Notice Of System Audits In The Data Centres

Original Language Title: Bekendtgørelse om systemrevisionens gennemførelse i fælles datacentraler


Notice on the implementation of the system audit in joint data centers

Pursuant to section 199 (4), 11, and Section 373 (3). 4, of the law on financial activities, cf. Law Order no. 885 of 8 August 2011:

Scope and definitions

§ 1. The notice shall apply to joint data centers, cf. paragraphs 2-4, which to a not insignificant extent carry out IT operational tasks for several financial undertakings, financial holding companies or subsidiary undertakings of such undertakings.

Paragraph 2. A joint data center is a business whose main activities comprise either

1) execution of the IT operational tasks mentioned in paragraph 1. 1, including accounting, registration and clearing tasks; or

2) execution of the tasks mentioned in no. 1 and the development and maintenance of systems for the affiliated undertakings.

Paragraph 3. The notice shall apply only to joint data centers when they:

1) are predominantly owned by several financial undertakings, financial holding companies or subsidiaries of such undertakings in association, or

2) are an association whose members are largely financial undertakings, financial holding companies or subsidiaries of such undertakings.

Paragraph 4. The notice shall not apply to data centers that are subsidiary undertakings of a financial group.

Paragraph 5. For the purposes of this notice, system audit means the audit of:

1) general IT checks in the enterprise,

2) IT-based user systems that the data centres offer the connected financial companies, financial holding companies or subsidiaries of such undertakings, and

3) IT systems that are offered for the exchange of data with the data center's connected financial undertakings, financial holding companies or subsidiaries of such undertakings, as well as with other data centers.

Paragraph 6. System security, data security and operational security shall be understood as follows:

1) System security is the result of policies, business procedures and controls that must ensure reliable systems, including that systems have been documented, approved, tested and secured against unauthorized change.

2) Data security is the result of policies, business procedures and controls to ensure a reliable and confidential registration, storage, protection and use of data, and that modification, deletion, and physical or logical access to or use of data are approved and documented.

3) Operational security is the result of policies, business practices and controls to ensure reliable implementation of data processing and the handling of errors and deficiencies in order to enable systems and data to be available as necessary.

Paragraph 7. For affiliated undertakings, the financial undertakings, financial holding companies and the subsidiary undertakings of such undertakings shall be taken as a single data centre to carry out the operations referred to in paragraph 1. The tasks of 1 and 2 shall be mentioned.

The external system audit

§ 2. In the data centres referred to in section 1, the General Assembly shall select at least one approved auditor (the external auditor) to carry out the tasks in sections 3 to 7. In data centers where the highest authority is not a general assembly, the selection shall be made by the highest authority. The individual external auditor must perform its tasks through an approved audit activity, cf. the law of authorised auditors and auditors. The data centre shall bear the costs of the system audit.

Paragraph 2. The external system audit is selected for one year at a time. In the case of a new election, the Management Board shall ensure that notification is made to the Financial supervision within one month of the election. In the event of a change of external system audit, section 199 (4). 5, of the law on financial activities shall apply mutatis mutandis.

Paragraph 3. The provisions of the statutory auditors and auditors of auditors on the auditor's term of office in undertakings subject to the supervision of the Financial supervision, and on reporting and independence, shall apply mutatis mutandis to the external system audit in joint data centers.

Paragraph 4. The provisions of the Law on liability of the company and of the Board of Directors on the obligation of the Management Board and the Governing Board to provide the auditor with information, give access to investigations and ensure that the auditor receives the information and the assistance which the auditor considers required for the performance of its duties, shall apply mutatis mutandis to the external system audit.

Paragraph 5. The provisions of the Law on the Company and the Anchor Company on the auditor's right and obligation to be present and to answer questions at a company's general assembly shall apply mutatis mutandis to the external system audit at a data centre's General Assembly or meeting of the highest authority.

§ 3. The external system audit shall carry out the system audit mentioned in section 1 (1). 5, in accordance with good auditing practice, including as to whether

1) control and security measures are adequately taken into account in the development, maintenance and operation of the data centre systems that relate to the connected financial undertakings; and

2) the business procedures in the data centre that relate to connected undertakings are organised and operate in a reassuring manner.

Paragraph 2. The external system audit must contribute to a coordinated system audit effort with

1) the audit in affiliated undertakings,

2) the system audit in other data centers covered by this notice, and

3) system audit in stock-based stock-centers.

The external system audit protocol

§ 4. For use by the data center board, the external system audit must keep a separate system audit protocol. During the course of the year, the system audit protocol shall record the system audit carried out, which may form the basis for partial audit conclusions. The system audit protocol shall be presented at any board meeting and any protocol entry shall be signed by the entire management board and the system audit manager.

