The full text of the notice of system audits in the data centres
Pursuant to section 199, paragraph 11, and section 373, paragraph 4, of the Financial Business Act, cf. Consolidated Act no. 885 of 8 August 2011, the following is laid down:
Scope and definitions
§ 1. This Executive Order applies to common data centres, cf. paragraphs 2 to 4, which to a not insignificant extent perform IT operations tasks for several financial companies, financial holding companies or subsidiaries of such undertakings.
(2). A common data centre is a company whose main activities include either 1) performing the IT operations tasks referred to in paragraph 1, including posting, registration and clearing tasks, or 2) performing the tasks referred to in no. 1 as well as developing and maintaining systems for affiliated companies.
(3). This Executive Order applies to common data centres only when they 1) are essentially owned jointly by several financial companies, financial holding companies or subsidiaries of such undertakings, or 2) are an association whose members are mainly financial companies, financial holding companies or subsidiaries of such undertakings.
(4). This Executive Order does not apply to data centres that are subsidiaries of a financial group.
(5). For the purposes of this Executive Order, system audit means the audit of 1) general IT controls in the company, 2) IT-based user systems that the data centre offers to affiliated financial companies, financial holding companies or subsidiaries of such undertakings, and 3) IT systems offered for the exchange of data with the financial companies, financial holding companies or subsidiaries of such undertakings affiliated with the data centre, as well as with other data centres.
(6). For the purposes of this Executive Order, system, data and operational security mean the following: 1) System security is the result of the policies, procedures and controls designed to ensure reliable systems, including that systems are documented, approved, tested and protected against unauthorised alteration.
2) Data security is the result of the policies, procedures and controls designed to ensure reliable and confidential registration, storage, protection and use of data, and that any amendment, deletion, physical or logical access to or use of the data is validated and documented.
3) Operational security is the result of the policies, procedures and controls designed to ensure reliable execution of data processing and handling of errors and deficiencies, so that systems and data are available as necessary.
(7). For the purposes of this Executive Order, affiliated companies means the financial companies, financial holding companies and subsidiaries of such undertakings for which a common data centre performs the tasks referred to in paragraphs 1 and 2.
The external system audit
§ 2. In the data centres referred to in section 1, the general assembly elects at least one approved auditor (the external system audit) to perform the tasks referred to in sections 3-7. In data centres where the highest authority is not a general assembly, the election shall be made by the highest authority. Each external system auditor must perform his or her tasks through an approved audit firm, cf. the Act on approved auditors and audit firms. The data centre shall bear the costs of the system audit.
(2). The external system audit is elected for one year at a time. The Board of Directors must ensure that a new election is reported to the Danish FSA no later than one month after the election has taken place. Where the external system audit is changed due to special circumstances, section 199, paragraph 5, of the Financial Business Act applies mutatis mutandis.
(3). The provisions of the Act on approved auditors and audit firms on the auditor's term of office in businesses that are subject to supervision by the FSA, as well as on reporting and independence, apply mutatis mutandis to the external system audit in the data centres.
(4). The provisions of the Act on public limited companies and private limited companies on the obligation of the Board of Directors and the Executive Board to provide the auditor with information, give access to carry out investigations and ensure that the auditor receives the information and assistance that the auditor considers necessary for the performance of his or her duties apply mutatis mutandis to the external system audit.
(5). The provisions of the Act on public limited companies and private limited companies concerning the auditor's right and duty to be present and to answer questions at a company's general assembly apply mutatis mutandis to the external system audit at a data centre's general assembly or meeting of the highest authority.
§ 3. The external system audit must carry out the system audit referred to in section 1, paragraph 5, in accordance with good audit practice, including ensuring that 1) reassuring control and safeguard measures are adequately met in the development, maintenance and operation of the data centre's systems that relate to the affiliated financial companies, and 2) the data centre's business processes relating to affiliated companies are organised and function with integrity.
(2). The external system audit must contribute to coordinating the system audit effort with 1) the audit in affiliated companies, 2) the system audit in other data centres subject to the provisions of this Executive Order, and 3) the system audit in central securities depositories.
The external system audit protocol
§ 4. For use by the data centre's Board of Directors, the external system audit must keep a separate system audit protocol. The system audit protocol must describe the system audit carried out during the year that can form the basis of partial audit conclusions. The system audit protocol must be presented at every Board meeting, and every protocol entry must be signed by the entire Board of Directors and the system audit manager.
