
The Index and Ratings Provider Internal Audit Playbook

$199.00

A focused course, tailored for you

Build an internal audit cycle that holds up to index methodology, ESG ratings, and client-data controls in one engagement plan.

Your last methodology-change audit concluded "controls operating effectively" on the strength of screenshots. The audit committee chair is asking sharper questions and the client-asset managers are sending vendor due diligence questionnaires that demand specific evidence by control. The next engagement plan has to do more than re-run the prior cycle.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

An internal audit function inside an index, ratings, and analytics provider sits across a control universe that no generic IIA template fits. Methodology change governance is not change management. ESG ratings is not credit ratings. Benchmark regulation is not securities regulation. Calculation agent SOC 1 controls overlap with index methodology controls but the workpapers are written by different teams. Client data flowing to asset managers, banks, and insurers is governed by contracts that the data owners have not read since signing. Vendor due diligence questionnaires from licensee clients now ask for specific evidence on all of it: methodology-change committee minutes, ESG input source attestations, rebalance exception reports, sub-custodian access reviews on the analytics platform. The audit committee chair reads the close-out memo, asks a sharper question than last quarter, and the answer has to already be in the workpapers.

What you walk away with

  • A risk universe segmentation that treats methodology, calculation, distribution, and client data as four distinct audit streams with their own testing rhythm.
  • A methodology change workpaper template that evidences EU Benchmark Regulation Article 4 governance without inventing controls that do not exist.
  • An ESG ratings testing approach that gives input source traceability and rating committee composition evidence the supervisory regime will accept.
  • A clean SOC 1 control crosswalk between your calculation agent attestation and your internal audit assurance, so neither team duplicates the other.
  • A client data privacy and access testing pack that satisfies licensee vendor due diligence questionnaires before they arrive.

The 12 modules

Module 1. Risk Universe for an Index, Ratings, and Analytics Provider
Map the control universe across four streams: methodology governance, calculation and rebalance operations, distribution and licensing, and client and reference data. Each stream gets its own owner, regulator, key controls, and audit rhythm. The output is a risk and assurance map the audit committee chair can read in two minutes and that holds up to a regulator who wants to see how the four streams interact when a methodology change ripples into rebalance and into client-distribution at the same time.
Module 2. Engagement Planning Under the EU Benchmark Regulation
Walk through Article 4 governance, Article 5 control framework, and Article 11 input data requirements as audit objectives, not just policy hooks. The module converts each regulation article into a tested-control assertion, a sample size that survives challenge, and a workpaper section heading. Includes a planning memo that reads cleanly to a JFSA, FCA, or ESMA reviewer asking what your assurance actually covered.
Module 3. Methodology Change Governance Testing
The single hardest audit area in the provider. Test that proposed methodology changes ran through the methodology committee with the documented minimum quorum, that impact analysis was performed on the full client base, that client consultation timelines were met where the policy or regulation requires them, and that the change-log entry matches what actually went live. Includes the workpaper template that the last engagement was missing.
Module 4. Calculation Agent Controls and SOC 1 Crosswalk
Map the calculation agent SOC 1 Type 2 report controls against the internal audit risk and control matrix. Identify the gaps where SOC 1 stops and internal audit must continue, the overlaps where you can rely on the service auditor and document the reliance properly, and the four to six controls where you must test independently regardless of what the SOC 1 says. Includes the reliance memo language.
Module 5. ESG Ratings Input Source Attestation and Rating Committee Evidence
Test the chain from raw ESG data source through the analyst override and into the published rating. Walk through input source traceability evidence the supervisory regime now expects, rating committee composition and conflict of interest controls, and the analyst note workpaper showing the published rating was supported by the documented inputs. Includes the specific data lineage screenshots that count as evidence and the ones that do not.
Module 6. Rebalance and Index Maintenance Operations Audit
Test the operational controls around scheduled and unscheduled rebalances, corporate action processing into index constituents, exception handling when reference data fails validation, and the four-eyes approval on overrides. The module covers the sample selection approach that captures the rare exception events without ballooning hours, and the workpaper sections an audit committee chair specifically looks for after a public rebalance error.
Module 7. Licensing and Distribution Controls
Audit the contract-to-feed pipeline. Test that licensed clients are only receiving the data products they are entitled to, that usage reporting reconciles to billing, that ceased clients are de-provisioned within the contract terms, and that audit clauses in client contracts are actually being met when invoked. Includes the workpaper template that closes the loop between Sales contracts and the entitlement system.
Module 8. Client Data, Privacy, and Cross-Border Transfer Testing
Test the controls around client portfolio data, beneficial ownership data where applicable, personal data of asset manager users on the analytics platform, and cross-border transfers under GDPR Article 46 and equivalents. The module gives the sampling approach that captures both the bulk transfer and the long-tail one-off transfer, and the evidence file structure that satisfies a licensee vendor due diligence questionnaire on the first request.
Module 9. Third-Party Risk and Sub-Custodian-Equivalent Access
Audit third-party access to the analytics, index calculation, and rating production platforms. Test access reviews, privileged access management, joiner-mover-leaver controls for vendor personnel, and the contract clauses that allow you to test what you need to test. Includes the workpaper sections that survive a regulator asking how the provider knows that the offshore data team only sees what the contract says they should see.
Module 10. IT General Controls Specific to a Calculation and Publication Environment
ITGC testing tuned to the production environments that calculate, publish, and distribute. Change management around model and methodology code, segregation of duties between the methodology team and the production engineering team, backup and recovery evidence that has actually been tested, and the disaster recovery workpaper that holds up when a real publication failure happens. Includes the specific sample selection that catches the rushed change.
Module 11. Audit Committee Reporting and the Close-Out Memo
Write the close-out memo and the committee paper. The module covers the specific language an audit committee chair at an index or ratings provider responds to: what the assurance opinion actually means, what residual risk looks like, which findings are management actions and which are governance escalations, and what the licensee clients will see if they ask. Includes a memo template that has landed cleanly with chairs who read the document twice.
Module 12. Annual Plan Integration and Continuous Assurance
Convert the twelve modules into a rolling three-year plan with quarterly checkpoints, the specific regulator focus per cycle, and a continuous-assurance overlay using analytics on the rebalance log, methodology change log, and entitlement system. The module closes the loop on how each engagement feeds the next, how the audit committee dashboard updates between meetings, and how the plan flexes when a new benchmark family or rating product goes live mid-year.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The next methodology change audit lands and the workpapers actually evidence Article 4 governance instead of restating the policy.
A licensee vendor due diligence questionnaire arrives and the evidence pack is already assembled from the last engagement.
The audit committee chair asks the sharper question and the answer is on page two of the close-out memo, not in the auditor's head.
The annual plan refresh has a defensible three-year roadmap that explains why each engagement is sized the way it is.

