prescient isae3402 report 31-03-2017 final · isae 3402 service organisation review type 2 report...


Upload: trinhkiet

Post on 09-Sep-2018


ISAE 3402

SERVICE ORGANISATION REVIEW

TYPE 2 REPORT

AS AT 31 MARCH 2017

THE PRESCIENT GROUP INCLUDES PRESCIENT INVESTMENT MANAGEMENT (PTY) LTD, PRESCIENT LIFE LTD, PRESCIENT FUND SERVICES (PTY) LTD AND PRESCIENT MANAGEMENT COMPANY (RF) PTY LTD

AND PRESCIENT FUND SERVICES (IRELAND) LTD

Prescient Group


CONTENTS

1  INDEPENDENT SERVICE AUDITOR’S ASSURANCE REPORT ON THE DESCRIPTION OF CONTROLS, THEIR DESIGN AND OPERATING EFFECTIVENESS
2  STATEMENT BY THE SERVICE ORGANISATION
3  OVERVIEW AND SCOPE OF WORK
3.1  Introduction
3.2  Sampling methodology
3.3  Exceptions discovered during testing
3.4  Summary of control objectives tested and results of testing
4  PRESCIENT MANAGEMENT’S DESCRIPTION OF OPERATIONS AND INTERNAL CONTROLS
4.1  Overview of Prescient
4.2  Control environment
4.3  Accepting Clients
4.4  Authorising and processing transactions
4.5  Maintaining financial and other records
4.6  Cash management and segregation of assets
4.7  Monitoring Compliance
4.8  Reporting to Clients
4.9  IT General Control Environment
5  CONTROL OBJECTIVES, CONTROL ACTIVITIES AND TESTING OPERATING EFFECTIVENESS OF CONTROLS
5.1  Accepting Clients
5.2  Authorising and processing transactions
5.3  Maintaining financial and other records
5.4  Cash management and segregation of assets
5.5  Monitoring Compliance
5.6  Reporting to Clients
5.7  IT General Control Environment
6  MANAGEMENT’S COMMENTS THAT DO NOT FORM PART OF OUR OPINION


1 Independent Service Auditor’s Assurance Report on the Description of Controls, their Design and Operating Effectiveness

To the Directors of Prescient Group

Scope

We have been engaged to report on Prescient Group’s (“Prescient”) description of its investment management and administration system, as documented in Section 4 and the “Prescient Process” and “Prescient Control Activities” as documented in Section 5, as at 31 March 2017 (“the description”), and on the design and operation of controls related to the control objectives stated in the description. For the purpose of our engagement and this report, “Prescient” refers to Prescient Investment Management (Pty) Ltd, Prescient Life (RF) Ltd, Prescient Fund Services (Pty) Ltd, Prescient Management Company (RF) (Pty) Ltd and Prescient Fund Services Ireland (Pty) Ltd, as the investment management and administration system operates across all of these entities.

Prescient’s Responsibilities

Prescient is responsible for: preparing the description in Section 4 and the accompanying statement in section 2, including the completeness, accuracy and method of presentation of the description and the statement; providing the services covered by the description; stating the control objectives; and designing, implementing and effectively operating controls to achieve the stated control objectives.

Our Independence and Quality Control

We have complied with the independence and other ethical requirements of the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behavior.

The firm applies International Standard on Quality Control 1 and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

Service Auditor’s Responsibilities

Our responsibility is to express an opinion on Prescient’s description and on the design and operation of controls related to the control objectives stated in that description based on our procedures. We conducted our engagement in accordance with International Standard on Assurance Engagements 3402, “Assurance Reports on Controls at a Service Organisation” issued by the International Auditing and Assurance Standards Board. That standard requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.

An assurance engagement to report on the description, design and operating activities of controls at a service organisation involves performing procedures to obtain evidence about the disclosures in the service organisation’s description of its system and design and operating effectiveness of controls. The procedures selected depend on the service auditor's judgement, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures include testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organisation and described in Section 2.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our qualified opinion.


 Limitations of Controls at a Service Organisation

Prescient’s description is prepared to meet the common needs of a broad range of clients and their auditors and may not, therefore, include every aspect of the system that each individual client may consider important in its own particular environment. Also, because of their nature, controls at a service organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Also the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at the service organisation may become inadequate or fail.

 


Basis for Qualified Opinion

1. Reference: 5.3.5.1 & 5.3.5.5

Control objective: Controls provide reasonable assurance that investment management fees, performance fees are accurately calculated and recorded.

Qualification on design/operating effectiveness: Prescient states that it has controls in place to meet this objective, including the fact that management packs are produced and reviewed monthly by a senior member of the finance team. However, for one of the months selected we were unable to inspect evidence that the management pack was reviewed by a senior member of the finance team. As a result of this exception, the operating effectiveness of the control failed and the control objective was not met.

2. Reference: 5.7.3.4, 5.7.3.5, 5.7.3.6 & 5.7.3.7

Control objective: Controls provide reasonable assurance that logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.

Qualification on design/operating effectiveness: Prescient states that it has controls in place to meet this objective, however, a number of exceptions were noted in testing the controls related to this control objective:

The following controls were not suitably designed to achieve this control objective:

1 Users are not assigned multiple accounts. We found however, multiple user IDs for 2 users on Eagle Access and 4 users on T-Cube.

2 Administrative access is restricted to appropriate personnel. We found, however, that administrative access through the sharing of generic user accounts is granted on the T-Cube Database (DB) and Operating System (OS) as well as the Thinkfolio DB and OS.

In addition the following controls did not operate effectively during the period:

3 Users who terminate employment or transfer job functions are removed in a timely manner from the application and database. We found, however, that the user accounts for 2 Eagle Access users who have left the organisation have not been locked and not been terminated.

4 A review of the appropriateness of access is performed for the Active Directory, T-Cube and Eagle Access application and database. We found, however, that evidence of the annual review of the user access to confirm validity and appropriateness of user access could not be obtained for the Eagle Access application.

As a result of these exceptions the control objective was not met.


Qualified Opinion

Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion are those described in Section 2. In our opinion:

(a) The description fairly presents Prescient’s investment management and administration system as designed and implemented throughout the year from 1 April 2016 to 31 March 2017;

(b) Except for the effects of the matters described in 2 in the Basis for Qualified Opinion table above the controls related to the control objectives stated in the description were suitably designed and implemented throughout the year from 1 April 2016 to 31 March 2017; and

(c) Except for the effects of the matters described in 1 and 2 in the Basis for Qualified Opinion table above the controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively throughout the year from 1 April 2016 to 31 March 2017.

Description of tests of controls

The specific controls tested and the nature, timing and results of those tests are listed in the “KPMG test procedure and results of testing” portion of Section 5.

Other Matter

Sections 2.1 and 6 include supplementary information in the form of management comments on the exceptions identified in Section 5. This information is not covered by our opinion.

Intended users and purpose

This report and the description of test of controls in Section 5 is intended only for clients who have used Prescient’s systems, and their auditors, who have a sufficient understanding to consider it, along with other information, including information about controls operated by clients themselves, when assessing the risks of material misstatements of client’s financial statements.

KPMG Services (Pty) Limited
Per GC Krüger
Chartered Accountant (SA)
Director
16 May 2017

1 Mediterranean Street
Foreshore
Cape Town
8001


2 Statement by the Service Organisation

The accompanying description has been prepared for clients who have used the investment management and administrative operations of Prescient and their auditors, who have a sufficient understanding to consider the description, along with other information, including information about controls operated by clients themselves, when assessing the risks of material misstatements of clients’ financial statements.

Prescient confirms that:

(a) The description of the investment management and administration system, documented in Section 4 and the “Prescient Process” and “Prescient Control Activities” portions of Section 5, fairly presents its controls related to investment management and administration operations as designed and implemented throughout the period 1 April 2015 to 31 March 2016. The criteria used in making this statement were that the accompanying description:

(i) Presents how the system was designed and implemented, and including:

The types of services provided, including, as appropriate, classes of transactions processed.

The procedures, within both information technology and manual systems, by which those transactions were initiated, recorded, processed, corrected as necessary, and transferred to the reports prepared for clients.

The related accounting records, supporting information and specific accounts that were used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information was transferred to the reports prepared for clients.

How the system dealt with significant events and conditions, other than transactions.

The process used to prepare reports for clients.

Relevant control objectives and controls designed to achieve those objectives.

Controls that we assumed, in the design of the system, would be implemented by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by ourselves alone.

Other aspects of our control environment, risk assessment process, information system (including the related business processes) and communication, control activities and monitoring controls that were relevant to processing and reporting clients’ transactions.

(ii) Includes the relevant changes to the service organisation’s system during the period 1 April 2015 to 31 March 2016.

(iii) Does not omit or distort information relevant to the scope of the system being described, while acknowledging that the description is prepared to meet the common needs of a broad range of clients and their auditors and may not, therefore, include every aspect of the system that each individual client may consider important in its own particular environment.


(b) The controls related to the control objectives stated in the accompanying description were suitably designed and operated throughout the period 1 April 2016 to 31 March 2017. The criteria used in making this statement were that:

(i) The risks that threatened achievement of the control objectives stated in the description were identified;

(ii) The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved; and

(iii) The controls were applied as designed, including that manual controls were applied by individuals who have the appropriate competence and authority, throughout the period 1 April 2016 to 31 March 2017.

Prescient Group

C Mockford
Chief Operating Officer
16 May 2017


2.1 Comments by the Service organisation on exceptions noted in the Qualified Opinion

Reference: 5.3.5

Control objective: Controls provide reasonable assurance that investment management fees, performance fees are accurately calculated and recorded.

Management response*: The month of November 2016 was an anomaly in that there were certain major operational and financial activities that resulted in the CFO’s review of the management pack being delayed. The management pack for the month of November was subsequently reviewed. The packs for the months prior to and subsequent to November 2016 were reviewed. Management packs are also distributed to the relevant executives, who review the management packs of their business units. It should also be noted that management packs contain comparative, year to date information for each month, meaning that subsequent months included November 2016 information.

Reference: 5.7.3.4

Control objective: Controls provide reasonable assurance that logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.

Management response*: These are users that left the employ of Prescient during Feb 2017 and the accounts were only locked at the end of the following month, after the audit extract was retrieved, at which point it was verified that the users had not accessed the system since their last day of employment.

Reference: 5.7.3.5

Management response*: The two T Cube users (4 user IDs) that have been duplicated are as a result of the original user account that was created which differed to that of the Active Directory user and therefore the user could not access the system. The one duplicated Eagle user (2 user IDs) was as a result of the external user locking himself out because his PC was set to remember his password and was unable to clear the stored password and needed the information urgently. A new user was therefore created in the above instances. Important to note that there was no concurrent access by the users through their various accounts.

Reference: 5.7.3.6

Management response*: There was no documented annual review sign off since there is an ongoing review performed throughout the year as and when users are created or terminated. In future the control is to be updated to only cover a documented annual review of users with write access to Eagle.

Reference: 5.7.3.7

Management response*: The shared account is only available to 3 staff members who have been in Prescient’s employ in excess of 7 years. Even though the access is shared, the IP addresses of the machines connecting to these servers are logged and can be traced if required. We have recently appointed a dedicated Database Administrator (DBA). The DBA will administer these databases removing shared access.

* Refer also to section 6 for detailed exceptions and management comments


3 Overview and scope of work

3.1 Introduction

Our review was performed in terms of International Standard on Assurance Engagements (ISAE) 3402 “Assurance Reports on Controls at a Service Organisation”. Our fieldwork covered the period 1 April 2016 to 31 March 2017 and was conducted during the period of October 2016 and March to May 2017.

