in an accurate and timely manner. Pension administration is a

core service for our business rather than an adjunct to other services and we are committed to a

process of continuous improvement in terms of the services we provide to our clients.

A complete range of administration services are provided as a core and/or distinct element of our

service including:

calculation and communication of benefit entitlements;

processing of benefit settlements;

cash management - operation of the scheme bank account, cashflow analysis, investment and disinvestment of funds as appropriate;

production of formal pension scheme annual report and accounts by our specialist pension fund accounting team;

processing of pension payroll; and

a comprehensive data and benefit audit reporting system to comply with the Pensions Regulator’s record keeping requirement.

MANAGEMENT SYSTEMS AND CONTROLS

Key elements of our management systems and controls to ensure quality of service for our clients

include:

STRUCTURE

A key component of our approach to quality is the separation of responsibility within our Group

between the Practice Head who is responsible for identifying the needs of our clients and

strategically developing our service to meet these needs and our Function Heads (Consultancy

including Trusteeship, Administration, Fund Accounting and Pension Database Functions) who

manage the resources and day to day delivery of services.


PROCEDURES

Our procedures are owned by the relevant Function Head and documented as a series of controlled

documents available on our intranet site. Where relevant all documents are managed within our

formal Information Security Management System (“ISMS”). Dalriada’s ISMS is externally certified

under ISO/IEC 27001:2013 - Information technology - Security techniques - Information security

management systems - Requirements.

Most procedures are automated as workflows on our in-house workflow system which also captures

and measures our performance against Service Level Agreements.

CONTENT MANAGEMENT

All procedures, documents, records and information are managed within an extensively developed

SharePoint implementation with version control.

All of our members of staff have access to a wide variety of technical information sources.

CHECKING

There are strict checking procedures for all calculations and correspondence with our co-trustees

(where relevant), members and third parties.

Checklists are completed to ensure that all the required steps are followed. All calculations are

peer reviewed by a senior administrator (the checker) along with the checklist to ensure there are

no errors or omissions.

All approvals for calculations and correspondence are held within our workflow system.

SERVICE LEVEL AGREEMENTS

Traditionally a Service Level Agreement (“SLA”) for pension administration focuses on carrying out

an action (e.g. responding to an individual item of post or an email within a defined timescale). The

creation of an “action” becomes more of an end in itself rather than meeting the needs of a

member.

Our monitoring is around whole events (e.g. a member’s death) rather than actions. The traditional

approach would have been to allow a turnaround of one day, say in respect of any incoming

correspondence or trigger for action. A true measure of the performance of the Trustees, and of us

as administrators, is the time taken for the death benefits to actually be paid out.

A member (or in the event of their death, their dependants) will not really place great value on a

particular letter having been answered within one day but will want to know when their benefits

will be settled.

The administration team aim to carry out services and tasks accurately and efficiently to meet or

exceed SLAs. SLAs are continuously monitored internally and reported externally to trustees in the

form of a Stewardship report. The report details the tasks undertaken during the relevant period

and whether the SLAs have been met. This allows the trustees to monitor the performance against

the SLA.

ELECTRONIC DOCUMENT AND TASK MANAGEMENT

To underpin our workflow management system, we have implemented Microsoft SharePoint software enabling us to introduce comprehensive electronic document management. All correspondence for our clients is scanned and available for searching and retrieval. Our workflow system enables pensions administrators to monitor closely the turnaround times on individual pieces of work, the total amount of outstanding work and where any particular job is at any moment in time. Dalriada has also developed advanced reporting tools so that detailed activity and performance information can be extracted at any point in time and, indeed, forms the basis of our standard Stewardship Reporting.

AUDIT

Compliance with our procedures is subject to internal audits and external audits (AAF 01/06 & AAF

02/07). The ISMS is subject to separate external audit for ISO 27001 purposes.

OUR EMPLOYEES

Our Company ethos is to provide worthwhile and interesting careers for all our employees. Our

Human Resources team works in partnership with our Function Head Group to deliver the HR

strategy of Attract, Manage, Develop, Retain and support the overall strategy of the Company.

Attract - As a Company we recruit the highest calibre of staff through robust and challenging

recruitment and security exercises to ensure our clients are supported by qualified, professional,

and credible employees.

Manage – We actively manage our employees in a collaborative manner and all our operational

employees engage with our performance management review process on an ongoing basis. The

results of the annual appraisals are integrated with our salary and bonus system rewarding high

performance against agreed objectives aligned with the needs of our business and our clients.

Develop - We adopt a supported Learning and Development approach working with our employees

through professional qualifications, formal study plans, and mentoring, to enhance the capability of

our employees and thus enhance our client service. All of our operational managers have been


taken through management development training which has been developed specifically in relation

to our company and industry.

Retain - At the heart of our processes, is effective communication. Through our engaging culture

we have enjoyed high retention levels which ensure consistency of delivery for our clients.

In support of the above:

We have clearly defined and documented policies and procedures governing the services we

provide which are clearly communicated to all relevant staff.

Our policies and procedures are regularly reviewed with a view to identifying and implementing

continuous improvements.

Changes to our policies and procedures are clearly communicated to all staff and relevant

contractors.

Compliance with our standards and relevant policies and procedures is regularly audited.

KNOWLEDGE MANAGEMENT

Sharing of expertise is paramount in our company and is implemented through our Knowledge Management Framework; the diagram below outlines our process.

We appoint Knowledge champions who are expected to keep abreast of all developments in their

particular technical area and develop the company and client understanding on key updates.


CULTURE

Our culture has a vital role to play in the delivery of our vision and our achievement of quality.

Our culture is embedded in everything we do and lived out by our employees. We have annual

training days attended by all employees where we outline strategy and focus on Group wide

communication within an environment which encourages and allows open and honest feedback.

We always benefit from a tremendous level of participation by employees on these days and value

the input we receive from our employees.


Information Security

Information security is of paramount importance to our organisation. We are committed to

protecting information from a wide range of threats in order to preserve the confidentiality,

availability and integrity of that information, to ensure business continuity and to minimise

business risk for us and our clients.

Our group has engaged a CESG Listed Adviser Scheme (“CLAS”) consultant to provide information

assurance advice in relation to our systems and all recommendations have been implemented.

Dalriada has been certified to ISO/IEC 27001, the International Organization for Standardization’s standard for information security management systems, since December 2011. During 2014, Dalriada was recertified to ISO/IEC 27001:2013.

ISO 27001 is fast becoming the international touchstone for effective, secure information

management practices that protect organisations and ensure their compliance with data protection,

privacy and computer misuse regulations. The use of this standard primarily ensures business

continuity, minimising business damage by preventing and reducing the impact of security

incidents.

The security practices, policies and technical and physical controls adopted by Dalriada are maintained in line with our ISO/IEC 27001 certification and are essential to ensure the safe and secure deployment of IT systems and services, and to protect the interests of the firm’s people and its clients.

Our information security policy outlines our:

Commitment to information security

Protection of key assets: information, personnel, technology, processes

Risk management process

Training and awareness of staff and third parties

Reporting and resolution of information security breaches

Business Continuity Management System


Risk Management

Our risk assessment process involves identifying risk scenarios based on our key information

assets. Associated threats to these assets are identified, along with the vulnerabilities that might

be exploited by the threats.

Our Information Security Focus Group (“ISFG”) meets quarterly and analyses risk scenarios.

The consequences of each risk are assessed in terms of loss of confidentiality, integrity or availability. This consequence score is multiplied by ratings for business operational impact (severity), likelihood (probability) and business criticality, giving a risk level on a scale of 1 to 243. Identified risks are analysed and evaluated against risk acceptance criteria. Once risks have been identified and assessed, techniques to manage risk fall into one or more of these categories:

Avoidance (elimination)

Reduction (mitigation)

Retention (acceptance)

Transfer (insurance)

Risk Treatment Plans are drawn up to provide the basis for knowingly and objectively accepting

risks or implementing the required countermeasures. The Risk Treatment Plans will be escalated

and formally approved where appropriate.

The Risk Register is reviewed at planned intervals by our ISFG to reflect changes in the underlying

environment.


Information Technology

Dalriada’s IT infrastructure is hosted in an offsite datacentre and is managed by a combination of

in-house staff and an external managed service supplier to whom the following is outsourced:

24/7 pro-active monitoring and alerting system to ensure early warning of system failure.

Business hours access to an IT helpdesk for call escalation and 3rd level support services.

24/7 access to engineers for out of hours support services.

Managed daily backups and monthly restores and recovery tests.

Dalriada also utilises Mantle, a web application provided by Dalriada’s sister company The Pensions Hosting Company Limited.

Our voice network is hosted by BT with only end user devices held onsite.

NETWORK INFRASTRUCTURE

Voice and data are carried over leased high speed fibre optic lines with failover to an independent Ethernet in the First Mile (EFM) copper connection.

To reduce the risk associated with a ‘one application, one server’ model, we use VMware vSphere 5.5 for server virtualisation management.

SECURITY

Our IT infrastructure is protected by a range of security measures within our ISO 27001 framework

including:

Perimeter firewalls

Segregation of traffic using VLANs

Regular CESG CHECK penetration testing to ensure compliance with HMG policy

SHAREPOINT

We use SharePoint as a central resource for document management and workflow. Scheme

documentation, member correspondence and internal function process documents are worked on

and stored in this repository. Security permissions are in place to ensure that no conflicts of

interest occur across our clients, and sensitive documents are managed accordingly. Significant

on-going developments have been made over recent years enabling more efficient working

practices across all client related functions, including a bespoke document tagging feature.

BACKUP AND RECOVERY

Using our VMware implementation all servers bar one are virtualised, with each virtual machine (“VM”)’s workload encapsulated in a small set of files containing the operating system, applications and data. Virtualisation enables faster recovery in terms of provisioning and getting data back online, and is not dependent upon particular hardware.


Zerto replication technology is in place, replicating the primary IT infrastructure in the datacentre

back to the target Disaster Recovery IT environment in the Belfast office. Zerto replication offers a

resilient and reliable business continuity solution if the IT environment fails in the datacentre.

Veeam backup in the datacentre provides fast, flexible and reliable recovery of our virtualised

applications and data.

ADMINISTRATION DATABASE

Mantle is a pension administration system developed by our sister company, The Pensions Hosting Company Limited, to meet developing industry needs. Functionality includes fully automated benefit calculations, document storage, automated workflows, daily actuarial valuations and data audits.

Dalriada also utilises a separate Microsoft SQL based application for certain one-off projects and is

in the process of decommissioning this application for ongoing schemes.

EMAIL ARCHIVING

Dalriada has maintained an online archive of all emails sent and received since it was founded in 2003.

Any email can be retrieved within seconds using our email archiving software, Mimecast.

Mimecast is a cloud-hosted email archiving service that retains a copy of all mail passing through our Exchange mailboxes. Its continuity feature gives users web-based access to their email in real time when the core infrastructure is offline.

END USER COMPUTING

All access is provided through Citrix desktop virtualisation software, so Dalriada does not incur the risk associated with data residing on notebook or desktop computers.

Access to our network from outside the perimeter requires two factor authentication.


Report of the Directors of Dalriada Trustees Limited

As directors of Dalriada we are responsible for the identification of control objectives relating to

pension scheme transactions in the provision of pension administration services and the design,

implementation and operation of the control procedures of Dalriada to provide reasonable

assurance that the control objectives are achieved.

In carrying out those responsibilities we have regard not only to the interests of our pension

scheme members, but also to the requirements of the business and the general effectiveness and

efficiency of the relevant operations.

