The Auditor-General, Kevin Brady, has presented his report on the New Zealand Superannuation Fund to Parliament yesterday, recommending its Guardians do further work to complete the fund's IT strategy among other recommendations.
Overall, however, the fund's IT achieved a solid pass in the report, which found ICT risk was being managed well. The Auditor-General's five high priority recommendations were not ICT related.
"The Guardians have a comprehensive Master Custody Agreement and service level agreement in place to govern their relationship with the Custodian," the report says. "The agreement requires the Custodian to provide data securely and confidentially through its internal systems, with sufficient availability to not impede business as usual. It also commits the Custodian to a high level of processing integrity."
The report says information technology general controls applied by the Custodian, Northern Trust, are sound and reliable, in the Auditor-General's opinion. The ICT aspects of a transition to a new Custodian was also well managed. "In our view, the risks for outsourced information technology processes are significant. However, they are adequately controlled through the provisions of the Custodian service level agreement and procedures performed by the Guardians to validate the reliability of the Custodian's processes," the report says. It also notes the Guardians' access to real-time fund information and analysis through a web portal provided by the Custodian and the development of a knowledge management framework: "The Guardians are committed to implementing a way to collect institutional knowledge, and have started working on a knowledge management framework," the report says. "The core of the framework will be an intranet linking all institutional data from a single reference point. A knowledge management project team has been formed from representatives throughout the business to ensure that all knowledge is identified and collected." Both the Guardians' and the Custodian's business continuity also got a pass mark, with the report noting the "Custodian has an extensive business continuity management structure including a hot site, three global operating locations with capacity to support the loss of one site, and a detailed business continuity plan." "One of the benefits of outsourcing for the Guardians is gaining access to a larger and more sophisticated information technology infrastructure," the report says. "Further, the physical spread of the Custodian's operations in three geographically separate locations provides assurance that business continuity risks are adequately managed."