Part 7: Information systems

Guardians of New Zealand Superannuation: Governance and management of the New Zealand Superannuation Fund.
Key messages
  • The Guardians' information technology infrastructure is well managed.
  • The most significant information technology risks faced by the Guardians have been outsourced to the Custodian, and are managed through the Custodian's infrastructure and controls, and confirmed through reporting processes.
  • The internally retained information technology risks to the Guardians are minimal. Even so, the Guardians have followed good practice in implementing the Control Objectives for Information and related Technology control framework, although they are still to finalise their information technology strategy.

In this Part, we report on the Guardians' management of information systems. We set out our findings in relation to the Guardians':

  • information technology function and strategies;
  • management of risks relating to outsourced information technology; and
  • business continuity management.

Our findings

Information systems refer to the information infrastructure necessary for the Guardians to operate the Fund. Information technology infrastructure is maintained by the Custodian, and hardware, software, and information infrastructure is maintained by the Guardians in their Auckland and Wellington offices.

The Custodian plays a vital role in all aspects of the Fund's reporting. It manages the Fund's transaction processing infrastructure, which provides all monitoring and reporting of Fund performance.

The Guardians' internal information technology systems meet business requirements. The systems include an “off the shelf” operating system and software packages for accounting1 and financial forecasting, and the data warehouse (see paragraph 4.49). The data warehouse, a system developed in-house, has historically been the source for compliance reporting as well as investment policy research. In our view, the information infrastructure is appropriate for how the operations of the Fund are currently structured.

The Guardians also have direct daily access to all Fund transactional information provided by the Custodian. The outsourcing agreement allows the Guardians to access this information whenever required through a secure web-link to the Custodian's databases.

Information technology function and strategies

The Guardians' Information Technology team consists of one staff member supported by a business analyst and third party contractors when additional resources are required. The Guardians have outsourced management of information technology infrastructure to a third party who provides a fortnightly report on the system status and maintenance activities performed. The Guardians are assessing current provisions to support projected growth of the Fund.

The relatively small and simple nature of the Guardians' information technology systems means that security and change control processes are limited and informal, based on international COBIT standards. Back-up and disaster recovery processes are more formalised through outsourcing arrangements.

Originally, the data warehouse development was driven by the need to verify certain information provided by the Custodian. However, the need for increased capability was part of the business case for the switch to a new Custodian. In our view, the value of maintaining the data warehouse facility should be reviewed. The Guardians' view is that the data warehouse is an important part of the intellectual property of the Guardians. The Guardians are committed to retaining investment data in-house. Currently, this is achieved through the data warehouse.

The Guardians are improving the alignment of the information technology function activities, including projects, to the needs of the business. This will ensure that information technology development precedes the functionality needs of the business.

The Guardians are yet to set up formal processes to strategically align information technology with the changing needs of the business. Completion of the information technology strategy depends on the development of a broader operational strategy. In the current environment, the significance of the information technology strategy is low given that the main information technology infrastructure assets are owned and managed by the Custodian. However, the remaining information technology infrastructure of the business should be developed subject to a formal plan that is integrated with the broader business plan.

Recommendation 17
We recommend that the Guardians of New Zealand Superannuation develop a long-term information technology strategy and align it with an overall operational strategy.

Management of risks relating to outsourced information technology

The Custodian owns and manages most of the outsourced information technology. Investment Managers pass all transactions to the Custodian daily, and the Custodian processes and settles the transactions. This approach limits the risk of relying on the information technology of Investment Managers.

The Guardians have a comprehensive Master Custody Agreement and service level agreement in place to govern their relationship with the Custodian. The agreement requires the Custodian to provide data securely and confidentially through its internal systems, with sufficient availability to not impede business as usual. It also commits the Custodian to a high level of processing integrity.