We have evaluated the effectiveness of Dalriada’s control procedures having regard to the

International Standard on Assurance Engagements 3402 (ISAE 3402), issued by the International

Auditing and Assurance Standards Board, the Technical Release AAF 01/06 (AAF 01/06), issued by

the Institute of Chartered Accountants in England and Wales, and the criteria for pension

administration and pension database services. The control objectives identified include all of those

listed in Appendices 1(c) and 1(g) of the ICAEW AAF 01/06.

We set out in this report a description of the relevant control procedures together with the related

control objectives which were in operation during the year ended 31 December 2015 and confirm

that:

1. the report describes fairly the control procedures that relate to the control objectives referred

to above, which were in place for the year ended 31 December 2015;

2. the control procedures described were suitably designed throughout the year ended 31

December 2015 such that there is reasonable assurance that the specified control objectives

would be achieved if the described control procedures were complied with satisfactorily; and

3. the control procedures described were operating with sufficient effectiveness to provide

reasonable assurance that the related control objectives were achieved during the year ended

31 December 2015.

Neil Copeland

Director

Signed on behalf of the Board of Directors Date: 22nd February 2016

Dalriada Trustees Limited


Report by the reporting accountants

USE OF REPORT

This report is made solely for the use of the directors, as a body, of Dalriada and solely for the

purpose of reporting on the control procedures within Dalriada, in accordance with the terms of our

engagement letter dated 27 January 2016, which is attached as an Appendix to your report.

Our work has been undertaken so that we might report to the directors on those matters that we

have agreed to state to them in this report and for no other purpose. Our report must not be

recited or referred to in whole or in part in any other document nor made available, copied or

recited to any other party, in any circumstances, without our express prior written permission.

We permit the disclosure of our report, in full only, to customers and potential customers (together

“customers”) of Dalriada using Dalriada’s pension administration services (as defined in the

appendix to this letter), Dalriada’s co-trustees (where applicable), to pension scheme members,

relevant auditors and other professional advisers and to the public in general, to enable customers

and their auditors to verify that a report by reporting accountants has been commissioned by the

directors of Dalriada and issued in connection with the internal controls of Dalriada and without

assuming or accepting any responsibility or liability to them on our part, and on the condition that

the directors provide all such customers a written statement at the commencement of the Dalriada

report in the form set out in our engagement letter.

To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other

than the directors as a body and Dalriada for our work, for this report or for the opinions we have

formed.

SUBJECT MATTER

We have been engaged to report on the description and design, as at 31 December 2015, and operating effectiveness of Dalriada’s control procedures designed to achieve the control objectives throughout the year ended 31 December 2015.

RESPECTIVE RESPONSIBILITIES

Dalriada’s responsibilities and assertions are set out on page 21 of your report.

Our responsibility is to form an independent conclusion, based on the work carried out in relation to the control procedures of Dalriada’s pension administration services as described in the directors’ report, and report this to the directors of Dalriada.

CRITERIA AND SCOPE

We conducted our engagement in accordance with ISAE 3402 and the ICAEW Technical Release AAF 01/06. The criteria against which the control procedures were evaluated are the internal control objectives developed for service organisations as set out within the Technical Release AAF 01/06 and identified by the directors as relevant control objectives relating to the level of control over customers’ assets and related transactions in the provision of pension administration services.


Our work was based upon obtaining an understanding of the control procedures as described on pages 26 to 29, in the report by the directors, and evaluating the directors’ assertions as described on page 20 in the same report to obtain reasonable assurance so as to form our conclusion. Our work also included tests of specific control procedures, to obtain evidence about their effectiveness in meeting the related control objectives. The nature, timing and extent of the tests we applied are detailed on pages 31 to 55.

Our tests are related to Dalriada as a whole rather than performed to meet the needs of any particular customer.

INHERENT LIMITATIONS

The control procedures designed to address specified control objectives are subject to inherent limitations and, accordingly, because of their nature, control procedures at Dalriada may not prevent or detect and correct all errors or omissions in performing administrative and accounting procedures. Control procedures cannot guarantee protection against, among other things, fraudulent collusion, especially on the part of those holding positions of authority or trust.

Our conclusion is based on historical information. The projection of any evaluation of the fairness of the presentation of the description, or opinion about the suitability of the design or operating effectiveness of the control procedures, to future periods would be inappropriate.

CONCLUSION

In our opinion, in all material respects:

1. the accompanying report by the Dalriada directors describes fairly the control procedures that relate to the control objectives referred to above which were in place during the year ended 31 December 2015;

2. the control procedures described on pages 31-55 of this report were suitably designed such that there is reasonable, but not absolute, assurance that the specified control objectives would have been achieved if the described control procedures were complied with satisfactorily; and

3. the control procedures that were tested, as set out on pages 31-55 of this report, were operating with sufficient effectiveness for us to obtain reasonable, but not absolute, assurance that the related control objectives were achieved for the year ended 31 December 2015. The control objectives identified include all of those control objectives listed in Appendices 1(c) and 1(g) of the AAF 01/06.

Date: 25th February 2016

RSM


Summary of Control Objectives

CONTROL OBJECTIVE / AUDIT FINDINGS

1. ACCEPTING CLIENTS

Accounts are set up and administered in accordance with the Schemes’ Trust Deed and Rules, or Appointment Order from the Pensions Regulator (“tPR”) and applicable regulations.
Audit findings: No exceptions noted

The appropriate Deed of Appointment is executed by all parties, or Appointment Order from tPR is received prior to initialising administration activity.
Audit findings: No exceptions noted

Pension schemes taken on are properly established in the system in accordance with the scheme rules and individual elections.
Audit findings: No exceptions noted

2. AUTHORISATION AND PROCESSING TRANSACTIONS

Contributions to defined contribution plans, defined benefit schemes, or both, and transfers of members' funds between investment options are processed accurately and in a timely manner.
Audit findings: No exceptions noted

Benefits payable and transfer values are calculated in accordance with scheme rules and relevant legislation and are paid on a timely basis.
Audit findings: No exceptions noted


3. MAINTAINING FINANCIAL AND OTHER RECORDS

Member records consist of up to date and accurate information and are updated and reconciled regularly.
Audit findings: No exceptions noted

Contributions and benefit payments are completely and accurately recorded in the proper period.
Audit findings: No exceptions noted

Investment transactions, balances and related income are completely and accurately recorded in the proper period.
Audit findings: No exceptions noted

Scheme documents are complete, up to date and securely held.
Audit findings: No exceptions noted

4. SAFEGUARDING ASSETS

Member and scheme data is appropriately stored to ensure security and protection from unauthorised use.
Audit findings: No exceptions noted

Cash is safeguarded and payments are suitably authorised and controlled.
Audit findings: No exceptions noted

5. MONITORING COMPLIANCE

Contributions are received in accordance with the scheme rules and relevant legislation (where Dalriada carry out the treasury function).
Audit findings: No exceptions noted

Services provided to pension schemes are in line with agreed service levels.
Audit findings: No exceptions noted

Transaction errors are rectified promptly and clients treated fairly.
Audit findings: No exceptions noted

6. REPORTING TO CLIENTS

Periodic reports to Trustees and scheme sponsors, where applicable, are accurate and complete and provided within agreed timescales.
Audit findings: No exceptions noted

Annual reports and accounts are prepared in accordance with applicable law and regulations.
Audit findings: No exceptions noted


Regulatory reports are made if necessary.
Audit findings: No exceptions noted

INFORMATION TECHNOLOGY

7. RESTRICTING ACCESS TO SYSTEMS AND DATA

Physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals.
Audit findings: No exceptions noted

Logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.
Audit findings: No exceptions noted

Segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles.
Audit findings: No exceptions noted

8. PROVIDING INTEGRITY AND RESILIENCE TO THE INFORMATION PROCESSING ENVIRONMENT, COMMENSURATE WITH THE VALUE OF THE INFORMATION HELD, INFORMATION PROCESSING PERFORMED AND EXTERNAL THREATS

IT processing is authorised and scheduled appropriately and exceptions identified and resolved in a timely manner.
Audit findings: No exceptions noted

Data transmissions between the service organisation and its counterparties are complete, accurate, timely and secure.
Audit findings: No exceptions noted

Appropriate measures are implemented to counter the threat from malicious electronic attack (e.g. firewalls, anti-virus etc.).
Audit findings: No exceptions noted

The physical IT equipment is maintained in a controlled environment.
Audit findings: No exceptions noted


9. MAINTAINING AND DEVELOPING SYSTEMS HARDWARE AND SOFTWARE

Development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented.
Audit findings: No exceptions noted

Data migration or modification is authorised, tested and, once performed, reconciled back to the source data.
Audit findings: No exceptions noted

10. RECOVERING FROM PROCESSING INTERRUPTIONS

Data and systems are backed up regularly, retained offsite and regularly tested for recoverability.
Audit findings: No exceptions noted

IT software and hardware issues are monitored and resolved in a timely manner.
Audit findings: No exceptions noted

Business and information systems recovery plans are documented, approved, tested and maintained.
Audit findings: No exceptions noted

11. MONITORING COMPLIANCE

Outsourced activities are properly managed and monitored.
Audit findings: No exceptions noted


Control procedures and audit testing

CONTROL PROCEDURE / AUDIT TESTING

1. Accepting clients

Control procedure: On confirmation that Dalriada have been appointed by Deed of Appointment or by Order of tPR and will be providing administration services, a New Client Implementation Document is prepared to act as a project planning document. As part of the client take-on process, the relevant client take-on documentation is completed as outlined in the client take-on process note. Standard administration tasks are also added to the workflow system, reflecting standard performance timescales or bespoke timescales.

Audit testing: Verified for new schemes taken on during the year that the New Client Implementation Document, Pre Appointment Conflict Consideration and Accepting Trusteeship Risk Management documents have been completed and signed off by the Client Manager. No exceptions noted.

Control procedure: Only on receipt of a signed Deed of Appointment or Appointment Order from tPR can the client be added to the workflow system such that people are able to record time against the client. Occasionally, due to time constraints, Dalriada may be required to carry out some work before it is possible to have the Deed signed. On receipt of a signed Deed or Order from tPR, this is scanned to SharePoint and tagged appropriately.

Audit testing: Verified for new schemes taken on during the year that the Deed of Appointment and Fee and Service Agreement have been received and signed by Dalriada and the co-Trustees before the client is added to the workflow system. No exceptions noted.

Control procedure: As part of the implementation process a copy of all scheme documentation is requested. This documentation is reviewed and, where administration services are provided, forms the basis of scheme benefit specifications which are reviewed and signed off. Where appropriate, the Benefit Specification is reviewed and signed off by our co-trustees and/or the scheme’s legal advisers, particularly if there is any ambiguity in interpretation or if there is any concern that the benefits provided do not comply with legislative requirements. The remaining control objectives assume that the relevant service is not outsourced to a third party.

Audit testing: Verified for new schemes taken on during the year that the Scheme Installation Checklist has been signed and filed and that the Benefit Specification has been compiled from Scheme Rules, signed by the administrator, client manager and the trustees. No exceptions noted.


Control procedure: Prior to commencement of administration services, the Pension database team’s business analyst reconciles scheme data provided by the previous administrator to Dalriada’s administration system, and raises any exceptions regarding missing or incorrect data with the client manager. Data is analysed using Dalriada’s bespoke data audit software, which generates reports that identify any gaps or errors in the data received. Reports generated by the data audit, along with correspondence to resolve any data gaps or errors, are held on our document management system.