The scope of our review was based on criteria (control objectives) agreed with management of Prescient. These were agreed prior to the commencement of the review.

Our procedures included interviews with key personnel, inspection of documents and records, observation of Prescient’s activities and operations, structured walkthrough procedures and a combination of these procedures to determine the effective design and operation of the internal controls. In addition our procedures were limited to the period 1 April 2016 to 31 March 2017 and do not extend to any events subsequent to that period.

Controls that are performed by clients remain their responsibility and were not considered as part of this engagement.

Control objectives were split between business process and IT process objectives. For each of these processes, we gained an understanding of the operation of the process. We then assessed the adequacy of the design and implementation and operating effectiveness of those controls to achieve the stated control objectives. This assessment is reported in section 5 below.

3.2 Sampling methodology

In terms of the frequency of the performance of the control by Prescient, we consider the following guidance when planning the extent of tests of control for specific types of controls.

Where a manual control is performed periodically or is recurring, the following guidelines are utilised:

Frequency of control procedure | Minimum sample size
Quarterly | 2
Monthly | 2
Weekly | 5
Daily | 15
More than daily | 25

Tests of controls are based on the above sample sizes.

General IT controls may be manual, manual with an automated component or automated. Where the General IT control is manual or manual with an automated component, the guidelines above related to the extent of testing of manual controls are considered to determine the extent of testing of General IT controls. Where the General IT control is automated, we use our professional judgement, combined with the guidance above.


3.3 Exceptions discovered during testing

The concept of effectiveness of the operation of controls recognises that some exceptions in the way controls are applied by Prescient may occur. Exceptions from prescribed controls may be caused by such factors as: changes to key personnel, significant seasonal fluctuations in volume of transactions and human error.

We use judgement in considering the overall operating effectiveness of the control by considering the number of exceptions detected, the potential significance of the financial statement effect, as well as other qualitative aspects of the exceptions such as the cause of the exception.

When we identify an exception for a periodic or automated control, we consider whether other controls may provide the evidence we require.

When we identify an exception for a recurring manual control, we consider whether:

to increase the extent of testing to be performed and/or

other controls may provide the evidence we require.

If we find a single deviation in our initial sample for a recurring manual control operating multiple times per day, when we did not expect to find control deviations, we consider whether the deviation is representative of systematic or intentional deviations.

If control deviations are found in tests of controls which operate daily or less frequently, the sample size cannot be extended and we assess such controls as ineffective.


3.4 Summary of control objectives tested and results of testing

The table below summarises the various objectives that have been tested and the related exceptions, if any:

Control Objective | Number of controls tested | Results

Accepting Clients

5.1.1 Controls provide reasonable assurance that complete and authorised client agreements are operative prior to initiating investment activity. | 4 | Control objective met.
5.1.2 Controls provide reasonable assurance that accounts are set up and administered in accordance with client mandates and applicable regulations. | 9 | Control objective met.
5.1.3 Controls provide reasonable assurance that clients’ take-on, including in-specie transfers, are monitored, documented and opening positions are accurately reported to clients. | 9 | Control objective met.

Authorising and processing transactions

5.2.1 Controls provide reasonable assurance that the responsibility for generating proxy voting instructions is clearly established. | 1 | Control objective met.
5.2.2 Controls provide reasonable assurance that the investment strategy is implemented in a timely manner. | 1 | Control objective met.
5.2.3 Controls provide reasonable assurance that investment transactions are executed and allocated in a timely and accurate manner. | 7 | Control objective met.
5.2.4 Controls provide reasonable assurance that investment and related cash transactions are completely and accurately recorded. | 6 | Control objective met.
5.2.5 Controls provide reasonable assurance that corporate actions are processed and recorded accurately and in a timely manner. | 6 | Control objective met.
5.2.6 Controls provide reasonable assurance that proxy voting instructions are generated and recorded and carried out accurately and in a timely manner. | 2 | Control objective met.
5.2.7 Controls provide reasonable assurance that client new monies and withdrawals are processed and recorded completely and accurately and that withdrawals are appropriately authorised. | 12 | Control objective met.


Maintaining financial and other records  

5.3.1 Controls provide reasonable assurance that investment income is recorded accurately, completely, and in the proper period. 4

Control objective met.

 

5.3.2 Controls provide reasonable assurance that investments are valued using current prices obtained from independent external pricing sources or determined according to approved pricing policies and procedures for fair values in circumstances where independent sources are not available.

5

Control objective met.

 

5.3.3 Controls provide reasonable assurance that investments are valued using market-related spreads and accurate yield curves. 1

Control objective met.

 

5.3.4 Controls provide reasonable assurance that cash and investment positions are

completely and accurately recorded and reconciled to third party data.

7

Control objective met.  

5.3.5 Controls provide reasonable assurance that investment management fees and performance fees are accurately calculated and recorded. 11

Exceptions noted.

Control objective not met.

 

5.3.6 Controls provide reasonable assurance that issues and cancellations (including switches) of units are recorded completely and accurately, and positions are regularly reconciled.

3

Control objective met.

 

5.3.7 Controls provide reasonable assurance that fund pricing is accurate and timely. 3

Control objective met.

 

5.3.8 Controls provide reasonable assurance that expenses are accurately calculated and recorded in accordance with the requirements of the fund and on a timely basis. Number of controls tested: 3. Results: Control objective met.

5.3.9 Controls provide reasonable assurance that fund distributions are accurately calculated, authorised and recorded, and distributed in a timely manner. Number of controls tested: 5. Results: Control objective met.


Cash management and segregation of assets  

5.4.1 Controls provide reasonable assurance that client money is segregated. Number of controls tested: 3. Results: Control objective met.

Monitoring Compliance  

5.5.1 Controls provide reasonable assurance that client portfolios are managed in accordance with investment mandates. Number of controls tested: 1. Results: Control objective met.

5.5.2 Controls provide reasonable assurance that transactions (including mandate breaches and deal amendments) are rectified promptly and accurately. Number of controls tested: 2. Results: Control objective met.

5.5.3 Controls provide reasonable assurance that pricing and distribution rate errors are rectified in a timely manner. Number of controls tested: 4. Results: Control objective met.

Reporting to Clients  

5.6.1 Controls provide reasonable assurance that client reporting in respect of portfolio transactions, holdings and performance, commission and voting is complete and accurate. Number of controls tested: 2. Results: Control objective met.

IT General Control Environment  

5.7.1 Controls provide reasonable assurance that physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals. Number of controls tested: 3. Results: Control objective met.

5.7.2 Controls provide reasonable assurance that the physical IT equipment is maintained in a controlled environment. Number of controls tested: 2. Results: Control objective met.

5.7.3 Controls provide reasonable assurance that logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques. Number of controls tested: 7. Results: Exceptions noted. Control objective not met.


5.7.4 Controls provide reasonable assurance that segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles. Number of controls tested: 1. Results: Control objective met.

5.7.5 Controls provide reasonable assurance that data transmissions between the service organisation and its counterparties (Eagle (accounting system)) are complete, accurate, timely and secure. Number of controls tested: 2. Results: Control objective met.

5.7.6 Controls provide reasonable assurance that appropriate measures are implemented to counter the threat from malicious electronic attack (e.g. firewalls, anti-virus, etc.). Number of controls tested: 4. Results: Control objective met.

5.7.7 Controls provide reasonable assurance that development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented. Number of controls tested: 1. Results: Control objective met.

5.7.8 Controls provide reasonable assurance that data and systems are backed up regularly, retained offsite and regularly tested for recoverability. Number of controls tested: 2. Results: Control objective met.

Explanation of control numbering in the detailed control tables which appear under sections 5.1 to 5.6:

The detailed controls and results of testing for each control (excluding IT controls) are set out in the body of the report, which spans sections 5.1 to 5.6. The relevant controls are tabulated and numbered/referenced sequentially under each control objective, e.g. 5.1.1.1, 5.1.1.2, etc. However, to distinguish between controls performed by Prescient Fund Services Ireland (PFSI), Alternative Administration and all other domestic (South Africa) business units, “a” and “b” are inserted at the end of the control reference. Where a control reference ends with an “a”, this denotes that it is a PFSI control. Where a control reference ends with a “b”, this denotes that it is an Alternative Administration control. The remaining control references, which do not end in an “a” or “b” (e.g. 5.1.1.1) and which represent the majority of the controls tabulated in this report, relate to all other domestic business units.


4 Prescient Management’s Description of Operations and Internal Controls

This section has been produced by management to provide an overview of their operation and related internal controls.

4.1 Overview of Prescient

Prescient was launched in 1998 as an investment management firm with the stock broking business following in 1999. Over the years, Prescient has evolved into a partnership of people and companies servicing a broad range of clients. Our business has been structured to efficiently and seamlessly meet the needs of our clients and the investing community. Being a trend-setter in various fields locally, we've spread our wings into sub-Saharan Africa, Europe and Asia.

What started as a quantitative investment management business has evolved to include an administration services division, a stock broking arm that has developed into a niche player, a wealth manager, retail product offerings, a linked life company and retirement products.

The investment management and administrative services are now offered by Prescient Investment Management (Pty) Ltd, Prescient Life (RF) Ltd, Prescient Fund Services (Pty) Ltd, Prescient Fund Services (Ireland) Ltd and Prescient Management Company (RF) (Pty) Ltd (collectively “Prescient Group”).

As we expand into new markets and grow the business, we strive to maintain the culture, work ethic and commitment to clients that have contributed to our success thus far. To manage the growth of the business, we ensure that we are ahead of the curve in terms of infrastructure, systems and people.

Prescient’s founding philosophy was and remains the creation of an organisation that embraces the positive spirit, growth and development that a partnership with full equity participation in the new South Africa produces.

4.2 Control environment

The control environment is an essential component of an organisation’s governance structure and includes the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. The objective of an internal control structure is to provide reasonable, but not absolute, assurance as to the integrity and reliability of the financial information, the protection of assets from unauthorised use or disposition, and that transactions are executed in accordance with management’s authorisation and client instructions. The management of Prescient has established and maintained an internal control structure that monitors compliance with established policies and procedures.

Prescient’s executive management are accountable for monitoring the system of internal control within the business. Prescient’s executive management have implemented an internal control system designed to facilitate effective and efficient operations. The control environment has been designed to enable management to respond appropriately to significant business, operational, financial, compliance and other risks. The system of internal control contributes to ensuring adequate control of internal and external reporting and compliance with applicable laws and regulations.

Prescient regards its internal control environment as fundamental to its business strategy. All business development initiatives are required to adhere to stringent control standards.

 


The controls and their related operations are described in more detail in this section. In determining the controls and control objectives we took into account the following criteria:

The risks that threatened achievement of the control objectives stated in the description were identified;

The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved; and

The description of the controls and control environment does not omit relevant information.

4.3 Accepting Clients

Following a successful presentation to a client, the following procedures occur to take on a new client:

A mandate is drafted and signed by the client and Prescient. The mandate will normally include the granting of power of attorney over bank and scrip accounts to Prescient. Prescient opens a bank account for the client and a scrip account at the same bank. An e-mail is sent to the client with the bank account details for their own records.

In certain instances a client will prefer to open the account, in which case Prescient is notified (the details are, however, still included in the mandate).

Management fees are agreed with the new client when the mandate is signed by both parties. The management fee can be calculated in several ways depending on the specific client mandate. These include daily portfolio valuation, monthly portfolio valuation and performance fees.

On the initial joining of a client, a take-on checklist is completed. On this checklist, one of the sections is whether performance fees are applicable. Performance fees are only calculated if there is a mandate in place.

