Data Audit Code of Practice and Appendix A
Pro-forma advice following client site visit
Purpose of Document
This document is intended to promote and develop fair,
reasonable and consistent practices through which the members of the information
industry can exercise contractual audit rights and obligations.
The Code of Practice is entirely voluntary. It is not intended to infringe or inhibit any
existing rights or obligations. It has no binding force except as incorporated
into contracts. This Code of Practice recognizes that contractual terms relating
to data audits may vary considerably; auditing and audited parties may reserve
all rights available to them under existing contracts.
It is intended to set out in general terms a minimum standard of good practice and cooperation between
the parties to an audit. It is based largely on the practical experience of exchanges
and vendors and on consultation with user representatives. For experienced audit
teams, it contains nothing new. However, observance of the practices set out in
the document would significantly increase the confidence in the audit process
and set a basic standard of consistency for the industry.
The Code of Practice has been produced as far as possible by reference to professional audit concepts.
However, it must be noted that the process of audit referred to in this document
is not a statutory audit as defined in various legal requirements. References
or correspondence relating to the process of audit set out in this Code of Practice
must not be represented or construed as any form of statutory audit opinion or
regulatory activity on the part of the auditing party.
It is important to note that the Code of Practice applies across an extremely wide spectrum of audits
from international vendors to single site users. It is not intended to be a detailed
prescription or audit program. In some cases auditors and audited parties may
wish to plan greater levels of detail or tighter time frames than the Code contains.
They may also wish to record their agreement via some form of Service Level Agreement.
This would be entirely consistent with the aims of the Code of Practice. In other
cases the level of detail contained in the code, or its suggested reports, may
be deemed inappropriate. Where this is the case, the underlying principles on
which the code is based should still apply.
In the context of this document, best practice means that the contractual purpose of the audit is achieved with
maximum efficiency and minimum disruption to all parties.
A. Principles of Best Practice
1. Overall Audit Approach
Audits should be planned and conducted as far as possible in accordance
with regionally accepted professional auditing standards. Audited parties should
provide adequate support and co-operation to enable the audit to be conducted
efficiently.
2. Confidentiality
All books, records and systems inspected in the course of an audit and
all audit work papers will be regarded by the auditors or designated representatives
as strictly confidential. Their contents will not be used by the data provider
or designated representative for any purpose other than audit and will not be
circulated within the data provider except for audit review and administrative
purposes. They will not be disclosed to any third party (unless they are parties
to the contract), including the audit representatives of any other data provider,
and will not be disclosed by an audit representative to any other data provider
represented by the same auditor, without the prior written permission of the audited
party.
3. Audit Purpose
The regular purpose of an audit will be to verify compliance with contract
obligations and ensure that applicable fees are paid to the data provider. This
may involve verification and assessment of controls over data at client sites.
The purpose of the audit should be to ensure compliance with contract terms.
Any differences in contract interpretation should be identified by the audit and
noted in the audit report.
4. Frequency Of Audit/Period Audited
The same location should not be audited more frequently than once per year
unless there is cause to do so as determined by the data provider in accordance
with the contractual provisions between the parties. Where locations have not
been audited for several years the auditors may take into consideration changes
in systems, procedures etc., when determining the period to be audited and the
extent of documentation to be made available for audit.
In the normal course of a routine audit the audited party may be expected to make documents available
for a period of several years, depending on the contractual rights of the auditing
party.
B. Preparation
1. Prior Notice
Auditors must reserve the right to audit at the minimum notice periods
specified per contract, but best practice may require longer notice periods, to
allow for effective audit planning and preparation.
Auditors may audit at short notice where there is reason to suspect non-compliance or by agreement between
the parties. Adequate advance notice will be given for routine audits, including
verification of client site data feed controls and declarations. This may involve
up to 90 days prior notice for complex audits involving both vendor and client
sites.
2. Audit Planning
All parties to the audit should co-operate in a planning process (e.g.
by exchange of correspondence and/or meetings) to ensure that:
- period, timing, and location(s) subject to audit are identified and reasonable
- records necessary for the audit are identified and made available for inspection
- adequate resources and time are allowed for the audit by both the audited party and the auditors
- audit staff understand the relevant operations of the audited party and the impact on those operations of proposed audit measures
- the location of relevant records is identified
- the audit team has sufficient access to relevant staff of the audited party
- audit enquiries are promptly addressed
- any further work identified in the course of the audit as necessary to investigate areas of potential exposure is discussed and arranged as soon as possible
- procedures for closing the audit are clearly understood
- areas of possible contract interpretation differences are identified and discussed.