Data is requested in all forms and any electronic data is imported onto Dalriada’s administration system and tested against the data quality standards set out by the Pensions Regulator. Membership statistics are reconciled to the last set of audited Accounts and to control totals provided by the previous administrator. Where necessary, remedial action is proposed in the event that data is materially deficient to the extent that Dalriada cannot carry out some or all of the services they have been contracted to perform.

Audit testing: Verified for new schemes taken on during the year that data migration and reconciliation has been carried out as well as a data audit to test the data quality standards. No exceptions noted.

Control procedure: Scheme data reconciliations and correspondence relating to the follow-up of any gaps or errors identified are verified by a member of the Pension database team, as evidenced by the sign-off on the scheme installation checklist. Copies of work relating to the installation are held on our document management system.

Audit testing: The Scheme Installation Checklist has been completed as far as possible for the work in progress with respect to each client take-on in our sample. No exceptions noted.

Control procedure: Wherever possible, Dalriada request sight of any previous administrators’ specifications and/or details of custom and practice to establish any precedent in areas of interpretation of the Rules where this might not be clear and where member-specific benefits may override, for example where senior employees have an entitlement to different benefits, detailed in an individual announcement letter.

Audit testing: Due to all client take-ons during the year being work in progress we were not able to test this control procedure. No exceptions noted.

Control procedure: The benefit specification is prepared by the administrator and reviewed by the client manager. Where appropriate the benefit specification is reviewed and signed off by the trustees and/or the scheme’s legal advisers, particularly if there is any ambiguity in interpretation or if there is any concern that the benefits provided do not comply with legislative requirements.

Audit testing: For the sample chosen and all client take-ons during the year the development of the Benefit Specification was work in progress still to be completed and therefore could not be tested. No exceptions noted.


Control procedure: All documentation is scanned, tagged and filed in SharePoint, for ease of reference.

Audit testing: Verified that scanned documents have been saved in SharePoint with original documentation held in the Glasgow office. No exceptions noted.

2. Authorising and processing transactions procedure

Control procedure: Procedures are followed for banking cheques and electronic credits and contributions monitoring whereby all cheques received are logged and banked on the same day by the Business Support Team (“BST”). Electronic credits are logged by the accounts team. The paperwork accompanying the cheque/electronic credit is passed to the accounts team who prepare a deposit form and update the transaction on QuickBooks to record receipt of the contributions. The deposit form is signed by the fund accountant/cashflow administrator and is filed.

Audit testing: For each month selected during the period, verified for a sample of transactions that once the receipt instruction was received a deposit form was completed, signed off by the necessary signatories and QuickBooks was updated on a timely basis. No exceptions noted.

Control procedure: The contributions monitoring spreadsheet is reviewed on the 15th of each month and any outstanding contributions usually received by that date are followed up. The receipt of the remainder is monitored. Any late contributions are notified to the client manager, actuary and trustees. They are recorded on the breaches log which is on the agenda at the quarterly board meetings.

Audit testing: For each of the receipt transactions selected, ensured that contributions are processed accurately and on a timely basis in accordance with a schedule agreed between the employer and the trustees, with member contributions having to be paid to the trustees before the 19th of the month following the deduction of the contributions from the members’ salaries. No exceptions noted.

Control procedure: At least three months in advance of a member’s normal retirement age a task is created on the workflow system. An administrator can be notified of a task to calculate benefits by post, email or 'other', e.g. phone call, verbally, meeting minute. The request is set up as a task within the workflow system and an administrator will complete the appropriate checklist.

Audit testing: From the sample of benefits payable selected, ensured that processing requests are authorised and checked prior to submission by a senior administrator or manager, payments are processed accurately and on a timely basis, and the appropriate checklist is completed and signed by the relevant administrators. No exceptions noted.


Control procedure: Calculations are processed by an administrator in accordance with the scheme rules with reference to the scheme’s benefit specification where appropriate. All calculations are checked by a senior administrator or administration manager. Approval workflows are run against all calculations and documents prepared, along with the checklist. The workflow tasks are monitored by the administrator and the administration manager with the aim that they will be finalised within the service level agreement agreed with the client. Once the task is finalised, the workflow checklist will be completed.

Audit testing: From the sample of benefits payable selected, verified that the workflow checklist had been completed and signed off by two members of the administration team. No exceptions noted.

Control procedure: Procedures are followed for making cheques and electronic payments from the scheme bank account. Payments are processed by the fund accountant within 1 day of the request and with the appropriate backing papers detailing the amount payable. Payment withdrawal forms are processed and checked by separate staff and cheques/electronic payment instructions are signed in accordance with the bank mandate by staff who are different from the requestor, processor and checker. Once a task has been completed it is closed off on the workflow system.

Audit testing: From the sample of benefits payable selected, verified that payments are processed accurately and on a timely basis, supporting documentation for the payments is included, there are two signatories on each cheque and there is evidence that the QuickBooks account balance has been updated. No exceptions noted.

Control procedure: Every month a payroll administrator updates the control spreadsheet with the payment date and the latest date on which the payment file can be submitted to the bank (taking into account bank/public holidays).

The payroll administrator maintains a monthly payroll checklist, detailing for each payroll each stage of running and paying the payroll. This checklist is monitored during the period to ensure payment dates are met.

Any changes are notified to the payroll team by a set monthly cut-off date and are applied to the payroll. As changes are received they are added to the carry forward spreadsheet.

The payroll is run using Sage 50 Payroll Professional. Each payroll run for each client is reconciled by the payroll administrator for recorded changes against the previous payroll run. Each change and reconciliation is peer reviewed for accuracy.

Reconciliations and payroll reports for each period are saved on our file management system, SharePoint.

Audit testing: Verified for a sample of internal payroll runs for a number of pension schemes that a payroll checklist is completed and is updated and a reconciliation is carried out for any amendments against the previous payroll run. Ensured that a peer review of payroll changes is carried out and there is evidence of the payroll file check against payroll data. No exceptions noted.


Control procedure: The payment file is checked against the payroll data before being uploaded to the online banking facility. Monthly payrolls are checked and approved for payment by the administrator. The administrator will reconcile any changes to the payroll against the administration data to check that the correct pensions are being paid.

Pension increases are calculated in accordance with the scheme rules. Recurring tasks are set up on the workflow system for the increases to be calculated either on anniversary or annually depending on the scheme rules. The increases are checked by a senior administrator and a checklist is completed.

Audit testing: Verified for a sample of monthly payrolls that they had been checked and approved for payment by a member of the administration team. No exceptions noted.

3. Maintaining financial and other records

Control procedure: For schemes that have active members a recurring task is set up on the workflow system for pre-renewal schedules to be sent to each client site prior to the renewal date. A checklist is updated throughout the process. Once all the data has been returned the administrator follows the annual renewal checklist and updates members' salary and status data, which is reconciled against the data received from the client. Any discrepancies are investigated and resolved. The renewal is then processed and benefit statements for each active member are produced. All calculations and statements are checked by a senior administrator.

Audit testing: For a sample of active schemes verified that the scheme data has been updated and reconciled against data received from the client. Ensured that a renewal checklist had been completed for each scheme and that the checklist had been peer reviewed. No exceptions noted.

Control procedure: Where applicable, member data is also kept up to date through periodic and ad hoc data loads including payroll data, pension increase data and changes to personal details. The information relating to these data loads is provided to the Pension database team. On receipt of data a business analyst follows the scheme update checklist to load the data onto Dalriada’s administration system. The data is reconciled back to the source data. Copies of work relating to data loads are held on our document management system.

Audit testing: For a sample of data loads ensured that the scheme update checklist had been completed, a reconciliation to source data has been completed and peer reviewed, and a confirmation letter is sent, and verified that the checklist is maintained on the document management system. No exceptions noted.

Control procedure: Any changes to the scheme membership are recorded on our administration database when advised by members or clients or trustees. When calls are received from members, verification is sought by asking for date of birth and national insurance number. Changes can be made on receipt in writing from members. Ad hoc checklists are completed and backing documentation is scanned and filed in the member’s file.

Audit testing: For a sample of schemes ensured that the member’s details are updated, that the relevant backing documentation is received and that the appropriate checklist is completed and peer reviewed. No exceptions noted.


Control procedure: All changes are checked by another administrator. Following a new application, cessation of service, retirement, death or transfer of benefits the member's status is updated on our administration database. An approval workflow is run against a pdf copy of the member print for any status changes and the appropriate checklist is completed and checked by a senior administrator.

Movements in active, deferred and pensioner numbers are reconciled on an annual basis as part of the accounts preparation process. Any discrepancies are investigated and resolved.

Audit testing: Ensured that a periodic report on membership is prepared for a sample of schemes with membership data reconciled to the scheme accounts. No exceptions noted.

Control procedure: Receipt of any documentation from members or third parties is scanned and filed in SharePoint and checked by the administrator. Documentation for transfers out includes the discharge forms signed by the member and details of the receiving scheme, and for deaths and retirements includes birth/death/marriage certificates, retained benefit forms and evidence, signed option forms and trustee or company authorisation where required. Copies of documents are tagged and filed in SharePoint. Any original documents are returned to the member by recorded delivery.

Audit testing: Verified for a sample of transfers out, deaths and retirements that the relevant notification and documentation have been received, the checklist and calculations were completed, the system had been updated and peer review was completed. No exceptions noted.

Control procedure: The pension payroll service administrator is advised of any new pensions to be added to the payroll and this request is checked by another administrator. The cessation of a pension on, for example, a pensioner death is advised to the pension payroll service administrator immediately by the administrator.

Audit testing: Verified correspondence with the pension payroll service administrator for a sample of deaths. No exceptions noted.

Control procedure: Each scheme has its own bank account and the financial records are maintained separately. Passwords are required to access each scheme account. All credits and payments are recorded on a scheme cashbook following the procedures for banking cheques and electronic credits and the procedures for making cheques and electronic payments from the scheme bank account. The scheme deposit form is filed along with any supporting documentation and the amount received is checked against any schedule/confirmation advice. The scheme withdrawal form is checked against and filed along with the supporting benefit documentation.

Audit testing: Verified for a sample of various scheme bank accounts throughout the period that monthly bank reconciliations had been carried out on a timely basis and peer reviewed. No exceptions noted.


Control procedure: The procedures for carrying out bank reconciliations are followed whereby the cashbook is reconciled against the bank statement for the trust account each month/quarter and any anomalies are investigated. Bank reconciliations are completed within 5 working days of receipt of the bank statement unless queries arise which cause a delay. Uncashed cheques are monitored by the fund accountant and if more than one month old are notified to the scheme administrator. The cheque system is reviewed and any outstanding lodgements are processed or queried and cleared down. Bank statements and the bank reconciliation report are filed in SharePoint and the paper copies of bank statements are filed with the other post items but in a separate folder.

Audit testing: From our sample of contributions made by cheque and the monthly bank account reconciliations, all lodgements had been cleared down and we confirmed the bank statements were filed with other post items but in a separate folder. No exceptions noted.

Control procedure: As part of the annual scheme accounting process the fund accountant reconciles the contributions to the schedule of contributions and benefit payments to the member movement report produced from our administration database. Any discrepancies are investigated and resolved.

Audit testing: Verified that a sample of contributions are paid in accordance with a schedule agreed between the employer and the trustees, and obtained evidence that for a sample of late contributions these had been appropriately recorded in the compliance breaches log and notified to the trustee board and actuaries if required. No exceptions noted.