PFSI

Standard mandates, which are in line with Irish Central Bank requirements, are entered into and arrangements are made to open custodian accounts with BNY Mellon, in order to facilitate the take on of client scrip and cash.

Alternative Administration

Investors subscribe by completing the relevant subscription documents, which are signed as proof of acceptance, and the capital is paid into the documented Fund bank account. All Net Asset Value (NAV) based fees, as defined in the legal agreements of the funds, are agreed with the Investment Manager upfront and designed into monthly fee calculator workbooks (which integrate into the accounting systems). The NAV based fees (which include administration, management and performance fees) are then calculated monthly and are signed off with the Investment Manager as part of the monthly NAV signoff process.

 


4.4 Authorising and processing transactions

Transfer of funds/scrip

Transfer of funds/scrip occurs as follows:

Notification is received by the client (e-mail) if a transfer has been made.

Upon notification, the administration department will review the bank and/or custody account to confirm that the transaction has occurred and positions are reconciled before any trading on that account commences.

Scrip transfers are checked against custody communications. In the case of Standard Bank and Nedbank this is done via online viewing of scrip balances, whereas for the other banks, balances are confirmed via fax from the custodians.

Once all transactions have been confirmed, approval is given by the administration department to the dealers that trading on the accounts may commence.

PFSI

Transfers of funds/scrip occur as part of the take-on process and are agreed and managed in consultation with the investment manager and custodian.

Alternative Administration

Transfers of funds/scrip are managed for these funds as part of the launch or go live of these structures to a detailed take on process, and agreed to the prior administrator book of records and, as applicable, to the investment manager.

Trading process

Orders for the purchase and sale of equities are initiated by the trading team and executed by the brokerage team. A manual deal sheet is completed by the trading team and signed by an authorised signatory. The deal sheet will stipulate the rate at which the deal is to be executed by the brokers. The deal sheet is then sent to the portfolio administration team who will upload the deal on Eagle. A copy of the deal sheet will then be sent to the brokers. The administration team will keep all the deal sheets for the day while they are being executed by the brokers. Once the trade has been executed the administration team will receive a copy of the broker's note and match it to the deal sheet. Any unmatched deals will be investigated by the administration team with the fund manager and/or counterparty and any differences in the trade details will be updated within Eagle or by the counterparty as necessary.

The administration team is responsible for reconciling swap agreements, broker notes and deal sheets. Settlement instructions are prepared and sent to the relevant custodians for settlement of the trade only once the trade has been reconciled and matched to the counterparty. The same control environment is in place for both purchases and sales. Standard Corporate and Merchant Bank, Rand Merchant Bank and BNP Paribas e-mail Prescient a daily booking report, which includes the current position of any derivative instruments held, previous day derivative positions and trades done. This report is reconciled to the positions on Eagle, updating the portfolio for any trades. The report is also compared to the deal slip for completeness and accuracy. An Excel spreadsheet is maintained to monitor and reconcile the daily cash flows for mark-to-market and initial margin settlements required with each bank for each account. This reconciliation reconciles Eagle daily calculated margin amounts against that received by the bank.


Orders for the purchase and sale of money market instruments are initiated and executed by the trading team. A manual deal sheet is completed by the trading team and signed by an authorised signatory. The deal sheet will stipulate the rate and amount at which the deal is to be done. The deal will then be executed by the trading team with the counterparty over the phone. The deal sheet is then sent to the portfolio administration team who will upload the deal on the investment system. If the money market instrument is a new instrument, then the trading team will create the instrument on Eagle. Dematerialised money market trades are reported to Strate for matching with the counterparty. The counterparty or Strate will contact the trading team if they find any discrepancies. The administration team will send a settlement instruction to the custodians to transfer money to the counterparty as per the deal sheet once trade details have been matched at Strate. A signed settlement instruction will then be sent to the custodian for settlement of physical money market positions that are not in dematerialised form. All trades are sent to the custodian for settlement via the DataMatrix tool using SWIFT. DataMatrix is an internal tool that tracks the status of the trades and identifies money market trades that are in a “Matched” state with Strate; upon review, the administrator acknowledges that SWIFT instructions for settlement to the custodian are ready to be sent for all trades that have met the matching criteria with the counterparty. A manually signed letter of instruction for settlement will be sent to the custodian for execution of physical money market positions that are not in dematerialised form. The DataMatrix tool will identify traded money market positions whereby the security is not in dematerialised form. The administrator reviews the status on DataMatrix after importing the trade files and will generate manual letters of instruction, which are reviewed and matched to the deal sheet and signed by an authorised signatory before they are sent to the custodian for settlement.

Alternative Administration

The administration of the Hedge Funds typically follows one of two operating models: the prime broker model or the fund of hedge fund model.

Prime Broker model

Hedge Funds, via their assigned Investment Manager, designate a choice of prime broker(s) and trade via these accounts and any other platforms as defined in the Fund’s investment management agreement (referred to as the Portfolio Management Agreement for the Regulated Hedge Funds under Prescient Management Company (RF) (Pty) Ltd platform) with the assigned Investment Manager. The administration of the trading activity is matched and reconciled on a daily basis via the Accounting Systems used, daily Excel workbooks, to both Investment Manager confirmed trade instructions and to information reported and accounted for, at the applicable Prime Broker(s).

Fund of hedge fund model

Hedge Funds, via their assigned Investment Manager, document an investment policy and liaise with the Administration Team to transact in compliance with the mandate relating to deals for the purchase and sale of underlying investments, which can include other hedge funds and various money market transactions. The administration of the trading activity is matched and reconciled on a daily basis via the Accounting Systems used, daily Excel workbooks, to both Investment Manager confirmed trade instructions and to information reported and accounted for, at the applicable underlying administrator or custodian of that underlying trade or transaction.

Bank reconciliations

An extract of the bank balances from Eagle is obtained and compared to the bank balance per the electronic banking system positions. For SCB, Societe Generale, FNB, Bank of New York, Citibank, Standard Bank, JP Morgan and Nedbank, bank account balances are saved daily. The settled cash balances for each client account are sourced from Eagle and updated. Existing reconciliation templates per fund administrator are then automatically updated and exceptions are highlighted with the use of formulas stored in the file templates. The bank reconciliation is performed by each fund administrator on a daily basis. All reconciling items are investigated and reasons for reconciling items are noted on the reconciliation.


Senior Prescient staff members review each fund administrator’s account on a weekly basis to ensure that long outstanding reconciling items are being attended to. Any exceptional outstanding items identified through this process are also taken to the Prescient group risk meetings which are held quarterly, for further review.

Alternative Administration

The administration of all bank accounts of each Hedge Fund is reconciled on a daily basis with a detailed reconciliation process performed at month end, agreed to third party statements and accounted for daily into the valuation of that Hedge Fund. The monthly reconciliation process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist.

Scrip Reconciliations

The administration department reconciles the custodian statement to the portfolio holdings on a monthly basis. Any differences are followed up. The reconciliations are automated in the administration system, and the custodians' positions are updated via SWIFT. The report is completed in Excel in order to bring in external data sources such as Finswitch record of client positions in order to reconcile Manco unit holdings. Each administrator investigates any reconciling differences and a review is performed by a senior team member.

Alternative Administration

The administration of all custodian accounts of each Hedge Fund is reconciled on a daily basis with a detailed reconciliation process performed at month end, agreed to third party statements and accounted for daily into the valuation of that Hedge Fund. The monthly reconciliation process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist.

Price Feeds

Listed equity and bond prices are received from I-Net Bridge (I-Net) at 15h00 and fund pricing begins at 15h15. Prescient also receives the closing bond yields from BESA for bond instruments. A spreadsheet is maintained with links to I-Net that pulls in the closing prices directly from I-Net.

For listed bonds, money markets and credit linked notes, an Excel spreadsheet, with links to I-Net to import prices, is maintained. The prices are compared to the BESA prices for the same time stamp, and any differences will be followed up. Another check that is performed is to compare the I-Net prices per the Excel spreadsheet to the ICDF file sent by I-Net, to ensure that all prices agree. The same procedure will be followed for equities, and the closing prices on the spreadsheet will be compared to the I-Net ICDF file to ensure that the prices agree.

SAFEX and Yieldx prices are included on the I-Net feed, and the daily booking fee report from Standard Bank (the clearing member) is used to agree the prices imported from the I-Net feed, thereby ensuring that the daily mark to market calculation is correct.

For the unlisted money market securities, a clean price feeds daily from Fincad into Eagle. This happens automatically at 12 o'clock every day. Eagle will calculate the accrued interest on each money market security and add it to the clean price to get the all-in-market value.

The Fincad tool values all other unlisted instruments. Fincad is a valuation tool, with built in models, to value each type of instrument. Contract/deal information feeds automatically from Eagle into Fincad. Fincad then uses the daily SWAP curve, built by Prescient, together with deal information from Eagle, and other market related information from Bloomberg to get a clean price per instrument.

 


For OTC derivatives (Interest Rate Swaps), a clean price feeds twice a day from Fincad into Eagle. This happens automatically at 12 o'clock and end of business every day. Eagle will calculate the accrued interest on each security and add it to the clean price to get the all-in-market value.

Contract for Differences (“CFDs”) derivatives are based off equity underlyings, with daily prices obtained from the I-Net / Bloomberg closing price feeds and used to price CFDs on a daily basis. These prices are uploaded into Eagle and reconciled back to Prime Broker data on a daily basis. The pricing of CFDs is then used to calculate daily mark to markets, which are valued in the underlying funds.

For Fund of Hedge Fund investments, prices are agreed to monthly investment statements received from underlying administrator or custodians. These unlisted securities are then set up in the Accounting System. The pricing is uploaded into Eagle on a daily basis, based on the latest available prices received.

Portfolio valuations are reviewed by the administration department and the fund managers on a daily basis for reasonability. One check performed by the fund manager is to ensure that all portfolios within a composite perform relatively the same. The reasonability check is performed by comparing today's prices to the previous day, to ensure that all significant movement in prices can be identified and explained. Fund price movements are compared to the benchmark movement as well as to movements in similar portfolios. An explanation is sought for large variations above 5% for equities and 0.1% for bonds.

Alternative Administration

Portfolio valuations are reviewed and signed off, based on the dealing frequency of the applicable Hedge Fund. The administration of all components of each Hedge Fund is reconciled on a daily basis (and evidenced in a daily reconciliation workbook), with a detailed reconciliation process performed at month end. The Portfolio valuations are accounted for on a daily basis in the Accounting Systems. The monthly valuation process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist.

Corporate Events

Corporate event notifications, pending for processing, are fed into the Eagle system via a Bloomberg data feed on a daily basis each night. This is validated with a second source such as a custodian event diary. The event is then approved in the system and the system will then generate the required journal entries for each client holding applicable. Every corporate event raised in the system is signed off by a senior staff member and event details are then kept on file. Event entitlements are raised to the client’s account on the ex-date of the event by the system automatically as part of the system's scheduled start of day run. Any unallocated income is identified via the bank reconciliation process.

An entitlement report is received from the custodian by the administration team for items (such as dividends) several days before settlement is expected. This report serves as a final confirmation that the income event is payable and will be settled shortly. The entitlement report is checked against the dividends raised on Eagle to ensure that the amount agrees, and also checked against the payment on settlement date.

Corporate actions on unlisted CFDs are verified to event slides and to Prime Broker records. This reconciliation is performed daily and, as part of the monthly checklist process, the corporate actions on these “manufactured” dividends are checked for accuracy against event slides, against Prime Broker (PB) election and for completeness, against the Accounting Systems universe of underlying equity corporate event listings.

Elections regarding corporate events

If a decision regarding an election is to be made then the investment team will make the decision.

