Title Page
-
Service Provider Name
-
Conducted on
-
Prepared by
Due Diligence
-
InfoSec Annual Review - Provide your infosec framework (Please email or add in platform)
-
InfoSec Annual Testing - Provide your latest specialist external testing of infosec (Latest Pen Test, SOC2 or ISO27001 Certification - Please email or add in platform)
-
BCP Testing - Provide formal report regime for BCP (Please email or add in platform)
-
Business Impact Assessment (BIA) of critical business processes and critical systems - Please provide your latest BIA
-
DR Testing - Provide DR Report - full documented scope, success criteria and outcomes (Please email or add in platform)
-
User Access Review (Please provide latest User access review)
Claims
-
Do you have documented claims processes and policies that are compliant with General Insurance Code of Practice (GICoP)?
-
Do you have current claims procedure manuals?
-
Do you have controls in place to capture the failure of any systems, processes, or controls?
-
Do you have systems and processes in place to monitor, measure and detect whether your employees are complying with the standards under GICoP in the provision of their relevant services?
This includes:
- ensuring employees are adequately trained,
- ensuring employees are experienced, and
- ensuring that relevant professional licences are current.
-
Do you have an effective file quality review process / quality assurance program?
-
Please provide report or evidence via email or on platform, e.g. review question set
-
Do you have a current policy and procedure relating to fraud and anti-money laundering prevention?
-
Please provide report or evidence via email or on platform
-
If you have identified any customers experiencing vulnerability (CEV) have you followed your documented processes for managing these customers?
-
Please provide report or evidence via email or on platform, e.g. a link to your vulnerable customer policy
Complaints and Disputes
-
Do you have a process and controls in place to monitor your handling of complaints?
-
If applicable in the last 12 months, have you successfully submitted your IDR complaints data to ASIC?
Outsourcing
-
Do you intend to outsource any aspect of the services you will provide us?
-
Please provide details of the services being outsourced
Distribution Arrangements
-
Is your Australian Financial Services (AFS) Licence current?
-
Has your AFS Licence been restricted by Australian Securities and Investments Commission (ASIC)?
-
Have you reported any incidents/breaches against your AFS Licence to ASIC for the last 12 months?
-
Have you met all of your regulatory and legislative obligations in respect of your AFS Licence?
-
Have you lodged company accounts with the Regulator (ASIC) over the last twelve months?
- ASIC FS70 Australian Financial Services Licensee Profit and Loss Statement and Balance Sheet
- ASIC FS71 Auditor's Report for AFS Licensee
-
Do you have systems in place to identify, report, manage and monitor conflicts of interest?
-
Have you met your legal and regulatory obligations for record retention and disposal for the last 12 months?
Information Security
-
Have you maintained an information security framework and complied with the relevant legislation?
-
Has your Information Security Controls Framework been reviewed in the last 12 months?
-
Have you become aware of a material weakness in any of your information security controls in the last year?
-
Please provide further details
-
Have you complied with your Information Security Controls testing program?
-
If you became aware of a critical cyber security incident in the last period did you notify the Australian Cyber Security Centre within 12 hours?
-
Please provide further information about the nature of the incident
-
Have you maintained effective User Access Review Controls?
-
Do you use access profiling to ensure the appropriate segregation of duties?
Business Resilience
-
Have you completed a Business Impact Assessment (BIA) of critical business processes and critical systems in the past 12 months?
-
Do you have a Business Continuity Plan (BCP) for each of the critical business processes determined in your BIA which includes a recovery strategy/plan?
-
Do you have an IT Service Continuity Management (ITSCM) Plan with recovery time and recovery point objectives to align with the BIA?
-
As part of your ITSCM plan, do you have a Disaster Recovery Plan (DRP) for each of the critical systems determined in your BIA?
-
Have all core operating systems used in providing services to us, been continuously available during core business hours during the last 12 months?
Fraud and Corruption
-
Have you reported any suspected or actual misconduct in the last 12 months?
Training
-
Have staff received adequate training, do they have the skills and qualifications to do their roles, and are records of that training maintained?
-
Have you maintained the organisational competence required to meet your Australian Financial Services (AFS) Licence obligations and/or other legislation?
Incident Management
-
In the last 12 months did you receive any notices from regulators or Australian Financial Complaints Authority (AFCA) that pertain to services you intend to provide to SCC?
-
Please provide further information
-
Have you maintained an effective incident management process during the last 12 months?
Privacy
-
Have you taken all reasonable steps in the last 12 months to comply with all applicable privacy legislation?
-
Have there been any new processes/projects or changes to current processes that impact the handling and/or processing of personal information related to services you intend to provide SCC?
-
Please provide further information
-
Who is your designated privacy officer?
Modern Slavery
-
Do you have policies and processes in place to assist with the identification and eradication of modern slavery in your supply chain network?