Control procedure: As part of the annual accounting process, the fund accountant reconciles the investment valuation, investment income, purchases and sales with data received from the investment managers. Any discrepancies are checked and investigated by the fund accountant. Investments and disinvestments in the scheme cashbook are reconciled to the investment manager's transactions.

Audit testing: Verified for a sample of schemes that reconciliations are carried out with the investment manager's data. No discrepancies were noted for follow-up. No exceptions noted.


Control procedure: Journals are posted to the trial balance and period-end balances inserted into the accounts template on an annual basis in accordance with the Statement of Recommended Practice and disclosure regulations.

Audit testing: Verified for a sample of schemes that the template used to prepare the accounts is in accordance with SORP and disclosure regulations, the movement in deferred/active/pensioner numbers is reconciled, bi-monthly meetings are held to monitor progress, and the accounts have been peer reviewed, signed by trustees and the auditor and filed within the statutory seven-month deadline. No exceptions noted.

Control procedure: No original documents are held on file but are sent to the legal advisers, or offsite storage. All scheme documents are scanned and filed in SharePoint. Any new or amending documentation is scanned and filed to ensure that the latest scheme documentation is maintained and held on file.

Audit testing: Verified for a sample of schemes that any original documents are lodged with the Scheme's legal advisers or held securely offsite and have been scanned and filed in SharePoint. No exceptions noted.

4. Safeguarding Assets

Control procedure: Access to Dalriada premises is restricted to authorised personnel. Additional restrictions are in place in respect of access to IT areas.

Audit testing: Verified the physical security in place to prevent unauthorised access to the Belfast office and additional restrictions to authorised personnel only for access to the server room. No exceptions noted.

Control procedure: Passwords are used by individual members of staff and laptops/PCs are locked when staff are away from their desks. Only the IT team can set up access to systems and access to scheme data on our administration database.

Audit testing: Reviewed the password policy and change control request process and ensured that users are periodically prompted to change their passwords. No exceptions noted.


Control procedure: Access to Dalriada networks and administration database is restricted to authorised individuals, who gain access with unique logins and passwords that are compliant with industry standards.

Segregation of duties rules for pensions administrators are enforced by security profiles built into the administration system. Profiles are assigned to pensions administrators based on their roles and responsibilities. User access to the systems is reviewed on a regular basis.

Audit testing: ISO auditors carried out a recertification of compliance with ISO27001 in September 2014 and no issues were noted. There is also a monthly review by IT to ensure that only firm employees have access to systems; for example, only firm-issued mobile devices can access Dalriada email. No exceptions noted.

Control procedure: All new staff complete an online data protection training course as part of their induction when they join the Company. Refresher training is given periodically as and when required. Staff sign a security and confidentiality policy, a copy of which is held on their HR record.

Audit testing: Verified that a log of employees' attendance at Data Protection training is maintained and is up to date. All new staff are given data protection training when they join the business and a refresher in Data Protection is provided every three years thereafter. No exceptions noted.

Control procedure: Member and scheme data is stored electronically on our administration database and in SharePoint. Any data/correspondence held in paper form pre-dating the introduction of SharePoint is securely held offsite. Dalriada outsource their off-site storage and archive facilities to a specialist organisation. In the event it is necessary to retrieve paper files, these are scanned to SharePoint and the originals returned to off-site storage.

Audit testing: Verified the storage of data on the administration database and SharePoint and the existence of the SLA in place with the off-site storage company. Dalriada carried out a review of the third party storage company at their premises during the year. No exceptions noted.

Control procedure: All incoming correspondence is scanned using Knowledge Lake software by the business support team. Outgoing mail is created and filed on SharePoint. No paper is retained in the work area and any printed material from the system is securely destroyed.

Audit testing: Verified that a sample of correspondence is scanned and filed in SharePoint and for a sample of outgoing correspondence ensured that there was evidence the correspondence had been peer reviewed prior to being sent out. No exceptions noted.

Private and Confidential 40

CONTROL PROCEDURE AUDIT TESTING

Control procedure: The Business Continuity Plan (“BCP”) sets out the processes and procedures used to counteract interruptions to business activities and to protect critical business processes from the effects of failures or disasters affecting our information and broader IT systems, and to ensure their timely resumption.

Audit testing: Verified that there is a BCP in place and that events triggering the BCP are summarised with findings and recommendations for improvement. Server testing was undertaken during the year and recovery time has now been reduced to less than three hours as a result of backups now being taken to an offsite data centre.

No exceptions noted

Control procedure: Dalriada have obtained ISO27001 (information security) accreditation.

Audit testing: ISO auditors carried out a recertification of compliance with ISO27001 in September 2014 and no issues were noted.

No exceptions noted

Control procedure: When taking on the administration of the trust account, bank forms and required information are sent to the bank along with a copy of the trust deed. The Bank is notified of a change in cheque signatories and appropriate documentation is forwarded to the bank.

Audit testing: Verified for the sample of schemes selected that, for new bank accounts opened, application forms and mandate papers had been obtained with evidence of authorised signature by the trustees. Also verified that the process for updating cheque signatory documentation was secure through review of Board papers.

No exceptions noted

Control procedure: Cheques are banked on the day of receipt unless they are subject to query. Payments are processed on the same day or the next day. Cash movements are recorded on a daily basis on the internal accounting system.

Audit testing: Tested as part of section 2, Authorising and Processing Transactions.

No exceptions noted

Control procedure: Trust account balances are circulated to the administration team and any of the client managers who have requested bi-monthly updates (approximately on the 1st and 15th day of each month). Payments are processed and checked by separate individuals. At least two cheque signatories are required for all payments and are different from the requester, processor and checker.

Audit testing: Tested as part of section 2, Authorising and Processing Transactions.

No exceptions noted

Control procedure: Cheque books are held in a secure location only accessible by staff.

Audit testing: Verified that cheque books are held in a secure location only accessible by staff.

No exceptions noted

Control procedure: Cashflows are carried out in accordance with the Cashflow Procedures and investments or disinvestments are carried out where appropriate. The cashflow administrator ensures that the investment manager processes the investment/disinvestment and that the disinvestment amount requested is received into the scheme bank account.

Audit testing: Verified for a sample of schemes that cashflows are monitored by the cashflow administrator, either monthly or quarterly depending on the scheme, that a cashflow is completed by the scheme administrator and peer reviewed, and that the approval of the Trustee is received before an investment or disinvestment transaction is executed.

No exceptions noted

Control procedure: Scheme expenses are not processed unless authorised by the relevant authoriser on the invoice, by email or on SharePoint. The cashflow administrator also needs to be aware of the payment.

Audit testing: Tested as part of section 2, Authorising and Processing Transactions.

No exceptions noted

5. Monitoring Compliance

Control procedure: The procedures for contributions monitoring are followed. The credit is logged and at the same time processed on the accounting system. Cheques are banked on the same day unless a query arises. A scanned copy of the latest Schedule of Contributions is held on SharePoint. The amounts due are entered on the contributions monitoring spreadsheet and monitored. Any unusual differences are investigated. The contributions monitoring spreadsheet is reviewed on the 15th of each month and any outstanding contributions usually received by that date are followed up. The receipt of outstanding contributions is monitored. Any late contributions are notified to the client manager. They are recorded on the breaches log, which is on the agenda at the quarterly board meetings.

Audit testing: Tested as part of section 2, Authorising and Processing Transactions. For the sample selected, obtained evidence that any late contributions or late signing of accounts had been appropriately recorded in the compliance breaches log and had been brought to the attention of the relevant actuary or trustees.

No exceptions noted

Control procedure: Service level agreements (“SLAs”) are reported to the trustees in Stewardship Reports. The administration team aim to carry out services and tasks accurately and efficiently and to meet SLAs.

Audit testing: Ensured for a sample of schemes that signed SLAs are in place between Dalriada and the schemes selected.

No exceptions noted

Control procedure: A workflow system is in place for all tasks carried out by the administration team. As soon as a task is initiated it is recorded on the workflow system by the administrator (the owner). Each task has an SLA that is clearly defined from when the task begins to when it ends.

Reports can be run off the workflow system so that SLAs and statutory deadlines can be monitored. The administrator and the administration manager monitor each task against the service standards and disclosure deadlines so as to highlight any instances where service standards are being breached. Service standards are always shorter than disclosure deadlines and therefore disclosure breaches should be avoided unless extenuating circumstances arise.

Stewardship reports' contents and frequency are agreed by the scheme trustees. They will contain a report from the workflow system detailing the tasks undertaken during the relevant period and whether the SLAs have been met. This allows the trustees to monitor their performance.

Audit testing: Verified from a sample of workflows that Dalriada have internal reporting deadlines which are shorter than disclosure deadlines, therefore minimising the number of service standards being breached. Also verified a number of tasks appearing in owners' Outlook, highlighting and acting as a reminder of tasks to be completed.

No exceptions noted

Control procedure: Procedures are followed for errors & omissions whereby any transaction errors are notified immediately by the administrator to their line manager and the client manager. Details of the error or omission are entered in the appropriate section of the ‘Regulatory Breaches Log’ and consideration is given to the need for any further action that may be required. All errors and omissions are notified to the board of directors as part of the internal management information reporting process. The client manager will determine if any further action is required and notify the relevant parties to implement it.

Audit testing: We could not test this control as there were no errors recorded during the year.

No exceptions noted

6. Reporting to Clients

Control procedure: A report of members reaching normal retirement date in the next 12 months is produced as part of the stewardship report. Any other movement requiring trustee approval is also recorded and detailed on the stewardship report. Stewardship reports are provided for each scheme as determined by the client manager. The reports contain membership details provided from our administration database and a reconciliation of membership is carried out. They also contain details of any member movements for the period of the report. When the scheme administrator has checked the report it is forwarded to the Trustee as and when required.

Audit testing: Verified for the sample of schemes selected that quarterly stewardship reports are prepared detailing member movements, reconciled to ensure accuracy, and that the report is peer reviewed before being issued in a timely manner.

No exceptions noted

Control procedure: For schemes that have active members a recurring task is set up on the workflow system for pre-renewal schedules to be sent to each client site prior to the renewal date. A checklist is updated throughout the process. Once all the data has been returned the administrator follows the annual renewal checklist and updates members' salary and status data, which is reconciled against the data received from the client. Any discrepancies are investigated and resolved. The renewal is then processed and benefit statements for each active member are produced. All calculations and statements are checked by a senior administrator.

Audit testing: Verified for the sample of schemes selected that bulk members' data updates and ad-hoc individual member updates are reconciled on a regular basis, differences are investigated and resolved, and checklists and annual membership schedules are prepared and peer reviewed before being sent to members.

No exceptions noted

Control procedure: Annual reports and accounts are prepared using the accounts template, which complies with the latest Statement of Recommended Practice (“SORP”) for pension schemes. Any changes to the standard template are logged on a proposed amendments spreadsheet. As part of the drafting process annual reports are peer reviewed by another fund accountant in the team prior to audit. Evidence of peer review is maintained through SharePoint. A report and accounts project is set up to record completion of each task by the statutory deadline. The draft report will be passed to the client manager for review.

Audit testing: Verified that a standard reporting format was in place for the creation of annual reports and accounts and that this format has been updated as a result of the most recent changes to SORP. Verified for a sample of annual reports prepared that they have been checked by a second member of staff to confirm their completeness and accuracy, and signed by both the trustees and auditors within the statutory reporting deadline.