The administration department is informed of the decision and in turn notifies the custodian of the election decision via email. The administration department then monitors the expected receipt of any scrip/cash and ensures that it is included in the scrip holding report/bank statement.

Investment Income

The daily bank reconciliation process identifies any interest and dividends received. The entitlement report will also highlight dividend/interest receipts to be expected.

Alternative Administration

System interest accruals are matched to month end third party accruals and statements, and are then adjusted appropriately to match those statements received, for month end valuation purposes.

Interest

Short term security information is provided by either the fund manager and is referenced with what is available on the JSE website to create and update instrument details, which determines the interest accrual method for each day.

SAFEX and Yield X derivatives are marked to market daily and agreed to the booking fee reports.

Bond interest is accrued for at the effective rate. Purchased interest is debited against the interest account, and cumulative interest on the bond is credited to the interest account daily (thus leaving a net credit of accrued interest in the account). The accrual for bond interest is calculated at a combination of the coupon rate and a pull-to-par rate (the difference between the book yield when purchased and the coupon rate).

Dividends

Dividend cents per share are obtained from the corporate events spreadsheet maintained by the administration department (updated from the custodian event advices daily). The dividend will be agreed to the entitlement report obtained from the custodian.

Dividends are accrued for on the portfolios at ex-date.

The bank statements are inspected regularly to ensure that the dividends are received timeously.


Yield curves

Fincad has been programmed to import yield curves from the specific network folder, where these curves are saved, on a daily basis. The programme can be altered to instruct it to import daily yield curves from a different network location; however, this can only be done by an authorised staff member. Furthermore, access to programme changes is limited to the Fincad terminal.

4.5 Maintaining financial and other records

Performance Fees

Performance fees are calculated by the fund administrator and/or finance team based on the mandate. The administrator will prepare a calculation spreadsheet and place the performance criteria on file, along with the date of calculation. The calculation is reviewed by a more senior staff member. Performance fees are sent for review to the Fund Manager, who is ultimately responsible for validating that the fee calculation method is appropriate. After they have reviewed the calculation, they will give their authorisation to be billed via email.

Management Fee

At month-end, before the management fees are calculated, Prescient ensures that the following processes have been performed:

All trades have been captured;

All income has been raised;

All corporate events have been attended to;

All cash has been applied; and

Securities have been valued.

The calculation of the management fee is maintained in Excel, and the spreadsheet is updated with the management fee percentage as per the mandate. Once the portfolios have been updated as per above, the market values are captured into the Excel spreadsheet. The management fee is calculated using an Excel formula, within the password-protected spreadsheet.

The finance team prepares a management fee analysis report which forms part of the monthly management accounts.

For a small percentage of clients who do not pay the management fee from their portfolios, the invoice will be sent by email, fax or post.

The management fee will be amended if there are changes to the client's fee arrangements. The Compliance team is the custodian of this process, and is responsible for ensuring that the finance team is aware of any changes to client mandates (with respect to fees). This ensures that client fees are always levied at the correct rate.

 


PFSI

All NAV based fees are calculated in Eagle and accrued in the NAV of each fund on a daily basis. The monthly total is reviewed by the Fund Accounting Manager and a summary and calculations are sent to each manager for their review. In addition, all performance fee calculations are sent to the relevant Manager for their review. Once the fees are approved by the Investment Manager a payment is set up to pay the fees from the fund, and this is then authorised by the Head of Operations. The fee settlement is posted in Eagle by the Fund Accountant, which is reviewed as part of the daily Fund review process.

Alternative Administration

All NAV based fees, as defined in the legal agreements of the funds, are agreed with the Investment Manager upfront and designed into monthly fee calculator workbooks which integrate into the accounting systems. The NAV based fees (which include administration, management and performance fees) are then calculated monthly and are signed off with the Investment Manager as part of the monthly NAV signoff process.

4.6 Cash management and segregation of assets

Prescient maintains day to day bank accounts with Nedbank, SCB, SCMB, Societe Generale, Nedbank Namibia, BNY, BNP Paribas, JP Morgan, Citi and FNB. The authorised administrator completes an online authorisation before payments are released from the bank accounts. Bank balances are reconciled on a daily basis and inspected for any unusual movements. Bank reconciliations are prepared weekly and reviewed by a more senior staff member.

EFT and non-EFT transactions are only authorised after supporting documentation has been inspected (e.g. deal slip, booking fee report, and invoice). Subsequent settlement of these transactions is monitored through daily bank reconciliations.

EFT payments

Online system platforms are used by Prescient for all EFT payments as authorised by the client, except for Societe Generale where only fax instruction is available. EFT transfers are captured by the administration department. It is possible for the same person to capture and verify/audit an EFT payment, but the person who captures and/or verifies a payment will be unable to authorise a release of the final payment. Two authorised signatories are required for all EFT transfers (authorised signatories per company resolutions). User profiles are set up with these controls and restrictions by the banking institutions. They cannot be amended without required authorisation and required banking protocols.

Non-EFT payments

Societe Generale clients receive non-EFT payment instructions, as do clients that have elected for Prescient to send manual instruction letters to the bank to initiate cash transfers for settlement.

In all cases, the administration department monitors and follows up with banks on all transfers that have been made each day.

PFSI

PFSI maintains Fund bank accounts with BNY Mellon and shareholder bank accounts with Citibank. All payments are made manually and must be authorised by a second person. Users of the BNYM and Citi online system must be authorised by the Head of Operations, who also defines the permissions for each user.


All bank accounts are reconciled daily, and the bank reconciliations are also reviewed on a daily basis.

Alternative Administration

All banking rights are set up to the particular bank accounts of the Hedge Fund, as defined per the user rights included in the Administration Agreement and Power of Attorney documents agreed and signed as part of the take-on.

As part of the investment decision of the assigned Investment Manager for each Hedge Fund, bank, custodian and prime broker accounts are set up in the name of that Hedge Fund. The administration team is responsible for transacting and reconciling, as defined upfront. All bank accounts, custodian accounts and prime broker accounts, as applicable to the particular hedge fund, are in the name of that Hedge Fund and are contracted on the basis of the separate legal agreements for each Hedge Fund.

4.7 Monitoring Compliance

Monthly validation checks are performed on all product models to ensure that the client’s investments are being managed in accordance with client mandates. All compliance breaches will be flagged by the StatPro system and will be followed up by the legal and compliance department.

All applicable regulations (which include Regulation 28 for Pension Funds, Regulation 30 for Medical Schemes and Notice 80 of the Collective Investment Schemes Control Act) are monitored and reported on by Prescient.

PFSI

As part of its obligations as UCITS Manager and Alternative Investment Fund Manager, PFSI is responsible for monitoring compliance with investment restrictions. Funds are loaded in the StatPro system which is run by the Prescient group’s compliance department in Cape Town, and all breaches are notified to the Compliance Officer in Dublin. Funds are also monitored separately in an Excel spreadsheet, with all breaches reported to the Investment Manager and Trustee. PFSI follows up all outstanding breaches to ensure timely resolution.

Alternative Administration

Monitoring compliance is not included as an administration function for Hedge Funds, other than the Regulated Hedge Funds under Prescient Management Company (RF) (Pty) Ltd. These hedge funds are monitored by Compliance on a daily basis to the mandate compliance requirements, per the applicable Portfolio Management Agreement and to regulatory requirements, as defined in Board Notice 52 of the Collective Investment Schemes Control Act.

4.8 Reporting to Clients

Prices, units held and market value information are sent to the authorised recipient(s) at each client. The content of daily price / market value reporting is determined in the client acceptance phase and can be amended by client request from time to time.

Daily transactions reports are sent to authorised client recipients for review.

Monthly administration reports are sent to clients detailing, among other items, a portfolio summary for the month. These reports are prepared based on the needs of the client; in some instances clients prefer quarterly or annual reports.

Regulation 28 and Regulation 30 reports are generated for clients and are distributed based on the requirements of these regulations.  


PFSI

Daily and monthly client reporting is driven by client needs. All clients receive daily NAV reports and, if required, additional portfolio reports are distributed, either on a daily or monthly basis.

PFSI also reports to the Central Bank of Ireland on a monthly and quarterly basis in line with regulatory requirements. Regulatory reports are prepared by a Fund Accountant and reviewed by the Fund Accounting Manager or Head of Operations before being filed.

Alternative Administration

Monthly reporting packs are sent to authorised client recipients for review before monthly price and market value reporting is sent to the investors of the applicable Hedge Fund. Such reporting is determined in the client acceptance phase and can be amended by client request from time to time.

Regulatory reporting is not included as an administration function for the Alternative Funds, other than the Regulated Hedge Funds under Prescient Management Company (RF) (Pty) Ltd. Such regulatory reporting is performed by Compliance as required and as defined in Board Notice 52 of the Collective Investment Schemes Control Act.

4.9 IT General Control Environment

System Environment

The T-Cube application is administered by Prescient IT personnel and hosted in the data centre in Cape Town.

The ThinkFolio application is administered by Prescient IT personnel and hosted in the data centre in Cape Town. ThinkFolio is currently utilised by Regarding Capital Management (Pty) Ltd (ReCM) as a front office modelling, order management system and compliance solution. Prescient performs administration services on Eagle for ReCM, including the administration of ThinkFolio and remote access to the solution. ThinkFolio interfaces with the Eagle application (portfolio management system).

The Eagle application is hosted offshore (USA) and a separate ISAE 3402 report is available for the IT controls surrounding the Eagle application which covers the period 1 October 2015 to 30 September 2016. Selected IT controls are performed by a separate division in Ireland.

Service Providers

Based on the risk assessment performed by the service organisation, the activities performed by Eagle Access LLC, Zubat Nine and the ThinkFolio vendor as per the table below do not sit within Prescient Management control and have been carved out.

 

Service provider: Zubat Nine

Services provided:

T-Cube problem and incident management.

T-Cube program change control including technical testing of releases and patches.

Control activities:

Incidents and problems are analysed, monitored and resolved by Zubat Nine.

Zubat Nine will send through releases for system upgrades/changes to Prescient. The technical testing and approval relating to the releases are performed by Zubat Nine.

Service provider: Eagle Access LLC

Services provided:

Password configuration settings. Multiple and unique user IDs.

Super user access to the Eagle database and Operating System.

Segregation of Duties.

Change Control management. …….

Eagle problem and incident management.

Control activities:

Password configuration settings and multiple, unique and generic user IDs have been tested as part of the Eagle Access LLC SOC 1 report.

Super user access to the Eagle database and Operating System is tested as part of the Eagle Access LLC SOC 1 report.

Segregation of Duties is tested as part of the Eagle Access LLC SOC 1 report.

Change Control to the Eagle application, database and operating system is tested as part of the Eagle Access LLC SOC 1 report.

Eagle incident and problem management is tested as part of the Eagle Access LLC SOC 1 report.

Service provider: ThinkFolio vendor

Services provided:

ThinkFolio problem and incident management.

ThinkFolio program change control including technical testing of releases and patches.

ThinkFolio Segregation of Duties.

Control activities:

Incidents and problems are analysed, monitored and resolved by ThinkFolio.

ThinkFolio will send through releases for system upgrades/patches to Prescient. The technical testing and approval relating to the releases are performed by ThinkFolio.

Segregation of Duties is controlled by the external third parties that utilise the application and not by Prescient.

Physical Access Controls

Restricted Access

Access to Prescient’s buildings is controlled via a biometric access control system at the automatic gate to the building. Visitors are required to report to reception. Visitors are accompanied into the building by a Prescient staff member.

New employees are required to sign the IT policy, after which they are given biometric fingerprint access to required sections of the building including the server room. Employees’ access is controlled via groups on the access control system, which includes a specific group for contractors.