Paragraph 2. At the end of each calendar year, the nature and extent of the audit work carried out and the conclusion of the audit work shall be accounted for in an annual protocol. The external system audit shall list the auditors' declarations which have not been submitted in accordance with section 7 and provide information on the content of any reservations or additional information contained in these. In a separate section of the annual protocol, the external auditor shall sum up all the observations made by the system audit to the Board of Directors in the system audit protocol. The summary shall contain a status of the remarks made concerning the year in question and the status of the remarks which appeared in the annual protocol for the previous year. Summaries may include references to comments in the Statement of Assurance to be issued pursuant to section 7 of the notice. If references to the Statement of Assurance are used, the declaration itself shall be submitted to the data centre's management board no later than the meeting at which the Management Board considers the annual protocol.

Paragraph 3. The external audit system shall indicate in a separate section of the annual protocol that any assistance or advisory role shall be carried out within the scope of the notice.

§ 5. Does the data centre have an internal audit system that meets the provisions of section 9-15, the external system revision agreement with the system audit manager may see it in. ~ 10 (1)) 1 that the list of auditors ' declarations as referred to in Article 4 (2) shall be that : TWO, TWO. ptangle, and the statements as referred to in Article 4 (4). TWO, THREE. and 4. pkt., alone, appears in the internal protocol for the internal system audit protocol. The agreement on this must be included in the system revision agreement, cf. § 14.

§ 6. The annual protocol must state whether

1) the external system audit meets the requirements of the legislation of the auditor, and

2) the external system audit has received all of the requested information.

Paragraph 2. The external system audit shall confirm that the declarations referred to in section 7 have been made to the affiliated undertakings. Any reservations or additional information shall be stated in the protocol in this context.

Paragraph 3. In data centers that have an internal system audit, the annual protocol must state whether

1) the tasks agreed upon according to the system audit agreement, cf. section 14, have been completed and the internal system audit functions satisfactorily, and

2) the external system audit agrees with the contents of all internal system audit protocol entries for the calendar year, and where this is not the case in which the agreement is made.

Paragraph 4. A copy of the external system audit's annual protocol for the data centre must be sent to the Financial supervision each year by 15 February, together with copies of the declarations made pursuant to section 7.

Paragraph 5. Statements and information provided for in paragraph 1. 1-3 if they are given without reservation or supplementary information, shall be rendered in accordance with the order of the notice.

Declarations

§ 7. Each year, before a time agreed with the data center, cf. however paragraph 6, the external system audit must issue declarations on the system, data and reliability of the preceding calendar year for the use of the connected undertakings subject to the law on financial activities.

Paragraph 2. Declarations of statements pursuant to paragraph 1. 1 shall be given in accordance with Annex 1 in the order of the notice, if the declarations are rendered without reservation or supplementary information. These declarations shall be drawn up in accordance with the rules relating to other declarations of security in the declaration by Errecruitment and the Declaration of the Corporate Management Board.

Paragraph 3. The declaration must state whether the auditors estimate that the system's entire system, data and reliability is reassuring.

Paragraph 4. If the external system audit becomes aware of matters concerning the data center's general IT controls, IT-based user systems and systems for the exchange of data that are in breach of the financial undertakings legislation, the external system audit shall inform the Commission in a separate section.

Paragraph 5. The declaration in accordance with paragraph 1. The statement by the data center without undue delay after their submission shall be sent to the Governing Board of the Management Board (s) of the data centre, as well as the system audit director's declaration, in accordance with Article 8. In the case of groups, the data centre may, unless it is against the provisions of the Act on the disclosure of confidential information, agreement with the parent company, that the declarations are only sent to the parent company ' s Governing Board, which, in such cases, shall be sent ; shall ensure that the directors of the relevant group companies receive copies for the submission of the boards of these companies.

Paragraph 6. The external auditing system shall be subject to the declaration of paragraph 1. 1 for a period not ending at the earliest of the 31. October in the calendar year in question. If a declaration is made over a period other than a calendar year, the external auditing period shall also make additional declaration to the associated undertakings subject to the financial activity of the overall financial undertaking ; system-, data and reliability of data have been and worked comforting for the period up to the end of the year.

§ 8. If the data centre has an internal audit system that satisfies the provisions of section 9-15, the internal system audit manager shall, in a separate document, be required to declare whether or not they agree to the financial undertaking by the undertakings subject to the law of financial activities ; external system audit declaration.

Paragraph 2. The system audit manager's declaration shall include a short description of the audit carried out and its conclusion.