No exceptions noted

Control procedure: Initially a timetable is set for signing within five months. Bi-weekly meetings are scheduled to monitor progress of the report and accounts projects against the statutory deadlines. Following the meeting a report is circulated to the consultancy team.

Procedures are followed for regulatory breaches which set out the statutory deadlines applicable. The administrator and the administration manager monitor tasks on the workflow system to ensure that cases that are approaching the statutory deadline are highlighted and followed up. Where a case approaches the statutory deadline the administrator informs the client manager. Any breach is notified by the administrator to the administration manager, the client manager and the scheme actuary as soon as he/she becomes aware of the breach. Details of any breach are entered in the relevant section of the ‘Regulatory Breaches Log’. All compliance breaches are notified to the board of directors as part of the internal management information reporting process. The client manager should determine if a regulatory report is required.

Audit testing: Verified the existence of procedures for regulatory breaches and obtained a copy of the breaches log for the period. The client manager and actuary were informed of the breaches and they were reported to the board of directors.

No exceptions noted

7. Restricting access to systems and data

Control procedure: The business operates across five office sites: Belfast, Bristol, Glasgow, London and Manchester. The Physical and Environmental Process (Process 11) outlines physical controls: securing offices, rooms and facilities; protecting against external and environmental threats; working in secure areas; public access, delivery and loading areas; equipment security; power supplies; cabling security; equipment maintenance; secure disposal or re-use of equipment; and removal of property.

The primary IT infrastructure resides at a secure, ISO 27001 certified, world class, off-site data centre. A biometric hand entry system is in place and access to the lobby is via a full height turnstile. Photographic ID is required, and data halls are accessed, and lifts controlled, by passcards.

The Disaster Recovery infrastructure is located in office premises and physical access is restricted to authorised keyholders. The on-site server rooms are equipped with air-conditioning systems which are maintained on a regular basis. A system is in place to control the temperature and humidity, and fire extinguishers are located nearby.

The Belfast office is manned by security during office hours and is locked outside office hours. Only staff who require access outside office hours are given keys, as approved and issued by the Business Support team, who maintain a list of key holders. Opening and closing procedures for each location have been issued to all staff and awareness training has been conducted. A key fob is required for entry to the Glasgow office building and so is issued to all staff.

Staff inform the Business Support team if keys or key fobs are lost. Access to the main office is restricted to entry by a keypad code in Belfast and a key fob in Glasgow, which is only provided to staff. Access to storage areas in the Belfast office is restricted to staff in possession of a key fob. Storage facilities in the Glasgow office are locked by individual staff. Other authorised personnel (e.g. temporary staff and cleaners) are issued with key pad codes and key fobs providing access to the main office only but not to restricted areas.

Audit testing: As pension administration activity is largely performed from the Belfast office, our testing was limited to this location. Verified for the Belfast office that access to the office is secure, the office has an alarm system installed and that only authorised business support staff can access the secure documentation room and server room, where a visitors log is completed upon entry and exit.

No exceptions noted

Control procedure: Any visitors are recorded in the visitors’ books and are issued with a pass which contains their name, company, who they are visiting, and the time and date of entry. Passes are returned to reception on leaving.

Windows laptops are configured by an automated build to have password protection, and data encryption is enforced. Encryption for Windows laptops is managed via Active Directory, as the BitLocker key for the internal hard drive synchronises with the Active Directory entry for each Windows laptop on the domain. When MacBooks are set up by IT Support the MacBook is encrypted with FileVault encryption and a password is set for the user, who is then asked to change this during first use.

Access Control Process (Process 9)

Audit testing: Verified that only authorised personnel and the outsourced provider of IT services have access to change passwords via Active Directory.

No exceptions noted

Control procedure: The company enforces a clear desk and clear screen policy. This is enforced through the Security and Confidentiality Policy. Security training and awareness sessions are run periodically for all staff. Any client correspondence or documentation containing client information left on any desk or on the printers at the end of each day is disposed of in the confidential waste. Individual staff members are accountable. An Information Security Focus Group manages all security weaknesses and vulnerabilities and meets quarterly and/or when required to review risks, vulnerabilities, treatment, and corrective and preventive plans. All security events/weaknesses are analysed for root cause, business impact is reviewed and issues are escalated to the Board for further action.

Documentation is either stored electronically on the network or in paper form. Documentation in paper form is stored off-site in a secure storage facility with Doxbond (local to the Belfast office). When there is a need for paper documentation to be stored in the office it is kept in our secure storage areas in accordance with our clear desk policy.

Audit testing: Verified that paper form documentation is held in the secure documentation room in filing cabinets and off-site with the off-site storage company. Reviewed the incident log and internal audit issues log and a sample of minutes from the quarterly Information Security Focus Group meetings, and verified review and ownership assignment for actioning of logged security events/weaknesses. The offsite third party secure storage now covers all offices and an SLA with the provider was signed at the end of 2014.

No exceptions noted

Control procedure: As part of the Human Resources Security Process (Leavers Process, 40), upon termination of employment all access rights are disabled and any IT assets, e.g. laptop, mobile phone, keys or fobs, are returned and codes are changed.

Audit testing: For a sample of leavers during the period being tested, ensured their access rights were disabled and any IT assets returned.

No exceptions noted

Control procedure: All access to computer equipment and systems is protected by passwords. Passwords expire after 42 days and users are prompted to change them. The domain security policy requires that passwords must be complex, at least 15 characters in length and alphanumeric. This is detailed in the company’s Security and Confidentiality Policy for staff and backed up by the Access Control Process (Process 9).

All data must be stored on the corporate network and no data is permitted to be stored locally on laptops. Access to data stored on the network is restricted using appropriate permissions. Functional groups of users are maintained, each with appropriate levels of access permissions based upon their job function. Only the outsourced IT provider and the authorised IT Technician can amend an individual’s permissions. Access rights are reviewed and amended as necessary, i.e. when roles change or new members of staff join the company. Details of the restrictions in place on the network are documented. Most of the application software used is not restricted to authorised individuals; however, some applications that are specific to a job function, for example cash management, pension administration, etc., are restricted to only those who have the associated privilege. User access is approved by line managers and actioned by the IT Technician or outsourced IT provider. (Access Control Process 9)

Audit testing: Reviewed the password policy and change control request process and ensured that users are periodically prompted to change their passwords.

No exceptions noted

Audit testing: Verified for a sample of new joiners and changes in roles that the line manager authorises the access rights of individual users before the outsourced IT provider or IT manager adds or amends an individual’s permissions.

No exceptions noted

8. Providing integrity and resilience to the information processing environment, commensurate with the value of the information held, information processing performed and external threats.

Control procedure: Access to the administration system is controlled by Windows authentication or two factor authentication on the relevant web browser. Segregation of duties and rules are enforced by security profiles built into the administration system. Profiles are assigned to authorised individuals and aligned to their roles and responsibilities. Associated with each administrator is a security profile which determines the schemes to which they have access, the functionality they can access, the member records they can access, and whether they are permitted to amend data or view data only.

The audit trail facility records changes made to the data, including who made the changes and when, providing integrity and resilience to the information processing environment, commensurate with the value of the information held, information processing performed and external threats.

Audit testing: Confirmed that there is segregation of duties built into the roles of administrators and that only administrators have access to the administration database. Verified for examples during the period the existence of audit trails showing the changes made to data, by whom and when, and that SharePoint retains previous versions of the data.

No exceptions noted

Control procedure: All IT processing is carried out on laptops and desktop PCs in real time.

Audit testing: Verified that the pension administration system has built-in audit functionality and that all changes to data are recorded. Key stages of processing are evidenced on a log with staff sign-offs and date of processing.

No exceptions noted

Control procedure: OneShot and SecureShare are used as the electronic means of communication in the business. SecureShare is a bespoke platform for storing and transferring information. All communications are securely encrypted with industry standard encryption and the system uses two-factor authentication for an additional layer of security. The application has successfully passed a rigorous third party security audit and penetration test.

Any document that includes member specific information is sent to the recipient via our OneShot system, where possible.

Audit testing: Verified for a sample of external communications that data sent is password protected and peer reviewed before being sent and is followed up by a phone call to the recipient with the password.

No exceptions noted

Control procedure: All external access to the network is outsourced to ISO 27001 accredited IT experts Novosco Limited. Remote access set-up is authorised by the IT Technician and connections can only be made through Citrix Secure Desktop software. The company deploys a physical firewall (FortiGate) to control port access both in and out of the business. Firewalls are deployed at the perimeter of the network to protect the internal devices and also to control and protect outgoing traffic. All email traffic is routed by a third party, Mimecast, who filter out any email threats, i.e. viruses/spyware and inappropriate content. Inappropriate content also triggers a rules-based alerting system that keeps staff members aware of any trends requiring action. Trend Anti-Virus software is installed on all servers, desktops and laptops and is designed to keep users safe from viruses and other forms of online malicious threats. The deployment of Trend, including updates, is centrally controlled and monitored by Novosco Limited.

Audit testing: Verified the existence of firewalls and anti-virus applications in place and confirmed protection is up to date. A third party company, IT Guarded, carried out IT security testing during the year. The administrator provided evidence that protection is up to date, showing us software automatically scanning and updating servers, desktops and laptops.

No exceptions noted

9. Maintaining and developing systems hardware and software

Control procedure: Our pension administration technologies have not required migration or modification of data in recent years. Any such process would follow our change management procedures as described in Maintaining and developing systems hardware and software. For new scheme implementations please refer to Accepting clients. For periodic and ad-hoc data loads please refer to Maintaining financial and other records.

Audit testing: Verified the existence of the Operational Change Control procedure. For a sample of projects that were undertaken during the period, for example the changeover to the offsite server, verified that the Operational Change Control procedure was followed.

No exceptions noted

Control procedure: Any changes to existing, or the implementation of new, infrastructure and systems follow the Operational Change Control process outlined in Operations Security (Process 12). Changes are classified as follows:

Major Change

Minor Change

Audit testing: Verified the existence of the Operational Change Control procedure. For a sample of projects that were undertaken during the period verified that the Operational Change Control procedure was followed, with authorisation by the IT sub-committee or the Board depending on how material the project was.

No exceptions noted

Major Change examples include:

Server OS upgrade/security patch

Server hardware upgrade/replacement

Implementation of new software package

Changes to system or network security

Changes to web site functionality or additional modules

Project specific around infrastructure improvements

A major change will typically be a planned implementation and this will be discussed at Managed Service reviews with Novosco or ad hoc as required. When a major change is required business impact is reviewed and formal sign-off and authorisation is required. (Operations Security Process 12)

Dalriada has also adopted an effective Information System Acquisition, Development, and Maintenance process (Process 14).

Controls are in place to ensure the installation and upgrading of operational software on each operating system. In addition, user profiles are employed to ensure that Novosco are the only authorised individuals that can perform installations or upgrades. Any maintenance is performed by authorised representatives from the corresponding software/support company and is pre-arranged. Notice is given to staff members of any downtime to the network that is required for the maintenance of software.

Any software upgrades are performed only if there is a requirement to do so, or suitably long enough after the release to ensure any bugs or vulnerabilities have been ironed out. If new software potentially introduces any element of risk, then the risk will be assessed and its advantages of functionality will be subject to continued monitoring and/or isolated.

Windows updates are rolled out periodically to all computers on the network. Development of systems is facilitated by an appropriate rollback strategy.

Audit testing: Reviewed the Information Security Aspects of Business Continuity Management process (Process 17) document and ensured that, for examples of changes or upgrades to operational software, there was evidence of risk assessment and authorisation prior to commencement.