Only authorised IT department employees are permitted access to Prescient’s server room. Access to the server room is authorised by the Head of IT and the Head of IT infrastructure. Access to the server room is controlled via biometric scanners. Logs are maintained of all people who have entered the server room.

Controlled Environment

The data centre is housed in a controlled environment that has CCTV cameras, air conditioning, smoke detectors, fire suppression equipment, raised server racks, fireproof walls and doors and a concrete roof.

The building is maintained by the letting agents. SLAs are in place between the letting agents and the parties responsible for maintenance (including maintenance of the CCTV cameras, air conditioners, fire extinguishers, generators, smoke detection). The UPS, fire suppression system, smoke detectors and air conditioning are maintained by Prescient, and are serviced and tested bi-annually. The generator is maintained by Prescient and is serviced and tested annually.

Logical Access Controls

Information Security

The responsibility for the information security function has been formally assigned to the Information Systems Security Officer. A formal IT security policy and IT & Usage policy have been reviewed annually and approved by the Head of IT and the Head of Legal of Prescient management. Each new staff member is required to sign an acknowledgement that they have read and understand the IT security and IT usage policy which details the user access policies. In addition, the policies are available on the intranet.

Authentication

Prescient operates on a Windows IT environment. Access to T-Cube and ThinkFolio is authenticated through Active Directory (AD). Users have a unique Active Directory account and password. Windows authentication is integrated with Active Directory. Access to the appropriate applications is controlled via Active Directory security groups.

Password complexity is enforced by Active Directory. In line with Prescient’s policy, passwords expire after 42 days and are required to be 8 characters as a minimum length, and accounts are locked after 5 failed login attempts for 30 minutes. Password complexity follows the built-in Microsoft standard and requires at least 3 of the following: one uppercase, one lowercase, one digit and one special character.

The Eagle application is hosted offshore (USA) and a separate ISAE 3402 report is available for some of the IT controls, including password configuration settings. The report covers the period 1 October 2015 to 30 September 2016.

User administration

In order for new users to gain access to the financial applications Eagle and T-Cube (application and databases), the Head of the Department (HOD) approves the access. A request for access is logged as a ticket on the Prescient service request application. Changes to user access rights follow the same process.

For internal access to ThinkFolio, a request for access is logged as a ticket on the Prescient service request application. The request is approved by the Business Analyst. The Business Analyst will create the necessary accounts and permissions and notify central IT to create the Active Directory account and security group access.

For terminations of user access, the Head of Department (or the Business Analyst, for ThinkFolio) is required to send an email notification to IT to terminate the user’s access settings so that the access is revised, disabled or removed. IT submits a User Exit form to the HOD for completion and evidence of approval. For ThinkFolio, the Business Analyst will notify central IT to remove the user’s Active Directory account and permissions. ThinkFolio access is removed thereafter.

Review of access rights

Reviews of the validity and appropriateness of user access permissions for AD, T-Cube and Eagle are performed annually. User access validity and appropriateness is not reviewed and approved for ThinkFolio.

Administrative access rights

Access to privileged accounts within the operating system is limited to the appropriate personnel for the T-Cube application. The T-Cube application has built-in segregation of duties controls. Only four IT Managers and a T-Cube developer have direct access to the T-Cube database through a shared generic user account. Multiple users have administrative access rights to the Eagle application; however, the “business group” controls what a user is able to see on the relevant accounts. If a user is an admin user and the user is not linked to a business group, the user cannot effect changes on any entity or portfolio that is not linked to the respective business group. The user groups assign the associated user rights to the user, further limiting the user rights.

Multiple users have administrative access rights to the ThinkFolio application. However, the ThinkFolio application has built-in segregation of duties controls. Prescient ThinkFolio administrators have full user rights to the system. Only IT staff and the ThinkFolio Administrator have administrative access to the ThinkFolio database. All IT support staff log into the database server through a shared generic user account. The password is only known by IT staff. The ThinkFolio Administrator uses Active Directory credentials to access the database.

Segregation of duties

The T-Cube application has built-in segregation of duties controls that prevent a user from capturing and authorising their own transactions.

Information Processing

Automated transmission logs detailing transmission failure or success, are available for client review within the Eagle PACE and Eagle STAR applications to allow for monitoring of data transmission activity. Monitoring is performed through notification emails that are sent through to the Operations Team and actioned if necessary. Transmission status is automatically noted in the logs.

Web traffic is filtered through a proxy server. In addition, threat websites are published on the proxy server, which prevents certain websites from being accessed. A redundant firewall has been implemented to control all internal and external communication. Public-facing servers are hosted within a demilitarised zone (DMZ). In the event of failure of the primary firewall, the backup firewall will take over responsibility for securing the network.

An anti-virus solution has been implemented on servers, laptops and workstations. A SysLog server has been implemented to allow for security logging and analysis. These logs are reviewed on an ad-hoc basis and are not formally reviewed on a regular basis.

Program changes

A formal change control policy and procedure is in place. Any changes to the financially significant applications are logged via email with the third party developers.

Changes to T-Cube are approved by the Head of IT. Once the changes have been developed by the respective third parties, the changes are loaded into the Prescient test environment and business and IT sign off on the test procedures performed.

Internal development work is sometimes required to be performed by the Business Analyst in terms of upgrading the integration layer of the system to cater for enhancements from the ThinkFolio vendor. There is no documentation or change control process followed for these internal builds.

Eagle changes, including development, are handled by Eagle systems (LLS). This is included in the Eagle systems ISAE 3402 review performed.

Backup and replication

There is a standard backup procedure document in place.

Full backups are taken on a daily basis and the IT department receives an automated email notification of any backup failures. Prescient replicates off-site to a Disaster Recovery site in Bellville on a daily basis.

A backup checklist is completed on a daily basis as evidence of monitoring backups and replication. The Head System Engineer and Head of IT sign this off.

Restoration testing

Restoration testing is completed during the annual DR test that is performed. Restoration takes place from the replicated data to the DR site.

Incidents

There is no formal incident management policy document in place with predefined SLA guidelines for incident resolution.

T-Cube incidents are handled by Zubat Nine (an external third party). An email is sent to Zubat Nine via the Business Analyst. The developer will reply and the necessary action will be undertaken.

Eagle incidents are handled by Eagle systems (LLS). This is included in the Eagle systems ISAE 3402 review performed.

Incidents are monitored in an informal weekly IT meeting in which IT related matters, including incidents, are discussed. Minutes of these meetings do not state the detail of the incident discussions.

ThinkFolio incidents are logged on the ThinkFolio customer website. It was noted that clients using ThinkFolio are not PIM or PFS employees, they are external clients of ReCM.

Business Continuity

Formal Business Continuity and Disaster Recovery Plans are in place. The plans are periodically tested and updated accordingly.

 


5 Control objectives, control activities and testing operating effectiveness of controls

5.1 Accepting Clients

5.1.1 Controls provide reasonable assurance that complete and authorised client agreements are operative prior to initiating investment activity.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and results of testing

5.1.1.1 Domestic operations

All new portfolio management agreements comply with the FSB guidelines. All the agreements are signed by the client and an authorised Prescient signatory as per the list of authorised signatories. Bank accounts can only be opened in the name of the client once the signed authorisation and FICA documents have been received from the client.

New client agreements are signed by the client and an authorised signatory, which includes compliance with all regulatory requirements. There is a list of authorised signatories which contains both “A” and “B” signatories.

Inspection

For a selection of new clients, inspected the agreement for evidence of the client's signature as well as the signature of either an “A” or “B” authorised Prescient signatory.

No exceptions noted.

5.1.1.1a PFSI

All new portfolio management agreements comply with the Central Bank requirements. All the agreements are signed by the client and an authorised PFSI signatory, as per the list of authorised signatories. Only original signed mandates are accepted - no copies are accepted. Bank accounts can only be opened in the name of the client once the fund has been authorised by the Central Bank.

Standard client agreements are used which are signed by authorised signatories only. Agreements are reviewed by the legal advisor to ensure compliance with central bank requirements. A list of authorised signatories is maintained.

Inspection

For a selection of new clients, inspected the agreement for evidence of the client's signature as well as the signature of an authorised Prescient signatory.

No exceptions noted.

   


5.1.1.2 Prescient Investment Management (“PIM”) Mandates

A client take-on checklist is maintained for all teams (including: compliance, admin, finance, performance, marketing and portfolio management). A member of the compliance team retains a copy as evidence that all teams have been notified. Client money is invested into set portfolios - the client chooses where they want their money to be invested from a list of portfolios. Mandate parameters are set up on StatPro. The compliance team member sets up the details on StatPro, which is then reviewed by a senior compliance team member.

Client management: a checklist is kept, which has been reviewed by all the teams and by a senior compliance team member.

Inspection

For a selection of new clients, inspected the completed signed checklist for evidence of authorisations and review.

No exceptions noted.

5.1.1.2b Alternative Administration

A client take-on checklist is maintained for all teams (including: compliance, admin, finance, performance, marketing and portfolio management). A signed administration agreement is placed on file, signed by the new client and by designated Prescient staff.

Standard client agreements are used which are signed by authorised signatories only.

Inspection

For a selection of new clients, inspected the agreement for evidence of the client's signature as well as the signature of an authorised Prescient signatory.

No exceptions noted.

   


5.1.2 Controls provide reasonable assurance that accounts are set up and administered in accordance with client mandates and applicable regulations.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and results of testing

5.1.2.1 Prescient Fund Services (“PFS”) (external/third party managers)

A client take-on checklist is sent to all relevant admin teams and a member of the relevant team signs as evidence of having completed each section as required.

Asset Admin: a signed checklist is kept after successfully loading the fund onto Eagle as evidence of completing the procedures. A new client cannot be loaded on Eagle without a completed take-on checklist.

Inspection

For a selection of new clients, inspected the completed signed checklist for evidence of authorisations and review.

No exceptions noted.

5.1.2.1b Alternative Administration

A client take-on checklist is sent to all relevant admin teams and a member of the relevant team signs as evidence of having completed each section as required.

Asset Admin: a signed checklist is kept after successfully loading the fund onto Eagle as evidence of completing the procedures. A new client cannot be loaded on Eagle without a completed take-on checklist.

Inspection

For a selection of new clients, inspected the completed signed checklist for evidence of authorisations and review.

No exceptions noted.

5.1.2.2 StatPro produces daily breach reports which are sent by the compliance team to the relevant portfolio managers.

The portfolio managers respond to the compliance team via email explaining how they have corrected the breaches. As a breach report is run daily any breaches which have not been cleared will be identified the next day.

Inspection

For a selection of days and breach reports, inspected that an email had been received by the compliance team member from the portfolio manager, indicating how any issues raised in the breach report have been resolved.

No exceptions noted.

5.1.2.2a PFSI

Certain UCITS funds are not suitable for monitoring on StatPro and therefore these are monitored by PFSI outside of StatPro on a daily basis.

The administrator performs daily compliance monitoring on the relevant funds which are not suitable for monitoring on StatPro.

Inspection

Inspected a selection of daily monitoring checks for UCITS funds. Inspected the incident/ breach log for the selected sample.

No exceptions noted.


5.1.2.3 StatPro maintains a log of all breaches and changes to compliance parameters.

The logs produced by StatPro are reviewed by a compliance team member on a daily basis.

Inspection

For a selection of days inspected that a log had been maintained of all breaches and that all breaches had been reviewed by a compliance team member.

No exceptions noted.

5.1.2.4 Access to StatPro is limited to the compliance team and two other senior members of staff.

Access to StatPro is limited, via unique usernames and passwords, to the compliance team and two other senior members of staff.