What you get with this course

  • Twelve written modules in the Art of Service learning environment, each with worked examples drawn from index, ratings, and analytics provider audits.
  • Downloadable workpaper templates: methodology change governance, ESG input source attestation, calculation agent reliance memo, licensing and distribution controls matrix, client data cross-border transfer log, audit committee close-out memo.
  • Worked sample selection memos for rebalance exceptions, methodology committee minutes, and licensee vendor due diligence response packs.
  • A risk universe and control matrix Excel pack pre-segmented across methodology, calculation, distribution, and client data streams.
  • A hand-built implementation playbook tailored to your current audit universe and the specific engagements on your next twelve months of plan.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules one through three are designed to be worked in the first week alongside engagement planning.

Modules four through nine pace across the engagements themselves and are written to be consulted as workpapers are drafted, not read end to end.

Modules ten through twelve land in the closeout and annual plan refresh weeks.

Before and after

Before

Engagement plans inherited from prior years, methodology change audits that conclude on screenshots, SOC 1 reliance done by assumption, ESG ratings testing kept light because nobody wants to argue with the analysts, licensee vendor due diligence answered ad hoc.

After

An engagement plan segmented by the four streams, methodology change workpapers that evidence Article 4 governance, a documented SOC 1 reliance memo, ESG ratings testing that the supervisory regime would accept, and a vendor due diligence evidence pack ready before the first questionnaire lands.

What happens if you do not address this

An audit committee chair reads the next close-out memo, asks a sharper question than last quarter, and the audit function has to come back with a follow-up. A licensee asset manager sends vendor due diligence and the response misses a specific evidence item that competitors of the provider have ready. A regulator picks a benchmark family for a thematic review and the methodology change governance workpapers do not stand up. None of these are catastrophic individually. All of them together rewrite the role.

Who it is for

Internal audit manager at an index, ratings, or analytics provider, three to seven engagements deep into the plan, owner of methodology and product-line audits, presenting to an audit committee that has started reading the close-out memo twice. Comfortable with ISA 315 and the IIA standards. Less comfortable with the specific evidence shape that the EU Benchmark Regulation, IOSCO Principles for Financial Benchmarks, and the recent ESG ratings supervisory regime want to see in workpapers.

Who this is NOT for. External audit seniors signing off financial statements. SOX 404 testers in a non-index issuer environment. Generalist internal auditors who have never tested a benchmark calculation control. Compliance officers who own policy but not testing.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable workpaper templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Eight to twelve hours across the first week to absorb modules one to three and the risk universe pack. After that the modules are designed to be opened as you draft each engagement workpaper. Total active time across a full audit cycle is roughly thirty to forty hours, distributed across the engagements where it earns its keep.

Why $199 is the right number

Generic IIA practitioner training covers internal audit method. It does not cover the Benchmark Regulation, ESG ratings supervisory regime, or the calculation-agent SOC 1 overlap. Big4 advisory engagements solve specific audit areas at a multiple of this cost, repeatable only by re-engaging. A bespoke external consultant builds workpapers for one engagement but does not leave a transferable template behind. This playbook is the in-house version, owned by your function and reusable across engagements.

FAQ

Does this assume the provider is regulated under the EU Benchmark Regulation specifically?
The Benchmark Regulation modules are written for EU exposure but the underlying audit logic carries across IOSCO Principles for Financial Benchmarks and the equivalent supervisory regimes for index providers in the UK, Japan, and Singapore. The implementation playbook is tailored to your specific regulatory exposure.
We outsource calculation to a third party. Does the calculation agent module still apply?
Yes, and that is precisely the case it is written for. The module focuses on the audit reliance memo on the SOC 1 Type 2 report, the gaps your internal audit must continue to cover, and the four to six controls you should test independently regardless of the outsourcing arrangement.
How current is the ESG ratings supervisory content?
Built against the current regimes including the EU ESG ratings regulation and the UK FCA voluntary code of conduct. The implementation playbook flags any jurisdictional update specific to your provider footprint.
Can the implementation playbook reference our actual audit universe?
Yes. After purchase, the playbook is hand-built to your specific product lines, regulators, and engagement plan. Delivered within 24 hours of purchase alongside learning environment access.
Is there a refund window?
Yes. Thirty days from purchase, no questions asked.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