No exceptions noted

Control procedure: The pension database team is responsible for data migration projects. A scheme installation checklist is completed which follows the key stages of the migration. Logs are maintained of all issues along with details of their resolution. The results of sample data checks and the reconciliation are reviewed by the pension database team manager to ensure procedures have been followed.

Audit testing: Verified for a sample of data migration projects that a checklist is maintained, risk assessment and mitigation of risks are performed, data is reconciled to source, sign-offs are evidenced and an issue log is completed with actions taken to close.

No exceptions noted

10. Recovering from processing interruptions

Control procedure: Dalriada works securely within a virtual environment. In the event of the failure of a server, functionality is temporarily transferred to other servers via automated dynamic resource allocation processes, minimising interruption to business operations. The IT infrastructure facilitates the continuation of business operations from any location in the event of multiple disaster scenarios.

Dalriada has engaged with Novosco on a Managed Service contract which covers the maintenance of equipment (hardware and software) which resides in the datacentre and in the secondary Disaster Recovery (“DR”) site. As part of the Managed Service contract Novosco manage and maintain a DR solution which utilises two separate technologies to offer multiple recovery opportunities dependent on failure types.

Backup and Restore Technology

Veeam Backup and Replication technology is in use, a “virtual only” backup solution which runs on a daily basis and enables multiple restore options:

Full VM Restore

File Level Restore

Guest OS Level Restore

Veeam technology backs up to a disk based SAN VNX3200 target in the primary data centre. Both hardware and software provide local backup whilst at the same time providing a faster and more reliable recovery time in the event of a major incident.

Audit testing: Verified the use of Veeam Backup and for a sample ensured daily backups had been completed.

No exceptions noted

Veeam would most likely be used in a scenario where data corruption has occurred, with the solution resulting in a roll back to a previous backup. Backups consist of any changes to the system, files and folders. Veeam is a data deduplication technology, which significantly reduces backup windows by only storing unique daily changes while always maintaining daily full backups for immediate single step restore. Reports are delivered on a daily basis via email to IT staff as verification of all backup jobs. Pro-active reports are also received via email on a weekly and monthly basis on network and storage integrity.

All data is saved to a SAN with RAID disk systems (typically RAID 5) which significantly reduces the risk of loss of data through media failure.

Replication and Recovery Technology

Dalriada have invested in Zerto Replication technology, a VMware vSphere aware technology which enables automated data recovery, failover and failback of full or partial infrastructures dependent on the failure type and recovery need. Zerto’s VMware Replication is enterprise class software which replaces traditional array based replication, therefore providing flexibility, scalability and ease of use without compromising any of the features and functionality required for protecting mission-critical production applications.

Zerto management servers are installed in both primary and secondary infrastructure locations. The virtual estate is divided into Virtual Protection Groups (“VPGs”) and these groups of virtual machines are replicated from the data centre to the DR site using a process of continuous data protection (“CDP”) or journaling.

In a primary infrastructure failure scenario, Novosco will use the Zerto recovery capability to recover all virtual machines into the DR infrastructure with Recovery Point Objectives (“RPO”) of under 60-120 seconds per server and Recovery Time Objectives (“RTO”) of under 3 hours for the entire virtual estate. As part of the annual Managed Service Contract Novosco test the recovery to an isolated virtual network on a quarterly basis.

The Business Continuity Plan (“BCP”) details

processes to enable recovery from loss of information

assets (which may be the result of, for example,

natural disasters, accidents, equipment failures, and

deliberate actions) and to minimise the impact of

incidents to an acceptable level through a

combination of preventive and recovery controls.

The critical business processes and information

security management requirements of business

(operations, Dalriada third party resourcing,

information / data hard copy and facilities) have also

been included.

The BCP provides a framework for responses to

specific areas of vulnerability and threat in the event

of incidents of catastrophic failure as well as other

unforeseen events.

Our BCP Team is ultimately responsible for designing

and maintaining the BCP, which is managed and

implemented by the BCP Manager and a deputy. A

command structure is in place to manage an incident.

We have adopted the Gold/Silver command structure,

as widely used elsewhere in contingency planning.

This ensures an effective division of duty between

command and control and operational recovery

responsibilities. Key Dalriada third party resources are

included in this command structure (Business

Continuity Management Process (Process 17);

Business Continuity Plan, Dalriada BCP Testing

Schedule and results 2011 to 2015)

Hard copies of the BCP and supporting documents are

held securely and confidentially off site by the BCP

Manager and Gold team members.

The BCP and supporting documents for the

Information Security Management System are in line

with ISO 27001 framework and guidelines taken from

the BS25999 part 2 Business Continuity Management

Standard.

All plans are based around a recovery point, time and

capacity objectives that have been agreed with the

business.

Maintenance of the plans is controlled as part of the

evaluation of each disaster recovery event.

Verified that there is a BCP in place. Gold

and Silver team members changed during

the period and the BCP was updated.

There were no incidents during the period,

however a 48 hour test of the BCP was

carried out.

No exceptions noted


CONTROL PROCEDURE AUDIT TESTING

Dalriada outsources the provision of IT services to Novosco Limited. Documented service level agreements are in place. Novosco operates a helpdesk and calls are logged and assigned unique reference numbers. The IT Technician can access the helpdesk logging system and monitors the progress of all calls raised. (Organisation of Information Security Process 6)

Dalriada works securely within a virtual environment. In the event of the failure of a server, functionality is temporarily transferred to other servers via automated dynamic resource allocation processes, minimising interruption to business operations. The IT infrastructure facilitates the continuation of business operations from any location in the event of multiple disaster scenarios.

As part of the Managed Service contract, Novosco manage and maintain a DR solution which utilises two separate technologies to offer multiple recovery opportunities dependent on failure types.

Verified that a signed SLA is in place between Spence & Partners and Novosco Limited, with an intercompany agreement between Spence & Partners and Dalriada to provide Dalriada with IT services. Reviewed a sample of daily and weekly backup reports and monthly helpdesk call logs.

No exceptions noted

11. Monitoring compliance

Dalriada outsource the provision of IT services to Novosco Limited. Documented service level agreements are in place, covered by appropriate contracts and monitored by the directors. Regular governance and service review meetings are held, along with 3rd party audits conducted on a regular basis. Dalriada also employ 3rd party penetration and security experts IT Guarded to audit the network infrastructure annually. (Process 6 Organisation of Information Security and Process 10 Cryptography)

Verified that quarterly governance and service review meetings are held with Novosco Limited by review of minutes of meetings, and that a signed SLA is in place between Spence & Partners and Novosco with an intercompany agreement between Spence & Partners and Dalriada to provide Dalriada with IT services.

No exceptions noted


Appendix 1 Letter of Engagement

A full list of Partners of RSM Northern Ireland is available at www.rsmni.uk

Registered to carry on audit work by the Institute of Chartered Accountants in Ireland. Authorised by the Institute of Chartered Accountants in Ireland (ICAI) to carry on investment business in Ireland. Chartered Accountants Ireland is the operating name of ICAI. RSM Northern Ireland is a member of the RSM network and trades as RSM. RSM is the trading name used by the members of the RSM network. Each member of the RSM network is an independent accounting and consulting firm which practices in its own right. The RSM network is not itself a separate legal entity in any jurisdiction.

The Directors

Dalriada Trustees Limited

Chamber of Commerce House

22 Great Victoria Street

Belfast

BT2 7BA

18th January 2016

Our ref: DAL1185/DSW/IM

To the Directors of Dalriada Trustees Limited Engagement Letter for Reporting Accountants

Dear Sirs

The purpose of this letter is to set out the basis on which we act as reporting accountants of the company and the respective areas of responsibility of the directors and of ourselves.

1. Responsibilities of directors

The Directors of the above company to which our report is to be provided (‘the Organisation’) are and shall be responsible for the design, implementation and operation of control procedures that provide an adequate level of control over clients’ assets and related transactions. The Directors’ responsibilities are and shall include:

acceptance of responsibility for internal controls;

evaluation of the effectiveness of the service organisation’s control procedures using suitable criteria;

supporting their evaluation with sufficient evidence, including documentation; and

providing a written report (‘Directors’ Report’) of the effectiveness of the service organisation’s internal controls for the relevant financial period.

In drafting this report the Directors have regard to, as a minimum, the criteria specified within the Technical Release AAF 01/06 issued by the Institute of Chartered Accountants in England and Wales (‘the Institute’) but they may add to these to the extent that this is considered appropriate in order to meet clients’ expectations.

2. Responsibilities of reporting accountants

It is our responsibility to form an independent conclusion, based on the work carried out in relation to the control procedures of the Organisation’s administration, accounting and information technology functions carried out at the Belfast business unit of the Organisation as described in the Directors’ report and report this to the Directors.

3. Scope of the reporting accountants’ work

We conduct our work in accordance with the procedures set out in AAF 01/06 issued by the Institute. Our work will include enquiries of management, together with tests of certain specific control procedures which will be set out in an appendix to our report. In reaching our conclusion, the criteria against which the control procedures are to be evaluated are the internal control objectives developed for service organisations as set out within the AAF 01/06 issued by the Institute. Any work already performed in connection with this engagement before the date of this letter will also be governed by the terms and conditions of this letter. We may seek written representations from the Directors in relation to matters on which independent corroboration is not available. We shall seek confirmation from the Directors that any significant matters of which we should be aware have been brought to our attention.

4. Inherent limitations

The Directors acknowledge that control procedures designed to address specified control objectives are subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Such procedures cannot guarantee protection against fraudulent collusion especially on the part of those holding positions of authority or trust. Furthermore, the opinion set out in our report will be based on historical information and the projection of any information or conclusions in our report to any future periods will be inappropriate.

5. Use of our report

Our report will, subject to the permitted disclosures set out in this letter, be made solely for the use of the Directors of the Organisation, and solely for the purpose of reporting on the internal controls of the Organisation, in accordance with these terms of our engagement. Our work will be undertaken so that we might report to the Directors those matters that we have agreed to state to them in our report and for no other purpose. Our report will be issued on the basis that it must not be recited or referred to or disclosed, in whole or in part, in any other document or to any other party, without the express prior written permission of the reporting accountants. We permit the disclosure of our report, in full only, to customers of the Organisation using the Organisation’s pension trustee services (‘customers’), and to the auditors of such customers, to enable customers and their auditors to verify that a report by reporting accountants has been commissioned by the Directors of the Organisation and issued in connection with the internal controls of the Organisation without assuming or accepting any responsibility or liability to them on our part. To the fullest extent permitted by law, we do not and will not accept or assume responsibility to anyone other than the Directors as a body and the Organisation for our work, for our report or for the opinions we will have formed.

6. Liability provisions

We will perform the engagement with reasonable skill and care and acknowledge that we will be liable to the Directors as a body and the Organisation for losses, damages, costs or expenses (‘losses’) suffered by the Directors as a body and the Organisation as a result of our breach of contract, negligence, fraud or other deliberate breach of duty. Our liability shall be subject to the following provisions:

We will not be so liable if such losses are due to the provision of false, misleading or incomplete information or documentation or due to the acts or omissions of any person other than us, except where, on the basis of the enquiries normally undertaken by us within the scope set out in these terms of engagement, it would have been reasonable for us to discover such defects;

We accept liability without limit for the consequences of our own fraud or other deliberate breach of duty and for any other liability which it is not permitted by law to limit or exclude;

Subject to the previous provisions of this Liability paragraph, our total aggregate liability whether in contract, tort (including negligence) or otherwise, to the Directors as a body and the Organisation, arising from or in connection with the work which is the subject of these terms (including any addition or variation to the work), shall not exceed three times the relevant engagement fee.