Observation

Attempted to log into StatPro using unauthorised log-in details.

No exceptions noted.

  Refer also to 5.7.1 and 5.7.3 for additional IT access controls.

   

5.1.2.5 Daily breach reports are discussed at the risk committee meetings. Material breaches will be discussed at the audit committee meetings. A summary of the breach logs is included as an annexure to the minutes of the risk committee meeting.

Daily breach reports are discussed at risk committee meetings which are held monthly.

Inspection

For a selection of minutes of the risk committee meeting, inspected evidence of the breach reports being discussed.

No exceptions noted.

5.1.2.6 Any changes to mandates will be treated as new mandates. The addendum to the agreement will be signed by the client and an authorised signatory at Prescient.

The addendum to the agreement will be signed by the client and an authorised signatory at Prescient.

Inspection

For a selection of mandate changes, inspected whether the addendum to the agreement had been signed by both the client and Prescient.

No exceptions noted.

   


5.1.2.7 PIM Mandates

A checklist, similar to what is required for a new take-on, is sent to all the relevant teams if there has been a change to a mandate.

Each team loads the relevant client changes and signs the checklist (which includes a section dealing with changes to mandates) once the changes have been loaded.

A compliance team member then receives the checklist, once it has been completed and signs it as evidence of review.

Inspection

For a selection of mandate changes, inspected that a take-on checklist (section dealing with mandate changes) had been completed and reviewed by a compliance team member as evidence of review of the checklist to the system.

No exceptions noted.


5.1.3 Controls provide reasonable assurance that clients’ take-on, including in-specie transfers, are monitored, documented and opening positions are accurately reported to clients.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and results of testing

5.1.3.1 Life Portfolios

A take-on checklist is completed and signed as evidence of having completed each section required in respect of loading new life portfolios clients. A policy number is then assigned to the client.

A policy number is assigned by the administration team member after receiving the completed, signed take-on checklist from all the relevant teams.

Inspection

For a selection of new clients, inspected that a policy number was assigned after a signed take-on checklist was completed.

No exceptions noted.

5.1.3.2 Segregated Portfolios

For new segregated portfolio clients, the client will transfer money and send an email instruction noting the exact amount transferred.

The administration team will reconcile the amount per the bank statement to the amount indicated by the client and record, on Eagle, all new segregated clients that have transferred money into the bank account.

Inspection

For a selection of new clients, inspected that the amount per the email agrees to what was captured on Eagle.

No exceptions noted.

5.1.3.3 Segregated Portfolios

The administration team will provide the custodians with a list (received from the client and loaded onto Eagle) of scrip in the new portfolio. Any differences identified in the scrip reconciliation are discussed with the client and the portfolio is only activated by Eagle for trading once the differences have been resolved.

Correspondence with the custodian is maintained confirming that their records agree to the share transfer.

Inspection

For a selection of new client scrip take-on, inspected the email confirmation from the custodian confirming the records agree to the share transfer.

No exceptions noted.

5.1.3.4 Segregated Portfolios

Bank reconciliations are performed on a daily basis by an administration team member.

A comment and date is inserted next to each reconciling item on daily Excel workbook versions. This serves as evidence of follow-up and the number of days for which the reconciling item has been outstanding.

Inspection

For a selection of days, inspected reconciling items to confirm that a comment and date had been inserted as evidence of follow up.

No exceptions noted.


5.1.3.5 Collective Investment Schemes

For all new clients, a signed application form is received via a central email box/fax number.

The signed application form is then processed by a member of the administration team and the application form is stored in the unit registry system once complete.

Inspection

For a selection of new clients, inspected that there was an application form that had been sent to the central mailbox and that the application form had been stored in the unit registry system by the administrator team member as evidence of being processed.

No exceptions noted.

5.1.3.5a PFSI

For all new clients, a signed application form is completed. In specie transfers are coordinated with the investment manager.

A standard application form is used along with a checklist to ensure all necessary steps are completed by a senior team member on the unit registry system.

Inspection

For a selection of new clients, inspected completed application forms and the use of the take-on checklist.

No exceptions noted.

5.1.3.6 Collective Investment Schemes

Signed application forms

Cash is received into the Management Company (Manco) inflow account for new take-ons and transfers.

The signed application form is then processed by a member of the administrator team and signed as evidence of being processed and matched to amount received in the inflow account.

Inspection

For a selection of new clients, inspected that the application form had been signed by the administrator team member as evidence of being processed and was matched to the amount received in the inflow account.

No exceptions noted.

5.1.3.7 Collective Investment Schemes

Unmatched cash

Cash is received into the Manco/inflow account for new take-ons and transfers.

Bank reconciliations are performed whereby any unmatched cash received Explanations are made next to all the Manco’s reconciling items indicating what they relate to and how they have been resolved – this serves as evidence of follow-up of the reconciling items.

Inspection

For a selection of days, inspected reconciling items, to confirm that notes had been made next to each item as evidence that the item had been reviewed and followed up.

No exceptions noted.


5.1.3.7a PFSI

Unmatched cash

Cash is received into PFSI’s inflow account, which is reconciled on a daily basis.

On a daily basis the inflow bank account is reconciled to identify any unmatched cash. Each item in the inflow account is aged and an explanation is provided of what the item relates to and how it is being resolved. This serves as evidence of follow-up of the reconciling items.

Inspection

For a selection of days, inspected the bank inflow account reconciliation to confirm that reconciling items are identified and actions are recorded next to each item.

No exceptions noted.


5.2 Authorising and processing transactions

5.2.1 Controls provide reasonable assurance that the responsibility for generating proxy voting instructions is clearly established.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.2.1.1 Segregated Portfolios

The responsibility for generating proxy voting instructions is clearly established through signed client mandates which stipulate whether Prescient will be given power of attorney to vote on behalf of their clients.

Mandates, which are signed by the client, stipulate that Prescient would be given the power of attorney to vote on behalf of the client.

Inspection

For a selection of mandates, inspected the mandate to confirm that it stipulated that Prescient has been given the authority to vote on behalf of the client.

No exceptions noted.

   


5.2.2 Controls provide reasonable assurance that the investment strategy is implemented in a timely manner.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.2.2.1 StatPro produces daily breach reports which are sent to the relevant portfolio managers.

The portfolio managers respond to the compliance team member via email explaining how they have corrected the breaches. As a breach report is run daily any breaches which have not been cleared will be identified the next day.

(PFSI: refer to control 5.1.2.2a)

Inspection

For a selection of days, inspected that an email had been sent from the portfolio manager to the compliance team member explaining how the issues raised in the breach report have been resolved.

No exceptions noted.


5.2.3 Controls provide reasonable assurance that investment transactions are executed and allocated in a timely and accurate manner

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.2.3.1 Domestic operations

When a trade is executed or a transaction occurs, an instruction is sent from the investment team to the administration team. The administration team will load the information on Eagle via DataMatrix, Excel upload or manual capture. The administration team will confirm the following day that what appears on Eagle agrees to the broker confirmations. An exception report in DataMatrix identifies unmatched items. If any discrepancies are noted, the administration team member will contact the investment team telephonically to rectify this.

When a trade is executed or a transaction occurs, the relevant information is loaded to Eagle via DataMatrix, Excel upload or manual capture. A separate member of the administration team inspects that the transactions loaded onto Eagle agree to the broker's confirmation. The queue in DataMatrix will be cleared once the electronic matching has occurred.

Inspection

For a selection of days, inspected the DataMatrix queue to confirm that it has been cleared as evidence of review.

No exceptions noted.

5.2.3.2 Trades are matched to the broker via SWIFT MT515, which triggers the settlement instruction to the custodian via SWIFT MT541/MT543, controlled via DataMatrix. Once the status on DataMatrix changes to “Processed” it indicates to Prescient that the custodian has received the settlement instruction/s.

Inspection

For a selection of trades, inspected that the status on DataMatrix indicated “Processed”.

No exceptions noted.

5.2.3.3 Custodians will notify PFS of any unmatched trades, i.e. trades not matched within the market deadlines. Matching occurs daily. Where there are no unmatched trades an email will not be received.

Inspection

For a selection of days, confirmed if an email had been received or not and corroborated this with the inspection of the DataMatrix queue to confirm that it has been cleared as evidence of review and follow up.

5.2.3.4a PFSI

Trades are updated through a combination of automated uploads through Thinkfolio and manual processes.

This involves receiving a trade file from the broker and uploading it to Eagle and the custodian’s nominated system, for settlement.

The administrator reviewing the fund will compare the Eagle transactions listing with the transaction listing from the broker, after loading it. In addition, the trades loaded to the custodian's system are authorised by a separate person and this includes a check of trades loaded against the trade file.

Inspection

Obtained the list of authorised users and compared it to an Instruction Capture Report from the Custodian's portal ("WorkBench"). Inspected that the trades were authorised by a separate person.

No exceptions noted.


5.2.3.5 For all domestic clients

Scrip reconciliations are performed by the administration team on a monthly basis for all local and foreign assets.

A monthly scrip reconciliation report is generated out of Eagle once positions have been matched against SWIFT MT535 positions, as received from custodians. An email is sent to all relevant staff members to confirm that the exception reconciliation report was produced and is available for review by the account administrator. A senior operations team member will review that explanations have been provided by the account administrator to address the differences identified, by the end of the month.

Inspection

For a selection of months, inspected email correspondence from a senior member in the administration team noting review of the reconciling items in the scrip reconciliation.

No exceptions noted.

5.2.3.6a For PFSI clients

PFSI carries out scrip reconciliations (Eagle versus custody records) on a daily basis. These reconciliations are reviewed by a separate person as part of the process to review the funds on a daily basis.

Daily scrip reconciliations are performed and are reviewed as part of the daily fund review process, by a senior person.

Inspection

For a selection of days, inspected the scrip reconciliation performed, to confirm that the daily fund review was performed by a senior person.

No exceptions noted.

   


5.2.3.7b Alternative Administration

The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process.

On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.

Daily reconciliations are performed with monthly reconciliations reviewed as part of the fund review process, by a separate person.

A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding.

The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Funds’ valuation, which incorporates the above controls.

Inspection

1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.

2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.

No exceptions noted.


5.2.4 Controls provide reasonable assurance that investment and related cash transactions are completely and accurately recorded.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.2.4.1 Segregated Portfolios

Bank reconciliations are reviewed on a daily basis by an administration team member.

A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding.

Inspection

For a selection of bank reconciliations, inspected reconciling items to confirm that a comment and date had been inserted as evidence of follow up.

No exceptions noted.

5.2.4.2 Scrip reconciliations are performed by the administration team on a monthly basis for all local and foreign assets.

A monthly scrip reconciliation report is generated out of Eagle once positions have been matched against SWIFT MT535 positions, as received from custodians. An email is sent to all relevant staff members to confirm that the exception reconciliation report was produced and is available for review by the account administrator. A senior operations team member will review that explanations have been provided by the account administrator to address differences identified, by month end.

Inspection

For a selection of months, inspected email correspondence from a senior member in the administration team noting review of the reconciling items in the scrip reconciliation.

No exception noted.

5.2.4.3 Collective Investment Schemes

Each member in the administration team is responsible for their own portfolio of bank reconciliations.

A member of the administration team maintains a spreadsheet of all bank reconciliations. A second team member, the fund administrator, reviews the bank reconciliation by documenting the reason for the reconciling items.

Inspection

For a selection of bank reconciliations, inspected the bank reconciliation for reconciling items to confirm that a comment had been inserted as evidence of follow up.

No exceptions noted.

5.2.4.4 A senior team member will review the reconciliations on a weekly basis.

The senior administration staff member reviews all bank reconciliations on a weekly basis and signs off as evidence of review.