C. On Site
1. Audit Queries
Auditors will attempt to resolve audit queries on site. Any unresolved queries will be
presented at an exit meeting as described in D1 below.
2. Audit Findings
The auditor must have documentation to support audit findings and any financial
claims arising from them. The lack of documentation to support the figures reported
to a data provider does not, in itself, indicate a reporting error, but may constitute
a failure to comply with the terms of the agreement with the data provider and
is a valid audit finding.
The lack of documentation to support the figures reported to a data provider should be included where appropriate in the auditor's
report. It may result in additional inquiries, validation tests, client site visits
or other investigation to assess the completeness and accuracy of reported figures.
The failure of a vendor to obtain information as required from a user to support
the numbers reported may also result in a requirement (subject to contract) for
the vendor to take additional actions (e.g. obtain evidence or disconnect the
user concerned).
The auditor and the audited party should work together in good faith to resolve any differences in opinion arising from the audit and in
any cases where there is evidence of non-compliance but the loss to the data provider
cannot be clearly quantified. Any liability claimed as a result of an audit should
be calculated in accordance with the contract.
3. Client Site Visits
Review of data feed control questionnaires or access declarations may assist
in selection of client sites for audit visits. Any sites selected for visits by
the data feed provider should be notified in advance, where possible.
Clients may request that auditors confirm where applicable that client site controls have
been reviewed and found to be operating effectively. Auditors are under no obligation
to provide or accept this confirmation. Both parties should recognize that any
such confirmation is a strictly limited endorsement and must not be construed
or interpreted as a formal or statutory audit opinion. A suggested pro-forma is
attached as Appendix A.
Where a client receives advice from an auditor that a site visit had revealed evidence of effective controls, the client may bring
this advice to the attention of any other data provider(s) who may have selected
the same location for audit.
D. Audit Results and Reports
1. Exit Meeting
The auditor should convene an exit meeting, or series of meetings, upon
conclusion of audit work at the site audited to:
- summarize preliminary findings and current issues outstanding
- provide a preliminary view of audit recommendations
- obtain feedback from the audited party on audit findings/recommendations
- establish an approach and time-frame for resolving outstanding issues (this may involve additional work for both parties and reference to senior management where necessary)
- propose a time-frame for issue of report and audit settlement.
Typically the time-frame should allow the audit report to be issued within
three months of the final exit meeting.
2. Audit Report
The audit report should be issued as soon as possible after the audit.
It should summarize audit findings and recommendations. Where relevant the report
should include responses or summary responses from representatives of the audited
party.
The audit report should aim to generate value for all parties to the audit process, for example by noting and promoting good practice or identifying
areas where contract terms may need clarification.
The audited party should respond promptly to the audit report.
3. Audit Settlements
Any adjustments to reporting and fees paid as the result of an audit will
normally be regarded as the final settlement for the data provider, period and
locations covered by the audit. Any revisit of the audited period or location
should be supported by an indication of material discrepancies or contract violations,
or when the scope of the original audit was constrained by the inability or refusal
of the audited party to provide relevant documentation (e.g. permissioning reports).
In the latter case the audit report should clearly identify the problems incurred
and the reasons for needing to repeat or expand the audit.
Appendix A
Pro-forma advice following client site visit
In the course of our audit of (Vendor) we reviewed the systems and
procedures for controlling distribution of market data at (client site) on (dates)
for the period covering ( ).
Our audit was carried out in accordance with our contractual rights and obligations. We
have used the standard data audit approach of (Data Provider), copies of which
are available on request.
We believe this approach to be consistent with the FISD Data Audit Code of Practice and with best practice in the information industry.
Please note that our review of your controls does not constitute any formal or
statutory audit, and this letter must not be represented or construed as any form
of statutory audit opinion. Our review indicated that there was evidence of effective
controls for the period stated. We found no evidence of material misstatement
of market data access reports submitted by (Client) for the site concerned.
This letter makes no representation as to the completeness and accuracy of any reports
issued by (Client) to other data providers or vendors. (Data Provider) accepts
no liability for losses, claims or damages arising from any act or omission referring
to or based on this letter.
(Data Provider) authorizes (Client) to make this letter available to the auditor or audit representatives of any other Data Provider
proposing to audit (client site) within the next 12 months. With this exception,
no information about the results of our audit or controls review should be passed
to any third party without the written permission of (Data Provider).