To the fullest extent permitted by law, the Organisation agrees to indemnify and hold harmless RSM Northern Ireland and its partners and staff against all actions, proceedings and claims brought or threatened against RSM Northern Ireland or against any of its partners and staff by any persons other than the Directors as a body and the Organisation, and all loss, damage and expense (including legal expenses) relating thereto, where any such action, proceeding or claim in any way relates to or concerns or is connected with any of RSM Northern Ireland work under this engagement letter. The Directors as a body and the Organisation agree that they will not bring any claims or proceedings against any of our individual partners, members, directors or employees. This clause is intended to benefit such partners, members, directors and employees who may enforce this clause pursuant to the Contracts (Rights of Third Parties) Act 1999 (‘the Act’). Notwithstanding any benefits or rights conferred by this agreement on such partners, members, directors or employees by virtue of the Act, we and the Directors as a body may together agree in writing to vary or rescind the agreement set out in this letter without the consent of any such partners, members, directors or employees. This engagement is separate from, and unrelated to, our audit work on the financial statements of the Organisation for the purposes of the Companies Act 1985 (or its successor) or other legislation and nothing herein creates obligations or liabilities regarding our statutory audit work, which would not otherwise exist.

7. Quality of service

We aim to provide you with a fully satisfactory service and David Watters as engagement partner will seek to ensure that this is so. If, however, you are unable to deal with any difficulty through him and his team please contact David Gray. We undertake to look into any complaint carefully and promptly and to do all we can to explain the position to you. If we do not answer your complaint to your satisfaction you may of course take up the matter with the Institute of Chartered Accountants in Ireland by whom we are regulated for audit purposes.

8. Agreement of terms

We shall be grateful if you could confirm in writing your agreement to these terms by signing and returning the enclosed copy of this letter, or let us know if they are not in accordance with your understanding of our terms of engagement.

Yours faithfully

RSM

We agree to the terms of this letter and the additional terms and conditions

____________________________________________________________________________________

Signed for and on behalf of Dalriada Trustees Limited

Name: ______________________________________________

Position: ______________________________________________

Date: ______________________________________________

RSM Northern Ireland

STANDARD TERMS AND CONDITIONS OF BUSINESS

Standard T&C (NI)

These additional terms and conditions of engagement should be read together with the accompanying letter from RSM which identifies the engagement to which they relate (the engagement letter).

1. Applicable Law

These engagement documents, the schedule of services and our standard terms and conditions of business are governed by, and should be construed in accordance with Northern Ireland law. Each party agrees that the courts of Northern Ireland will have exclusive jurisdiction in relation to any claim, dispute or difference concerning this engagement letter and any matter arising from it. Each party irrevocably waives any right to object to any action being brought in those Courts, to claim that the action has been brought in an inappropriate forum, or to claim that those Courts do not have jurisdiction.

2. Our Responsibilities

We will provide the services described in our engagement letter (or such variations as may subsequently be agreed between us) with reasonable skill and care in accordance with the professional standards expected of us, and in a timely manner. The nature of any advice we provide will necessarily depend on the amount and accuracy of information provided to us and the time scale within which the advice is required. If general advice is required, the applicability of this will depend on the particular circumstances in which it is to be used by you (of which we might not be aware) and should be viewed accordingly. In relation to any particular transaction, specific advice should always be sought and all material information provided to us. If, at your request, we provide our advice in an abbreviated format (i.e. other than a full written report), you acknowledge that you may not receive all the information you would otherwise have done. Whilst our reports and advice may be a factor to be taken into account when deciding whether or not to proceed with a particular course of action, you remain responsible for any commercial decisions that you make, and regard must be had to the restrictions on the scope of our work and to the large number of other factors, commercial and otherwise, of which you and your other advisers are, or should be, aware by means other than our work.

3. Your Responsibilities

In relation to all our work for you it is the responsibility of the Dalriada Trustees Limited staff to provide us with complete, accurate and timely information where we have requested this and to carry out any other obligations ascribed to the Dalriada Trustees Limited. We will not be responsible for any consequences which may arise from any delay or failure by Dalriada Trustees Limited to do so and these may also result in additional fees for which invoices will be raised.

4. Money Laundering

As with other professional services firms, we are required to identify our clients for the purposes of the UK anti-money laundering legislation. We may request from you, and retain, such information and documentation as we require for these purposes and/or make searches of appropriate databases. If we are not able to obtain satisfactory evidence of your identity within a reasonable time, there may be circumstances in which we are not able to proceed with the appointment. We have a duty under s330 of the Proceeds of Crime Act 2002 (“POCA”) to report to the Serious Organised Crime Agency (“SOCA”) if we know, or have reasonable cause to suspect, that you, or anyone connected with your business, are or have been involved in money laundering. Failure on our part to make a report where we have knowledge or reasonable grounds for suspicion would constitute a criminal offence.


The offence of money laundering is defined by s340(11) of the POCA and includes concealing, converting, using or possessing the benefits of any activity that constitutes a criminal offence in the UK. It also includes involvement in any arrangement that facilitates the acquisition, retention, use or control of such a benefit. This definition is very wide and would include such crimes as:

deliberate tax evasion (for example through deliberate understatement of income or stocks or overstatement of expenses);

deliberate failure to inform the tax authorities of known underpayments or excessive repayments;

fraudulent claiming of benefits or grants; or

obtaining a contract through bribery. We are obliged by law to report any instances of money laundering to SOCA without your knowledge or consent. In fact we may commit the criminal offence of tipping off under s333 of the POCA if we were to inform you that a report had been made. In consequence, neither the firm’s principals nor staff may enter into any correspondence or discussions with you regarding such matters. We are not required to undertake work for the sole purpose of identifying suspicions of money laundering. We shall fulfil our obligations under the POCA in accordance with the guidance published by the Consultative Committee of Accountancy Bodies.

5. The Bribery Act 2010

We are subject to the Bribery Act 2010 and therefore prohibited from receiving or making any payment of money or anything of value, directly or indirectly to any private individual or corporate body, any government official, political party, or candidate for political office for the purpose of obtaining or retaining business. We have a zero tolerance of bribery and corruption. This policy extends to all the firm’s business dealings and transactions in all the countries in which we operate. This policy is backed up by the existence of procedures that are proportionate to the risk of bribery faced by the firm. Procedures are monitored and revised as necessary to capture changes in law, reputation demands and changes in the business.

6. Client Money

We may, from time to time, hold money on your behalf. Such money will be held in trust in a client bank account, which is segregated from the firm’s funds. The account will be operated, and all funds dealt with, in accordance with the Clients’ Money Regulations of the Institute of Chartered Accountants in Ireland.

In order to avoid an excessive amount of administration, interest will only be paid to you where the amount of interest that would be earned on the balances held on your behalf in any calendar year exceeds £25. Any such interest would be calculated using the prevailing rate applied by the Bank of Ireland for small deposits subject to the minimum period of notice for withdrawals. Subject to any tax legislation, interest will be paid gross.

If the total sum of money held on your behalf exceeds £10,000 for a period of more than 30 days, or such sum is likely to be held for more than 30 days, then the money will be placed in a separate interest-bearing client bank account designated to you. All interest earned on such money will be paid to you. Subject to any tax legislation, interest will be paid gross.


7. Commissions and Other Benefits

In some circumstances we may receive commissions or other benefits for introductions to other professionals in respect of transactions which we arrange for you. Where this happens we will notify you in writing of the amount and terms of payment and receipt of any such commissions or benefits. We will not be liable to pay you any such commission paid to us but we may take it into account in determining our fee. The provisions of the preceding paragraph will not apply to any referrals within the RSM International network.

8. Confidentiality

Communication between us is confidential and we shall take all reasonable steps to keep confidential your information except where we are required to disclose it by law, regulatory bodies, our insurers or as part of an external peer review. Unless we are authorised by you to disclose information on your behalf this undertaking will apply during and after this engagement.

We reserve the right, for the purpose of promotional activity, training or for other business purpose, to mention that you are a client. As stated above we will not disclose any confidential information.

9. Investment Advice (Including Insurance Mediation Services)

Investment business is regulated under the Financial Services and Markets Act 2000. If, during the provision of professional services to you, you need advice on investments, including insurances, we may have to refer you to someone who is authorised by the Financial Services Authority or licensed by a designated Professional Body as we are not.

10. Conflicts of Interest

We will inform you if we become aware of any conflict of interest in our relationship with you or in our relationship with you and another client, which, in our opinion cannot be managed. Where conflicts are identified which cannot be managed in a way that protects your interest then we regret that we will be unable to provide further services.

If there is a conflict of interest that is capable of being addressed successfully by the adoption of suitable safeguards to protect your interests then we will adopt those safeguards. We reserve the right to act for other clients whose interests are not the same as or are adverse to yours subject of course to the obligations of confidentiality referred to above.

11. Data Protection

In providing the Services to you or otherwise in connection with the Services, we may need to collect, hold and use information (e.g. contact details) about identifiable individuals (“Data Subjects”). We may also use such information as part of our client account opening and general administration process (e.g. in order to carry out anti-money laundering and conflict checks). Should your officers or employees enquire, please inform them that we may hold information relating to them for these purposes. In providing some of the Services to you we may be processing information about Data Subjects on your behalf and thus act as a “Data Processor” for the purposes of the Data Protection Act 1998. In these circumstances, we will (i) only process personal data in accordance with your lawful and reasonable instructions; and (ii) comply with security obligations equivalent to those imposed on you, as Data Controller, by the seventh principle of that Act.


The eighth data protection principle provides that personal data shall not be transferred to a country or territory outside the European Economic Area (“EEA”) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The firm may from time to time use cloud based data sharing, for example Drop Box, and cloud based accounting software where servers are located outside of the EEA. In accordance with ICO guidelines, RSM may transfer personal data outside the EEA, provided we:

conduct a risk assessment into whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects; or

if you do not find there is an adequate level of protection, put in place adequate safeguards to protect the rights of the data subjects, possibly using Model Contract Clauses or Binding Corporate Rules; or

consider using one of the other statutory exceptions to the Eighth Principle restriction on international transfers of personal data.

The Information Commissioner has approved the following sets of model contract clauses, which we would draw to your attention.

Set I controller-controller (2001, controller to controller): Commission Decision 2001/497/EC, dated 15 June 2001, in which the Commission approved model clauses for transfers from data controllers in the EEA to data controllers outside the EEA. Authorised by the Information Commissioner on 21st December 2001.

Set I controller-processor: Commission Decision 2002/16/EC, dated 27 December 2001, in which the Commission approved model clauses for transfers from data controllers in the EEA to data processors outside the EEA. Authorised by the Information Commissioner on 18th March 2003. (Note: this set is no longer available for new users but continues to have effect in relation to arrangements put in place prior to 15th May 2010.)

Set II controller-controller (2004, controller to controller): Commission Decision 2004/915/EC, dated 27 December 2004, in which the Commission approved an alternative set of model clauses for transfers from data controllers in the EEA to data controllers outside the EEA. Authorised by the Information Commissioner on 27th May 2005.

Set II controller-processor (2010, controller to processor): Commission Decision 2010/87/EU, dated 5th February 2010, in which the Commission approved a new set of model clauses for transfers from data controllers in the EEA to data processors outside the EEA to replace the Set I controller to processor clauses. Authorised by the Information Commissioner on 17th May 2010.