Inspection

For a selection of weeks, inspected that there was evidence of review of the daily reconciliations by inspection of signature of the senior admin team member.

No exceptions noted.


5.2.4.5a PFSI

Bank reconciliations are performed on a daily basis between Eagle and the relevant bank account(s). All reconciliations are prepared in one workbook and therefore are reviewed together.

Daily cash/bank reconciliations are performed and reviewed by a separate reviewer.

Inspection

For a selection of daily bank reconciliations, inspected the reconciliation for comments inserted as evidence of the reconciliation having been performed and reviewed.

No exceptions noted.

  Refer also to 5.2.3 for additional controls over recording of investment and cash transactions.

   

5.2.4.6b Alternative Administration

The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process.

On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.

Daily reconciliations are performed with monthly reconciliations reviewed as part of the fund review process, by a separate person.

A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding.

The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above components.

Inspection

1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.

2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.

No exceptions noted.


5.2.5 Controls provide reasonable assurance that corporate actions are processed and recorded accurately and in a timely manner.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.2.5.1 Election of corporate events

Eagle receives a notification (“call”) from Bloomberg which will notify the administration team of any corporate events which will take place in the following week. The administration team will then compare the corporate events diary with the Bloomberg call.

The portfolio manager makes the corporate event election and sends an e-mail instruction to the administration team.

An election form is completed and signed by an “A” and “B” signatory.

Inspection

For a selection of elective corporate actions, inspected email evidence of the instruction received from the portfolio manager indicating election of the corporate event and signed by an A and B signatory.

No exceptions noted.

5.2.5.2   Eagle will receive a “call” from Bloomberg at the end of each week which will indicate the corporate events that occur in the following week, and identifies any shares which Prescient or its clients hold.

Inspection

For a selection of weeks, inspected a “call” received by Eagle and confirmed it was sent by Bloomberg.

No exceptions noted.

5.2.5.3   The administration team will compare the Bloomberg “call” to the corporate events diary. The corporate event election is reviewed by the administration team and signed as evidence of review.

Inspection

For a selection of elective corporate events that had been loaded on Eagle, inspected that the events had been reviewed and signed as evidence of review.

No exceptions noted.

5.2.5.4a PFSI

PFSI receives a daily custodian report detailing any corporate events. The chosen option is communicated to the investment manager via email. PFSI enters the chosen option on the custodian’s portal.

The option chosen is authorised on the custodian’s portal by a second person, who checks that the correct option has been selected.

Inspection

For a selection of dates, inspected that the corporate action selection was authorised by a separate administrator on the custodian portal.

No exceptions noted.


5.2.5.5a PFSI

Income/ dividend reconciliations are performed on a daily basis. Data is received from Bloomberg and booked into Eagle.

Daily income/ dividend reconciliations are performed to check positions against custodian records.

Inspection

For a selection of days, inspected the income/ dividend reconciliation to check that it was performed.

No exceptions noted.

5.2.5.6b Alternative Administration

The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process.

Income/ dividend reconciliations are performed on a daily basis. Data is received from Bloomberg and booked into Eagle.

Daily income/ dividend reconciliation to check amounts against bank, custodian and prime broker records.

On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.

The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above components.

Inspection

1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.

2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.

No exceptions noted.

   


5.2.6 Controls provide reasonable assurance that proxy voting instructions are generated and recorded and carried out accurately and in a timely manner.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.2.6.1 The administration team will complete the proxy voting instruction (yes, no or abstain) based on information received from the investment team. This instruction will detail how the investment manager intends to vote at the relevant meeting. The instruction is signed by both "A" and "B" signatories as evidence of review before it is sent to the custodian.

The instruction is signed by both "A" and "B" signatories as evidence of review before it is sent to the custodian.

(PFSI: refer to control 5.2.5.4a)

Inspection

For a selection of corporate actions, inspected email evidence of the instruction received from the portfolio manager indicating election of the corporate event and signed by "A" and "B" signatories.

No exceptions noted.

5.2.6.2b Alternative Administration

In addition to 5.2.6.1, for any corporate actions relating to prime broker created derivatives, the administration team carries out reconciliations (as part of a daily NAV reconciliation workbook, consisting of reconciliations from Eagle versus bank, custodian and prime broker records) on a daily basis to identify such corporate actions and related proxy voting nominations.

Income/ dividend reconciliations are performed on a daily basis. Data is received from Bloomberg and booked into Eagle.

Prime Broker nominations with the underlying investment manager are typically captured directly onto the Prime Broker records. Therefore daily income/ dividend reconciliation is performed against bank, custodian and prime broker records, to capture the correct corporate action.

Daily income/ dividend reconciliations are performed to check positions against bank, custodian and prime broker records.

On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.

The Fund Administrator is responsible for sending a monthly email to the Hedge Funds’ underlying designated Investment Manager for approval of the Funds’ valuation, which incorporates the above controls.

Inspection

1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.

2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.

No exceptions noted.


5.2.7 Controls provide reasonable assurance that client new monies and withdrawals are processed and recorded completely and accurately and that withdrawals are appropriately authorised

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.2.7.1 Collective Investment Schemes

A contribution (top-up form) is sent by the client to purchase additional units.

For the purchase of additional units, a signed top-up form and/or email notification of inflows is received from the client.

Inspection

For a selection of contributions (top-ups), inspected the email notifications and/or the signed top up forms received from the clients.

No exceptions noted.

5.2.7.2 The clients must deposit the purchase consideration prior to sending the request for additional units.

Clients attach proof of payment along with the top-up form.

Inspection

For a selection of contributions (top-ups), inspected that the proof of payments were attached to the emails received from clients.

No exceptions noted.

5.2.7.2.a PFSI

A standard subscription application and checklist is completed. The checklist is signed by the reviewer/approver. Monies are deposited into the PFSI inflow account.

Subscription checklists are completed to ensure all relevant steps are completed. The checklist is reviewed by a second person.

Inspection

For a selection of subscription transactions, inspected the completion of the subscription checklist and evidence of review by a second person (checklist authoriser).

No exceptions noted.

5.2.7.2.b Alternative Administration

A standard subscription application and checklist are completed. The checklist is signed by the reviewer/approver. Monies are deposited into the PFS Alternative Administration inflow account.

For CIS Hedge Funds, the same process as listed above under “Collective Investment Schemes” is followed.

Subscription checklists are completed to ensure all relevant steps are completed. The checklist is reviewed by a second person.

Inspection

For a selection of checklists, inspected that the checklist has been completed and signed off as evidence of review and inspected the bank statement noting deposit of money.

No exceptions noted.


5.2.7.3 For any withdrawal of units, a signed redemption form is sent by the client to Prescient.

A redemption form is attached for all withdrawals of units.

Refer to 5.1.2.6 for controls over changes to any client details.

Inspection

Inspected, for a selection of withdrawals, that redemption forms were received from the clients, indicating the amount to be disinvested.

No exceptions noted.

5.2.7.3a PFSI

A standard form and checklist is completed for all redemption requests.

A redemption checklist is used to ensure that all relevant steps are performed for withdrawals. The checklist is reviewed by a separate person.

Inspection

Inspected, for a selection of withdrawals, that a redemption checklist was completed and reviewed by the checklist authoriser.

No exceptions noted.

5.2.7.3bi Alternative Administration

For any withdrawal of units, a signed redemption form is sent by the client to Prescient.

For CIS Hedge Funds, the same process as listed above under “Collective Investment Schemes” is followed.

A redemption form is attached for all withdrawals of units.

Inspection

For a selection of redemption forms, inspected that the details are correct as signed off as evidence of review.

No exceptions noted.

5.2.7.3bii Alternative Administration

A standard form and checklist is completed for all redemption requests.

For CIS Hedge Funds, the same process as listed above under “Collective Investment Schemes” is followed.

A redemption checklist is used to ensure that all relevant steps are performed for withdrawals. The checklist is reviewed by a separate person.

Inspection

For a selection of redemption checklists, inspected that it was signed off as evidence of review.

No exceptions noted.


5.2.7.4 Clients are paid out via EFT for redemptions that have been received.

“A” and “B” signatories are required for the authorisation of any EFT payments.

Inspection

For a selection of redemption forms, inspected that both an "A" and a "B" signatory authorised an EFT payment.

No exceptions noted.

5.2.7.4a PFSI

Clients are paid out via EFT for redemptions that have been received.

The first person sets up the payment (first level signatory) and the second authoriser releases payment (second level).

Inspection

Inspected, for a selection of withdrawals, two person authorisation for the release of the EFT.

No exceptions noted.

5.2.7.4b Alternative Administration:

Clients are paid out via EFT for redemptions that have been received.

For CIS Hedge Funds, the same process as listed above under “Collective Investment Schemes” is followed.

“A” and “B” signatories are required for the authorisation of any EFT payments. The first person sets up the payment (first level signatory) and the second authoriser releases payment (second level).

For a selection of redemptions, inspected that all payments were authorised by A and B signatories to confirm authorisation of payment.

No exceptions noted.

5.2.7.5 Bank reconciliations are performed by the administration members on a daily basis. A senior team member will review the reconciliations on a weekly basis.

The senior administration staff member reviews the total bank reconciliations on a weekly basis and signs off as evidence of review.

Inspection

Inspected, for a selection of weeks, that there was evidence of review of the weekly reconciliations by inspection of the signature of the senior admin team member.

No exceptions noted.

5.3 Maintaining financial and other records

5.3.1 Controls provide reasonable assurance that investment income is recorded accurately, completely, and in the proper period.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.1.1 A custodian statement is received on a daily basis and a member of the administration team reconciles the investment income per the custodian statement to the amounts per Eagle.

The administrator reconciles (by marking all coupon payments listed on the reconciliation) the investment income amounts per Eagle against the custodian statement.

(Note - The bank reconciliation process, as described in sections 5.2.4 and 5.3.4.1, would identify any discrepancies between the cash settled amounts and the amount per Eagle. These bank reconciliations are performed on a daily basis.)

Inspection

For a selection of days, inspected evidence that the reconciliation was performed. For a selection of bank reconciliations, inspected that a comment and date had been inserted as evidence of follow up (as per sections 5.2.4 and 5.3.4.1) captured by the custodian.

No exceptions noted.

5.3.1.1b Alternative Administration

The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process.

Income/ dividend reconciliations are performed on a daily basis. Data is received from Bloomberg and booked into Eagle.

Daily income/ dividend reconciliation to check amounts against bank, custodian and prime broker records.

On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.

The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above components.

Inspection

1. For a selection of days, inspected the daily reconciliations for reconciling items and comments and dates inserted.

2. For a selection of months, inspected the email sent to the underlying investment manager as evidence of approval.

No exceptions noted.

5.3.1.2

Election of corporate events

The portfolio manager makes the corporate event election on an election form.

An email instruction is sent by the portfolio manager to the administration team.

(PFSI: refer to 5.2.5.4a and 5.2.5.5a).

Inspection

For a selection of corporate events, inspected email evidence of the instruction received from the portfolio manager indicating the corporate event election.

No exceptions noted.

5.3.1.3 Eagle receives a notification (“call”) from Bloomberg which will notify the administration team of any corporate events which will take place in the following week. The administration team will then compare the corporate events diary with the Bloomberg call.

The portfolio manager makes the corporate event election on an election form. An election form is signed by an “A” and “B” signatory.

Inspection

For a selection of corporate events, inspected a corporate event election form and noted that it had been signed by the relevant authorised signatories of Prescient.

No exceptions noted.

5.3.2.1 Domestic operations

There is a daily automated feed from Fincad to Eagle. Fincad provides prices for all unlisted money market and bonds instruments.