(2). At the end of each calendar year, an annual protocol report must explain the nature and extent of the audit work performed and its conclusion. In it, the external system audit must list the auditor's declarations issued concerning system audit that have not been made under section 7, and provide information on the content of any reservations or additional information in these. In a separate section of the annual protocol report, the external system audit must summarise all comments that the system audit has given rise to making to the Board of Directors in the system audit protocol. The summary must contain an account of the comments made concerning the year in question, as well as the status of the comments that were listed as outstanding in the annual protocol report for the previous year. The summary may contain references to comments in the statement of assurance to be provided under section 7. Where reference is made to the statement of assurance, the statement itself must be submitted to the data centre's Board of Directors no later than at the meeting at which the Board considers the annual protocol report.
(3). In a separate section of the annual protocol report, the external system audit must report on the performance of any assistance or advisory tasks within the scope of this Executive Order.
§ 5. If the data centre has an internal system audit that complies with the provisions of sections 9-15, the external system audit may agree with the system audit manager, cf. section 10, paragraph 1, that the list of auditor's declarations under section 4, paragraph 2, 2nd sentence, and the statements under section 4, paragraph 2, 3rd and 4th sentences, appear only in the internal system audit's annual protocol report. The agreement to that effect must be reflected in the system audit agreement, cf. section 14.
§ 6. The annual protocol report must state whether 1) the external system audit meets the statutory requirements for auditor independence, and 2) the external system audit has received all the information requested.
(2). In the annual protocol report, the external system audit must confirm that the declarations referred to in section 7 have been submitted to the affiliated companies. Any reservations or additional information must be reproduced in the annual protocol report.
(3). In data centres that have an internal system audit, the annual protocol report must state whether 1) the tasks agreed under the system audit agreement, cf. section 14, have been completed, and whether the internal system audit functions satisfactorily, and 2) the external system audit agrees with the content of all the internal system audit's protocol entries relating to the calendar year and, if this is not the case, on which points disagreement remains.
(4). The data centre must send a copy of the external system audit's annual protocol report to the FSA each year before 15 February, together with a copy of the declarations made under section 7.
(5). Statements and information under paragraphs 1 to 3 must, if they are made without reservations or additional information, be rendered using the wording of the Executive Order.
§ 7. Each year, before a time agreed with the data centre, cf. however paragraph 6, the external system audit must issue declarations on system, data and operational security concerning the previous calendar year for use by the affiliated companies that are subject to the Financial Business Act.
(2). The conclusions of declarations under paragraph 1 must be given verbatim in accordance with Annex 1 to this Executive Order if the declarations are issued without reservations or additional information. The declarations must be drawn up in accordance with the rules on other declarations with assurance in the Danish Commerce and Companies Agency's Executive Order on declarations.
(3). The conclusion of the declaration must state whether the auditor believes that the data centre's overall system, data and operational security is reassuring.
(4). If the external system audit becomes aware of matters relating to the data centre's general IT controls, IT-based user systems or systems for the exchange of data that conflict with the legislation relating to financial companies, the external system audit must disclose this in a separate section.
(5). The data centre must, without undue delay after they are issued, send the declarations under paragraphs 1 and 2, as well as the system audit manager's declaration under section 8, to the Executive Boards of the companies concerned for submission to their Boards of Directors. For groups, the data centre may, unless it would be contrary to the provisions of the Financial Business Act on disclosure of confidential information, agree with the parent company that the declarations are sent only to the parent company's Executive Board, which in that case must ensure that the Executive Boards of the relevant group companies receive copies for submission to the Boards of Directors of those companies.
(6). The external system audit must issue the declaration referred to in paragraph 1 in respect of a period that ends no earlier than 31 October of the calendar year in question. If the declaration concerns a period other than a calendar year, the external system audit must, at the end of the year, also issue a supplementary declaration to the affiliated companies covered by the Financial Business Act on whether the overall system, data and operational security has been reassuring and has operated with integrity in the period up to the end of the year.
§ 8. If the data centre has an internal system audit that complies with the provisions of sections 9-15, the internal system audit manager must state in a separate document, for use by the companies covered by the Financial Business Act, whether he or she agrees with the external system audit's declaration.
(2). The system audit manager's declaration must contain a brief description of the audits performed and their conclusion.
(3). Any reservations or additional information must be clearly stated in the declaration.