As part of these arrangements, the Custodian is also subject to an independent SAS 70 report that the Guardians receive annually. The SAS 70 report is completed by the Custodian's auditor and looks at generic funds management processes for the Fund's transactions. Therefore, the SAS 70 report does not specifically focus on transactions occurring under the Fund's investment mandates. To address this, the Custodian's service level agreement allows the Guardians' internal auditors to review transaction processing.

The Guardians' internal auditors have not done a review in relation to the SAS 70 report since the new Custodian was appointed. From discussions with management, we understand that a review is expected to be completed in 2008.

We reviewed the information technology component of the SAS 70 report for the year ended 31 March 2007. We did not see any issues for information technology general controls that might affect administration of transactions or reporting for the Fund. In our view, the information technology general controls applied by the Custodian are sound and reliable.

The transition to the new Custodian was governed by a formal project structure, including representation from the Guardians, the previous Custodian, and the new Custodian. The Guardians participated primarily in an overseeing and validation role. Information technology risks were considered during the transition, and deliverables were assessed according to how well they filled the gaps identified during the vendor selection process.

In our view, the risks for outsourced information technology processes are significant. However, they are adequately controlled through the provisions of the Custodian service level agreement and procedures performed by the Guardians to validate the reliability of the Custodian's processes.

Access to external provider information

The Guardians have direct access to real-time Fund-specific data through the Passport Web Portal provided by the Custodian. This portal also provides the reporting tools necessary to rapidly analyse information from Investment Managers to ensure that risks and opportunities are addressed in a timely manner.

External data is obtained from Overlay Asset Management, Bloomberg, Morningstar, and WM/Reuters. This data is uploaded to the data warehouse primarily for the purpose of validation and reconciliation of the Custodian data.

The Guardians are committed to implementing a way to collect institutional knowledge, and have started working on a knowledge management framework. The core of the framework will be an intranet2 linking all institutional data from a single reference point. A knowledge management project team has been formed from representatives throughout the business to ensure that all knowledge is identified and collected.

In our view, the knowledge management framework is appropriate, given the outsourcing of Fund operations and the overseeing and strategy development role of the Guardians.

Business continuity management

The Guardians have a framework of high level policies for information technology continuity to support enterprise-wide business continuity management.

The Guardians have a cold site3 for the purposes of disaster recovery, as well as back-up tape management, and server testing and recovery services. The Guardians can transfer operations to the cold site if they cannot access their regular offices. This agreement is the primary way for the Guardians to recover their internal information technology systems. If there is a disaster, the Guardians' external information technology provider will support operations during server recovery.

The Custodian has an extensive business continuity management structure including a hot site4, three global operating locations with capacity to support the loss of one site, and a detailed Business Continuity Plan.

The Guardians' main business continuity risk is in relation to the Custodian. A failure of the Guardians' information technology systems would not have a fundamental effect on performance of the Fund or the Guardians' ability to manage investment risk. However, a failure of the Custodian's information technology systems would present a much greater risk.

One of the benefits of outsourcing for the Guardians is gaining access to a larger and more sophisticated information technology infrastructure. Further, the physical spread of the Custodian's operations in three geographically separate locations provides assurance that business continuity risks are adequately managed.

Our conclusions

The Guardians' information technology infrastructure is well managed. The most significant risks relate to the Custodian. Largely, the Custodian's infrastructure and controls mitigate those risks. This is confirmed through the Custodian's reporting under its service level agreement with the Guardians, the annual SAS 70 report on the Custodian by its auditors, and specific procedures performed by the Guardians.

The information technology risks to the Fund from the Guardians' information technology infrastructure are minimal. Notwithstanding this, the Guardians have followed good practice in implementing the Control Objectives for Information and related Technology control framework, although they are still to finalise an information technology strategy.

1: These systems are used to manage accounting for the Guardians. Accounting for the Fund is done by the Custodian.

2: An intranet is a private computer network that uses Internet protocols and network connectivity to securely share part of an organisation's information or operations with its employees.

3: A non-dedicated computer site available in the event of a disaster.

4: A dedicated computer site available in the event of a disaster.

page top