Paragraph 3. Any reservations or additional information shall be clearly stated in the declaration.

The internal system audit

§ 9. The Management Board of a data center can decide to establish an internal system audit, cf. however paragraph 2.

Paragraph 2. In data centers, performing essential IT operations tasks, including accounting, registration and clearing tasks for financial institutions, an internal system audit must be created.

Paragraph 3. If a board of directors in accordance with paragraph 1. 1 determines the creation of an internal auditing system, the provisions relating to the internal system audit shall apply.

§ 10. The internal system audit is led by a system audit manager. Employment and dismissal of the system audit manager can only be made by the data centre's board of directors.

Paragraph 2. The system audit manager must have been involved in practical auditing work for at least 3 of the preceding 5 years.

Paragraph 3. The Management Board may appoint one or more deputy system audit managers.

Paragraph 4. The Management Board may appoint a VRA of the system audit manager as proxy.

Paragraph 5. The provisions of paragraph 1. 1 and 2 as well as sections 11 and 12 concerning the system audit manager shall apply mutatis mutandis, including to deputies.

§ 11. When a system audit manager accedes, this must be reported to the Financial supervision within one month after accession.

Paragraph 2. When reporting the employment of the system audit manager to the Financial supervision, the Management Board shall make a statement that the system audit manager meets the requirements of section 10 (3). 2.

Paragraph 3. When a system audit manager is made redundant or severed, the Management Board and the system audit manager shall each send a statement to the Financial supervision of the reasons for this.

§ 12. The system audit manager shall have access to all information necessary for the implementation of the system audit, including the Management Protocol.

Paragraph 2. The system audit manager and employees in the internal auditing system must not participate in any other work in the data center than audit.

§ 13. In data centers that have an internal auditing system, a function description approved by the management board must be available. The function description must at least contain provisions for :

1) the general powers, responsibilities and functions of the internal system auditing ;

2) Qualifications of employees,

3) that the appointment of the staff of the internal system audit must be carried out or approved by the system audit manager and that the training of employees must be approved by the system audit manager,

4) the internal system audit budget and that this is approved by the Data Center's Board of Directors, and

5) information on agreements between the data centre's management board and the internal system audit for the execution of special audit tasks. Transitional tasks and tasks of a temporary nature need only appear in the internal system audit protocol.

Paragraph 2. The tasks referred to in paragraph 1, no. 5 must not result in the system audit manager coming into a situation where he/she makes declarations or provides information on conditions or documents for which the system audit manager or staff of the internal system audit have drawn up the basis.

§ 14. In data centers that have an internal auditing system, the audit work must be carried out in accordance with good auditing practices and under a system audit agreement between the external system audit and the system audit system. The system revision agreement must contain at least :

1) a general description of the system audit tasks to be performed and which of these tasks are incumbent on the external system audit and the internal system audit respectively,

2) guidelines for the cooperation between the external system audit and internal auditing, including the work carried out by the external auditing system in connection with the verification of the work of the internal systems audit ;

3) a description of how and to what extent information is exchanged between the internal system audit and the external system audit on the system audit carried out,

4) guidelines for cooperation with

a) internal and external audits in connected undertakings,

b) internal and external systems auditing in other data centers covered by this notice, and

c) internal and external systems auditing in ad valentres.

The internal system audit protocol

§ 15. For use by the data center board, the internal system audit must keep a system audit protocol. During the course of the year, the system audit protocol shall record the system audit carried out, which may form the basis for partial audit conclusions. The system audit protocol shall be presented at any board meeting, and any protocol entry shall be signed by the entire board.

Paragraph 2. For each calendar year the completion of the completed system audit report and the conclusion of this report shall be accounted for in an annual protocol to the conclusion of the annual protocol. In this case, the internal auditing declarations shall be made by the internal auditor declarations relating to the auditing and the content of any reservations or additional information contained in these. In a separate section of the annual protocol, the internal auditing section shall sum up all the observations made by the system audit to the Management Board in the system audit protocol. The summary shall contain a status of the comments made concerning the year in question and a status of the comments which appeared in the minutes of the Protocol on the previous year.

Paragraph 3. In the annual protocol, in a separate paragraph, the system audit manager shall confirm that the system audit manager has not come into a situation in which he/she makes declarations or provides information on conditions or documents for which the system audit manager or employees of the internal system audit have drawn up the basis, cf. Section 13 (1). 2.

Paragraph 4. The annual protocol must state whether the internal system audit has received all the information requested.

Paragraph 5. A copy of the internal system audit's annual protocol for the data centre shall be sent to the Financial supervision each year by 15 February.