The internal system audit
§ 9. The Board of Directors of a data centre may decide to establish an internal system audit, cf. however paragraph 2.
(2). In data centres that perform essential IT operations tasks, including posting, registration and clearing services, for financial institutions, an internal system audit must be established.
(3). If a Board of Directors decides under paragraph 1 to establish an internal system audit, the provisions concerning the internal system audit apply.
§ 10. The internal system audit is managed by a system audit manager. The system audit manager can be appointed and dismissed only by the data centre's Board of Directors.
(2). At the time of recruitment, the system audit manager must have taken part in practical system audit work in at least 3 of the past 5 years.
(3). The Board of Directors may appoint one or more deputy system audit managers.
(4). The Board of Directors may appoint a deputy system audit manager who deputises for the system audit manager.
(5). The provisions of paragraphs 1 and 2 and sections 11 and 12 relating to the system audit manager apply mutatis mutandis to the deputy system audit managers, including delegates.
§ 11. When a system audit manager takes up the position, this must be reported to the FSA within 1 month after he or she takes up the position.
(2). When reporting the recruitment of a system audit manager to the FSA, the Board of Directors must state that the system audit manager meets the requirements of section 10, paragraph 2.
(3). When a system audit manager is dismissed or resigns, the Board of Directors and the system audit manager must each, no later than 1 month after the termination of employment, send a report to the FSA on the background to this.
§ 12. The system audit manager must have access to all the information that he or she considers necessary for the system audit, including the Board's protocol.
(2). The system audit manager and the staff of the internal system audit may not take part in work in the data centre other than auditing.
§ 13. In data centres that have an internal system audit, a function description must be drawn up and approved by the Board of Directors. The function description must at least provide for 1) the internal system audit's general powers, responsibilities and duties, 2) qualifications, 3) that the recruitment and dismissal of employees of the internal system audit must be carried out or approved by the system audit manager, and that employees' training must be approved by the system audit manager, 4) the internal system audit's budget, and that this must be approved by the data centre's management board, and 5) information about agreements between the data centre's management and the internal system audit on the performance of specific audit tasks. One-off tasks and tasks of a temporary nature need only be stated in the internal system audit protocol.
(2). The tasks mentioned in paragraph 1, no. 5, must not place the system audit manager in a situation where he or she issues declarations or provides information on matters or documents for which the system audit manager or the employees of the internal system audit have prepared the basis.
§ 14. In data centres that have an internal system audit, the system audit work must be carried out in accordance with good audit practice and in accordance with a system audit agreement between the external system audit and the system audit manager. The system audit agreement must include at least 1) a general description of the system audit tasks to be performed, and which of these tasks fall to the external system audit and the internal system audit respectively, 2) guidelines for cooperation between the external system audit and the internal system audit, including for the work that the external system audit must perform in checking the internal system audit's work, 3) a description of how and to what extent information about the system audit performed is exchanged between the internal system audit and the external system audit, and 4) guidelines for cooperation with a) the internal and external audit in affiliated companies, b) the internal and external system audit in other data centres subject to the provisions of this Executive Order, and c) the internal and external system audit in central securities depositories.
The internal system audit protocol
§ 15. For use by the data centre's Board of Directors, the internal system audit must keep a system audit protocol. The system audit protocol must describe the system audit carried out during the year that can form the basis of partial audit conclusions. The system audit protocol must be presented at every Board meeting, and every protocol entry must be signed by the entire Board of Directors.
(2). At the end of each calendar year, an annual protocol report must account for the audits performed and their conclusion. In it, the internal system audit must list the auditor's declarations issued concerning system audit and provide information on the content of any reservations or additional information in these. In a separate section of the annual protocol report, the internal system audit must summarise all comments that the system audit has given rise to making to the Board of Directors in the system audit protocol. The summary must contain an account of the comments made concerning the year in question, as well as the status of the comments that were listed as outstanding in the annual protocol report for the previous year.
(3). The system audit manager must, as a minimum, confirm in a separate section of the annual protocol report that he or she has not been placed in a situation where he or she issues declarations or provides information on matters or documents for which the system audit manager or the employees of the internal system audit have prepared the basis, cf. section 13, paragraph 2.
(4). The annual protocol report must state whether the internal system audit has received all the information requested.
(5). The data centre must send a copy of the internal system audit's annual protocol report to the FSA each year before 15 February.