By using these clauses in our terms and conditions, and subsequent contract with you, we will not have to make an assessment of the adequacy of protection afforded to your rights as the data subject in connection with our transfer of your personal data.


12. Disengagement

Should we resign or be requested to resign we will normally communicate with you in writing to ensure that our respective responsibilities are clear.

Should we have no contact with you for a period of 18 months or more we may write to your last known address and hence cease to act.

13. Electronic and Other Communication

Unless you instruct otherwise we may, where appropriate, communicate with you and with third parties via e-mail or other electronic means. The recipient is responsible for virus checking e-mails and any attachments. With electronic communication there is a risk of non-receipt, delayed receipt, inadvertent misdirection or interception by third parties. We use virus-scanning software to reduce the risk of viruses and similar damaging items being transmitted through e-mails or electronic storage devices. However, electronic communication is not totally secure and we cannot be held responsible for damage or loss caused by viruses or changes made to communications which are corrupted or altered after dispatch. Nor can we accept any liability for problems or accidental errors relating to this means of communication, especially in relation to commercially sensitive material. These are risks you must bear in return for greater efficiency and lower costs. If you do not wish to accept these risks please let us know and we will communicate by paper mail, other than where electronic submission is mandatory. Any communication by us with you sent through the post or fax system is deemed to arrive at your postal address two working days after the day that the document was sent. Unless specifically agreed, any communication sent by post within the United Kingdom will be sent Royal Mail standard second class. As this method of delivery is not totally secure or reliable, we cannot be held responsible for damage or loss caused after we have dispatched the item and it has entered the Royal Mail system.

14. External Review

As a firm of Registered Auditors, we are subject to external review by independent qualified accountants. In addition, we are subject to internal review under quality assurance requirements of RSM International, of which we are a member firm. Accordingly our client files may be reviewed by an external inspector who will be subject to a confidentiality agreement.

15. Fees and Payment Terms

Our fees are computed on the basis of the time spent on your affairs by the partners and our staff and on the levels of skill and responsibility involved. Unless otherwise agreed, our fees will be billed at appropriate intervals during the course of each assignment and will be due on presentation.

If it is necessary to carry out work outside the responsibilities outlined in this letter it will involve additional fees. Accordingly we would like to point out that it is in your interests to ensure that your records etc., are completed to the agreed stage. If we provide you with an estimate of our fees for any specific work, then the estimate will not be contractually binding unless we explicitly state that that will be the case.


Where requested we may indicate a fixed fee for the provision of specific services or an indicative range of fees for a particular assignment. It is not our practice to identify fixed fees for more than a year ahead as such fees quoted need to be reviewed in the light of events. If it becomes apparent to us, due to unforeseen circumstances that a fee quote is inadequate, we reserve the right to notify you of a revised figure or range and seek your agreement thereto. In some cases, you may be entitled to assistance with your professional fees; particularly in relation to any investigation into your tax affairs by HMRC. Assistance may be provided through policies you hold or via membership of a professional or trade body. Other than where such insurance was arranged through us you will need to advise us of any such insurance cover that you have. You will remain liable for our fees regardless of whether all or part are liable to be paid by your insurers.

Invoices are payable in full before the accounts are signed and made available for filing. Our fees are exclusive of VAT which will be added where it is chargeable. Any disbursements we incur on your behalf and expenses incurred in the course of carrying out our work for you will be added to our invoices where appropriate.

Unless otherwise agreed to the contrary our fees do not include the costs of any third party, counsel or other professional fees.

It is our normal practice to issue interim fees when dealing with continuous or recurring work. The payment terms for interim fees are the same as for invoiced fees.

We reserve the right to charge interest on late paid invoices at the rate of 3% above bank base rates under the Late Payment of Commercial Debts (Interest) Act 1998. We also reserve the right to suspend our services or to cease to act for you on giving written notice if payment of any fees is unduly delayed. We intend to exercise these rights only where it is fair and reasonable to do so.

If you do not accept that an invoiced fee is fair and reasonable you must notify us in writing, within 21 days of receipt, failing which you will be deemed to have accepted that payment is due.

If a client company, trust or other entity is unable or unwilling to settle our fees we reserve the right to seek payment from the individual (or parent company) giving us instructions on behalf of the client and you agree that we shall be entitled to enforce any sums due against the Group Company or individual nominated to act for you.

In the event that we cease to act as your auditors, we reserve the right to recover the actual costs of providing access to the information we hold in respect of the audit work we have carried out to an eventual successor auditor.

16. Implementation

We will only assist with implementation of our advice if specifically instructed and agreed in writing.

17. Intellectual Property Rights

We will retain all copyright in any document prepared by us during the course of carrying out the engagement save where the law specifically provides otherwise.


18. Interpretation

If any provision of the engagement letter or these terms and conditions is held to be void, then that provision will be deemed not to form part of this contract.

In the event of any conflict between these terms of business and the engagement letter, the relevant provision in the engagement letter or schedules will take precedence.

19. Internal Disputes Within a Client

If we become aware of a dispute between two parties who own or are in some way involved in the ownership and management of the business, it should be noted that our client is the business and we would not provide information or services to one party without the express knowledge and permission of all parties. Unless otherwise agreed by all parties we will continue to supply information to the normal place of business for the attention of the directors. If conflicting advice, information or instructions are received from different directors/principals in the business we will refer the matter back to the board of directors/partnership and take no further action until the board/partnership has agreed the action to be taken.

20. Lien

Insofar as we are permitted to do so by law or professional guidelines, we reserve the right to exercise a lien over all funds, documents and records in our possession relating to all engagements for you until all outstanding fees and disbursements are paid in full.

21. Limitation of Liability

We will provide our services with reasonable care and skill. Our liability to you is limited to losses, damages, and expenses caused by our negligence or wilful default.

Exclusion of liability for loss caused by others

We will not be liable if such losses, penalties, surcharges, interest or additional tax liabilities are due to the acts or omissions of any other person or due to the provision to us of incomplete, misleading or false information or they are due to a failure to act on our advice or a failure to provide us with relevant information.

Exclusion of liability in relation to circumstance beyond our control

We will not be liable to you for any delay or failure to perform our obligations under this engagement letter if the delay or failure is caused by circumstances outside our reasonable control.

Exclusion of liability relating to the discovery of fraud etc

We will not be responsible or liable for any loss, damage or expenses incurred or sustained if information material to the service we are providing is withheld or concealed from us or misrepresented to us. This applies equally to fraudulent acts, misrepresentation or wilful default on the part of any party to the transaction and their directors, officers, employees, agents or advisers.

This exclusion shall not apply where such misrepresentation, withholding or concealment is or should (in carrying out the procedures which we have agreed to perform with reasonable care and skill) have been evident to us without further enquiry.


Indemnity for unauthorised disclosure

You agree to indemnify us and our agents in respect of any claim (including any claim for negligence) arising out of any unauthorised disclosure by you or by any person for whom you are responsible of our advice and opinions, whether in writing or otherwise. This indemnity will extend to the cost of defending any such claim, including payment at our usual rates for the time that we spend in defending it.

Limitation of aggregate liability

We will perform the engagement with reasonable skill and care. The total aggregate liability to the Partnership and the Partners, as a body, of whatever nature, whether in contract, tort or otherwise, of RSM Northern Ireland for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall not exceed three times the relevant engagement fee.

22. Limitation of Third Party Rights

The advice and information we provide to you as part of our service is for your sole use and not for any third party to whom you may communicate it unless we have expressly agreed in the engagement letter that a specified third party may rely on our work. We accept no responsibility to third parties, including any group company to whom the engagement letter is not addressed, for any advice, information or material produced as part of our work for you which you make available to them. A party to this agreement is the only person who has the right under the Contracts (Rights of Third Parties) Act 1999 to enforce any of its terms.

23. Period of Engagement and Termination

The terms set out in this letter shall take effect immediately upon your countersigning this letter and returning it to us or upon the commencement of the audit, accounts or tax return for the previous period, whichever is the earlier.

Each of us may terminate this agreement by giving not less than 21 days' notice in writing to the other party, except where you fail to cooperate with us or we have reason to believe that you have provided us or HMRC with misleading information, in which case we may terminate this agreement immediately. Termination will be without prejudice to any rights that may have accrued to either of us prior to termination.

In the event of termination of this contract, we will endeavour to agree with you the arrangements for the completion of work in progress at that time, unless we are required for legal or regulatory reasons to cease work immediately. In that event, we shall not be required to carry out further work and shall not be responsible or liable for any consequences arising from termination.

24. Professional Rules and Statutory Obligations

We will observe and act in accordance with the bye-laws, regulations and ethical guidelines of the Institute of Chartered Accountants in Ireland and will accept instructions to act for you on this basis. In particular you give us the authority to correct errors made by HMRC where we become aware of them. We will not be liable for any loss, damage or cost arising from our compliance with statutory or regulatory obligations.

25. Reliance on Advice

We will endeavour to record all advice on important matters in writing. Advice given orally is not intended to be relied upon unless confirmed in writing. Therefore, if we provide oral advice (for example during the course of a meeting or a telephone conversation) and you wish to be able to rely on that advice, you must ask for the advice to be confirmed by us in writing.


26. Retention of Records

You have a legal responsibility to retain documents and records relevant to your tax and accounts affairs. During the course of our work we may collect information from you and others relevant to your affairs. We will return any original documents to you (if requested). Documents and records relevant to your affairs are required by law to be retained as follows:

Individuals, trustees and partnerships:

with trading or rental income: 5 years and 10 months after the end of the tax year;

otherwise: 22 months after the end of the tax year.

Companies:

6 years from the end of the accounting period.

Whilst certain documents may legally belong to you, we intend to destroy correspondence and other papers that we store which are more than seven years old, other than documents which we consider to be of continuing significance. If you require retention of any document you must notify us of that fact in writing.

27. Health and Safety

We acknowledge our statutory responsibility to co-operate with the Spence & Partners health and safety requirements, provided we are given notice of these. Whilst on the Spence & Partners premises our partners and staff shall be afforded by Spence & Partners the same protection for health and safety purposes as is due to its employees. If we are required by Spence & Partners to enter the premises of a third party it will procure that the third party also affords such protection to our partners and staff as is due to its employees.

28. Force Majeure Clause

No party to this agreement shall be held in any way responsible for any failure to fulfil its obligations under this Agreement if such failure has been caused (directly or indirectly) by circumstances beyond the control of the defaulting party. This shall include war, riot, acts of terrorism, industrial action, accident or equipment failure (except where such accident or equipment failure has been caused by the negligence of the defaulting party, its employees, sub-licensees, subcontractors, agencies or otherwise).

29. Our Staff

You undertake that during the course of this engagement and for a period of six months following its conclusion you will not:

a) solicit or entice away (or assist anyone else in soliciting or enticing away) any member of our professional staff with whom you have had dealings in connection with this engagement during the 12 months immediately prior to your approach; or

b) employ any such person or engage them in any way to provide services to you.

This undertaking shall not apply in respect of any member of our staff who responds to an advertisement placed by you or on your behalf without having been previously approached directly or indirectly by you. In the event of a breach of the terms of this undertaking, you will pay to RSM Northern Ireland, on demand, a sum equivalent to 50% of the total annual remuneration package paid by RSM Northern Ireland to the individual prior to his or her departure. You acknowledge that this provision is a fair and reasonable term intended to be a genuine assessment of the likely loss to us.