Common provisions

§ 16. The system audit shall ensure that the Financial supervision is immediately notified if it

1) must assume that the data centre's entire system, data and reliability in areas covered by this notice is not reassuring, or

2) becomes aware that significant and longer-lasting IT operations problems have arisen in the data centre in relation to the services the data center provides to the connected companies.

Paragraph 2. The notification to the Financial supervision referred to in paragraph 1, no. 2, must at least include

1) the effects of the operational problems on the data centre's exchange of data with other data centers and the related data processing; and

2) the importance of the operational problems for the short-term financial management of the connected companies.

Paragraph 3. If the external system audit or the internal system audit finds conditions concerning the IT usage of one or more of the connected companies that are not reassuring in areas covered by the data centre's services for the enterprise, and these concern matters which are expected to be relevant to the recipients of declarations in accordance with section 7 when making decisions on the system, data and reliability, the system audit shall ensure that the condition is notified in writing, without undue delay, to the directors of the undertakings concerned. The condition must be recorded in the ongoing system audit protocol to the data center board.

§ 17. Section 74 (4). Paragraph 1 and 2, and paragraph 1. THREE, TWO. PC, in the Act of Finance, shall apply mutatis mutandis to the participation and rights of the external system audit and the internal system audit manager at board meetings.

Dissemination of information and supervision

§ 18. Confidential information which the external system audit, the system audit manager and employees in the System Audit Department receive from financial undertakings, financial holding companies or subsidiaries of such undertakings by virtue of their work is covered by § 117 (3). 1, in the law of financial activities.

§ 19. The Financial supervision may require the external system audit or the system audit manager and its representative to provide information on the conditions of the data centre.

§ 20. The Financial supervision may grant exemptions from the provisions of this notice.

Transitional provisions

§ 21. The time limits for the external system revision period referred to in section 2 (2). The first choice of the external auditor shall be taken into account from the first choice of the external auditor in accordance with the order of the Financial 254 of 10. April 2005.

Penalty and entry into force

§ 22. Violation of section 2 (2). 1 and 2, sections 3 and 4, sections 5, 2. pkt., section 6, section 9, paragraph 9. 2 and 3, section 10 (4). 1, 2, and 5, section 11, section 12, paragraph 12. 2, section 13-15, and section 21 shall be punished by fine.

Paragraph 2. Criminal liability may be imposed on companies, etc. (legal persons) under the rules of Chapter 5 of the penal code.

§ 23. The notice shall enter into force on 31 December 2011.

Paragraph 2. Protocol transfers, including year-end protocols and declarations, are prepared in accordance with the notice and its entry into force.

Paragraph 3. At the same time, Financial Regulation no. 1019 of 22 October 2008 on the implementation of the system audit in joint data centers shall be repealed.

§ 24. The announcement does not apply to the Faroe Islands.

Financial supervision, 29 November 2011

Ulrik Nutgaard

/ Stig Nielsen


Appendix 1

The external system audit declaration in accordance with Article 7 of the notice

It follows from Article 3 of the notice that the external system audit shall be carried out in accordance with good auditing practice. Good auditing practice means that the audit is carried out in accordance with relevant auditing standards and declaration standards. It follows that the external system audit declaration to the connected companies on the system, data and reliability, cf. Section 7 of the notice, shall be issued in accordance with ISAE 3402 "Statements with security of controls at a service provider".

If the declaration cannot be concluded without reservation or additional information, it shall have the following wording :

"Our conclusion has been drawn up on the basis of the facts set out in this declaration. The criteria which we have used in drawing up the conclusion are the criteria described on page [ xx ]; we believe that the criteria that are described are:

a) the description of the general IT controls that are relevant to the system, data and reliability of the data centre connected financial undertakings, as they were designed and implemented during the period [ this period will be specified for the period in question, cf. section 7 (7) of the notice. 6 ] in all essential respects is true, and

b) the checks, which relate to the control objectives set out in the description, in all essential respects as appropriate, in the whole period [ this is specified for the period in question, cf. section 7 (7) of the notice. 6 ]

c) the checks tested, which were the checks necessary to ensure a high degree of certainty that the control objectives in the description were achieved in all essential respects, has worked effectively throughout the period [ this period will be entered for the period in question, cf. section 7 (7) of the notice. 6 ].

In addition to the above, we must declare, in accordance with the System Audit Order, that the general IT controls that are relevant to the system, data and reliability of the data centre's connected financial undertakings are in our view reassuring and have operated in a reassuring manner during the period [ this period will be entered for the period in question, cf. section 7 (7) of the notice. 6 ] ".