§ 16. The system audit must ensure that the FSA is notified immediately if the system audit 1) must assume that the data centre's overall system, data and operational security in the areas covered by this Executive Order is not reassuring, or 2) becomes aware that significant and prolonged IT-related operational problems have arisen in the data centre relating to the data centre's services to affiliated companies.
(2). In determining whether the FSA should be notified under paragraph 1, no. 2, the assessment must as a minimum include 1) the impact of the operational problems on the data centre's exchange of data with other data centres and the associated data processing, and 2) the significance of the operational problems for the affiliated companies' short-term financial management.
(3). If the external system audit or the internal system audit finds that matters relating to the IT usage of one or more of the affiliated companies are not reassuring in the areas covered by the data centre's services to the company, and these are matters to which recipients of declarations under section 7 can normally be expected to attach significance when making decisions about system, data and operational security, it must ensure that the matter is notified in writing, without undue delay, to the Executive Boards of the companies in question. The matter must be explained in the current system audit protocol for the data centre's management board.
§ 17. Section 74, paragraphs 1 and 2 and paragraph 3, 2nd sentence, of the Financial Business Act apply mutatis mutandis to the participation and rights of the external system auditors and the internal system audit manager at Board meetings.
Disclosure of information and supervision
§ 18. Confidential information that the external system audit, the system audit manager and the staff of the system audit department receive from financial companies, financial holding companies or subsidiaries of such undertakings by virtue of their work is covered by section 117 (1) of the Financial Business Act.
§ 19. The FSA may order the external system audit or the system audit manager, as well as his or her deputy, to provide the FSA with information on the data centre's affairs.
§ 20. The Danish financial supervisory authority may grant derogations from the provisions of this Ordinance.
§ 21. The time limits relating to the external system audit's term of office, referred to in section 2, paragraph 3, are counted from the first election of an external system auditor after the entry into force of the Danish FSA's Executive Order no. 254 of 10 April 2005.
Penal provisions and entry into force
§ 22. Violation of section 2, paragraphs 1 and 2, sections 3 and 4, section 5, 2nd sentence, sections 6-8, section 9, paragraphs 2 and 3, section 10, paragraphs 1, 2 and 5, section 11, section 12, paragraph 2, sections 13-15, and section 21 is punishable by a fine.
(2). Criminal liability may be imposed on companies, etc. (legal persons) in accordance with the provisions of Chapter 5 of the Criminal Code.
§ 23. This Executive Order enters into force on 31 December 2011.
(2). Protocol entries, including annual protocol reports, and declarations must be drawn up in accordance with this Executive Order as from its entry into force.
(3). At the same time, the FSA's Executive Order no. 1019 of 22 October 2008 on system audits in the data centres is repealed.
§ 24. The Ordinance shall not apply to the Faroe Islands.
The Danish Financial Supervisory Authority, 29 November 2011
Ulrik Nødgaard / Stig Nielsen
Annex 1
The external system statement pursuant to section 7
It follows from section 3 that the external system audit must be carried out in accordance with good audit practice. Good audit practice involves, among other things, that the audit is carried out in accordance with relevant auditing and assurance standards. It follows that the external system audit's statement of assurance to the affiliated companies on system, data and operational security, cf. section 7, must be issued in accordance with ISAE 3402, 'Assurance Reports on Controls at a Service Organization'.
If the declaration's conclusion can be made without reservations or additional information, it shall have the following wording:
»Our conclusion has been formed on the basis of the matters set out in this declaration. The criteria we have used in forming our conclusion are the criteria described on page [xx]. It is our opinion that
a) the description of the general IT controls relevant to system, data and operational security for the financial companies affiliated with the data centre, as they were designed and implemented in the period [here specify the period in question, see section 7, paragraph 6], is in all essential respects true and fair, and
b) the controls related to the control objectives stated in the description were in all essential respects appropriately designed throughout the period [here specify the period in question, see section 7, paragraph 6], and
c) the controls tested, which were the controls necessary to provide a high degree of assurance that the control objectives set out in the description were achieved in all essential respects, operated effectively throughout the period [here specify the period in question, see section 7, paragraph 6].
In addition to the above, we must, in accordance with section 7 and on the basis of the system audit under (a), (b) and (c), declare that the general IT controls relevant to the system, data and operational security of the financial companies affiliated with the data centre are in our view reassuring and have operated with integrity in the period [here specify the period in question, see section 7, paragraph 6].«