Pricing sheets in Fincad cannot be altered by unauthorised users.

Re-performance

Attempted to alter the pricing sheets in Fincad, noting whether it was possible to alter using the profile of an unauthorised user.

No exceptions noted.

5.3.2.1a PFSI

For certain unlisted assets (e.g. credit linked notes), the investment manager provides the pricing data, which is obtained from Bloomberg.

As part of the overall pricing review, the reviewer will check the prices of unlisted assets against the data received from the investment manager. The reviewer also performs a reasonableness check during the process.

(A further control is described under 5.3.2.2a)

Inspection

For a selection of days, inspected the pricing movement files produced and reasonableness check performed.

No exceptions noted.

5.3.2 Controls provide reasonable assurance that investments are valued using current prices obtained from independent external pricing sources or determined according to approved pricing policies and procedures for fair values in circumstances where independent sources are not available.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.2.1b Alternative Administration

For certain unlisted assets (e.g. fund of hedge fund prices) the administration team sources those prices from the underlying fund administrator and performs a monthly reconciliation on the holdings and prices to the monthly investment statements obtained.

As part of the overall monthly price and position reconciliation process, the reviewer will check the prices and quantities of the unlisted assets against the price received from the underlying fund administrator and signed off on the monthly checklist.

Inspection

For a selection of months, inspected the monthly checklist for signature sign off as evidence of review.

No exceptions noted.

5.3.2.2 Domestic operations

A daily price reasonability check is performed on the portfolios by a member of the investment team by comparing the previous day’s price to the current day’s price. Appropriate benchmarks are used for each type of instrument.

A daily price reasonability check on portfolios is performed by a member of the investment team and all price variances are indicated in an email.

Inspection

For a selection of days, inspected that there was an email sent by a member of the investments team noting review of the price variances of all portfolios.

No exceptions noted.

5.3.2.2a PFSI

A pricing reasonableness test is performed on a daily basis.

The pricing reasonableness test compares asset pricing movements from one day to the next, against a pre-determined threshold.

Inspection

For a selection of days, inspected the pricing movement files produced and reasonableness check performed.

No exceptions noted.

5.3.3 Controls provide reasonable assurance that investments are valued using market-related spreads and accurate yield curves.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.3.1 Yield Curves

Portfolio returns are reviewed on a daily basis to identify excessive/abnormal returns which would result from any unauthorised alterations of credit spreads or the yield curve.

An email is sent from the investment team member to the administration team member on a daily basis to confirm review of the portfolio returns to identify excessive/abnormal returns which would result from any unauthorised alterations of credit spreads or the yield curve.

Inspection

For a selection of days, inspected that there was an email sent by a member of the investment team as evidence of review of the price variances of all funds.

No exceptions noted.

   

5.3.4 Controls provide reasonable assurance that cash and investment positions are completely and accurately recorded and reconciled to third party data.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.4.1 Segregated Portfolios

Bank reconciliations are performed on a daily basis by an administration team member.

A comment and date is inserted next to each reconciling item. This serves as evidence of follow-up and the number of days for which the reconciling item has been outstanding.

Inspection

For a selection of days, inspected reconciling items that a comment and date had been inserted as evidence of follow up.

No exceptions noted.

5.3.4.2 Scrip reconciliations are performed by the administration team on a monthly basis for all local and foreign assets.

A monthly scrip reconciliation report is generated out of Eagle once positions have been matched against SWIFT MT535 positions, as received from custodians. An email is sent to all relevant staff members to confirm that the exception reconciliation report was produced and is available for review by the account administrator. A senior operations team member will review that the account administrators have noted resolutions to address differences identified, by month end.

Inspection

For a selection of months, inspected the monthly scrip reconciliation to confirm that an email had been sent as evidence of review of the reconciliation.

No exceptions noted.

5.3.4.3 Derivative margin call positions are reconciled on a daily basis.

The banks send a daily statement of positions and this is reconciled by the administration team to the position per the Eagle system on a daily basis.

Inspection

For a selection of months, inspected the monthly scrip reconciliation to determine whether an email had been sent as evidence of review of the reconciliation.

No exceptions noted.

5.3.4.4 Collective Investment Schemes

Each member in the administration team is responsible for their own CIS bank reconciliation.

A member of the administration team maintains a spreadsheet of all bank reconciliations. A second team member, the fund administrator, reviews the bank reconciliation by documenting the reason for the reconciling items. (PFSI: refer to control 5.2.4.5a)

Inspection

For a selection of days, inspected the bank reconciliations to ensure that the reconciling items had a reason documented.

No exceptions noted.

5.3.4.5 Segregated portfolios

Bank reconciliations are reviewed by the administration team members on a daily basis. A senior team member will review the reconciliations on a weekly basis.

Refer also to 5.2.3 for additional controls over recording of investment and cash transactions.

The senior administration staff member reviews all bank reconciliations on a weekly basis and signs off as evidence of review.

Inspection

For a selection of weeks, inspected that there was evidence of review of the reconciliations by inspection of signature of the senior admin team member.

No exceptions noted.

5.3.4.6 For non EFT payment instructions, as well as clients that have elected for Prescient to send manual instruction letters to the bank to initiate cash transfers for settlement, a letter is sent to the bank for payment of SAFEX.

The letter sent to the bank is signed by authorised signatories and sent to the bank with payment instructions.

Inspection

For a selection of days, inspected that a signed letter was sent to the bank with the client's instructions.

No exceptions noted.

5.3.4.6b Alternative Administration

The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process.

On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.

Daily reconciliations are performed with monthly reconciliations reviewed as part of the fund review process, by a separate person.

A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding.

The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above components.

Inspection

1. For a selection of days, inspected the daily reconciliations for reconciling items and comments and dates inserted.

2. For a selection of months, inspected the email sent to the underlying investment manager as evidence of approval.

No exceptions noted.

5.3.5 Controls provide reasonable assurance that investment management fees and performance fees are accurately calculated and recorded.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.5.1 Management fees – Segregated funds

The management fee calculation schedule is prepared by a member of the finance team and included in the monthly management packs for review by a senior finance team member.

A senior member of the finance team reviews the monthly management packs and signs off on the hard copy or sends an email as evidence that the review has been done.

Inspection

For a selection of monthly management packs, inspected the signature on the hard copy monthly management packs or the email sent by a member of the finance team as evidence that the review has been done.

Exception noted

We found that the management packs had not been reviewed for the month of November 2016.

5.3.5.2   The management fee schedule is password protected.

Re-performance

Attempted to change the management fee calculation schedule and observed that it was password protected.

No exceptions noted.

5.3.5.3 Performance fees

The performance fee calculation schedule is prepared by a member of the finance team and included in the monthly management packs which are reviewed by a more senior member of the finance team.

The performance fee calculation is reviewed for accuracy by a senior member of the finance team.

Inspection

For a selection of performance fees, inspected the performance fee calculation for evidence of the review by a senior member of the finance team.

No exceptions noted.

5.3.5.4 Performance fees

Subsequent to the review of the fees, the calculation of the fee is sent to an external consultant for confirmation.

The fee is sent to the external consultant for confirmation. The consultant will authorise the deduction of fees outstanding from the portfolio.

Inspection

For a selection of fees that were sent to external consultants, inspected that an email confirmation was received from the consultant confirming whether the fee is acceptable or not.

No exceptions noted.

5.3.5.5 Performance fees

A list of performance fees is included in the monthly management reporting pack and reviewed by a more senior member of the finance team.

A senior member of the finance team reviews completeness of performance fees, as part of the review of the monthly management reporting pack and signs off the monthly management packs as evidence that the review has been completed.

Inspection

For a selection of months, inspected the monthly management packs for signature or email sent as evidence of the review of completeness of performance fees by a more senior member of the finance team.

Exception noted

We found that the management packs had not been reviewed for the month of November 2016.

5.3.5.6 Performance fees

The performance fee calculation methodology schedule is prepared by a member of the finance team and reviewed by a more senior member of the finance team.

As part of the take-on procedures of new clients, the finance team uploads the initial performance fee calculation methodology from the mandate which is reviewed by a more senior finance team member.

Inspection

For a selection of new clients, inspected evidence of review of the loading of performance fees by a more senior team member.

No exceptions noted.

5.3.5.7a PFSI performance fees

For funds that attract performance fees, calculations are run on a daily and/or monthly basis, with the use of a standard spreadsheet, to identify whether a performance fee should be accrued/posted.

Any performance fees posted are reviewed by a separate person, as part of the review of the funds. This includes an on-screen review of the standard spreadsheet, with additional noting to any data entered manually/capture. Formulae are contained in protected cells.

Performance fees are also reviewed by the investment manager and reported to the trustees (monthly).

Inspection

For a selection of performance fees, inspected evidence of review by the investment manager.

No exceptions noted.

5.3.5.8 For monthly management expenses, the fund manager calculates the expense and sends the calculation to their client for approval. Once approved by their client, the fund manager will send the admin team member a notice to go ahead and settle from the investment account.

The admin team will also perform a reasonability check for invoicing requirements to comply with the mandate requirements. The admin team sends the schedule to the fund manager to confirm that the management fee expense data is acceptable. Approval that there are sufficient funds will be given before debiting the client’s accounts in order to credit the fund managers’ corporate account.

The management fee expense is calculated by the fund manager and sent to the administration team via email for reasonability check.

Inspection

For a selection of months, inspected the email correspondence between the fund manager and a member of the administration team confirming that the management fee expense is acceptable.

No exceptions noted.

5.3.5.8a PFSI

On a monthly basis the Fund Accounting Manager calculates and prepares the management fees and administration fees. Once approved by the Investment Manager, payments from the fund to the manager and administrator are then set up by the fund accountant or fund accounting manager. Details are forwarded to the Head of Operations who approves and releases the payments. Once the payments have been released, the fund administrator is provided with the relevant data to post the fees in Eagle.

All fees are approved by a senior person. The senior person sends an email to the fund administrator to confirm the review and approval of the fees.

Inspection

For a selection of months, inspected that the management fee calculation was reviewed by a second person as evidenced by a confirmation email.

No exception noted.

5.3.5.9 The member of the administration team sends the management fee expense to the finance team member to capture the fee on Pastel. Pastel generates a sequentially numbered invoice and the invoice is then sent to the fund manager.

The management fee expense is sent to the finance team for capturing on Pastel. Pastel generates a sequentially numbered invoice and the invoice is sent to the fund manager.

Inspection

For one client, inspected that a sequentially numbered invoice was generated by Pastel.

No exceptions noted.

5.3.5.10b Alternative Administration

On a monthly basis the fund accountant calculates and prepares the administration, management and performance fees. Once approved by a senior member, these are then paid from the fund to the manager and administrator respectively. Once the payments have been released, the fund administrator is provided with the relevant data to post the fees in Eagle.

All fees are included in a detailed fee calculator, per fund, and are calculated at a class and series level, as applicable. The Fund Administrator is responsible for preparing this calculator as part of the monthly valuation process.

The monthly valuation process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist.

The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above controls.

Inspection

For a selection of months, inspected the fee calculator for fees calculated at a class and series level and inspected the monthly checklist for review and sign off of these fees.

No exceptions noted.

5.3.6 Controls provide reasonable assurance that issues and cancellations (including switches) of units are recorded completely and accurately, and positions are regularly reconciled.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.6.1 Instructions which are not processed and for which cash has been deposited by the client will be identified during the bank reconciliation process.

If instructions are not processed, the cash deposited by the client into the inflow account will be identified during the bank reconciliation process.

Inspection

For a selection of bank reconciliations, inspected the bank reconciliation for comments and dates inserted confirming review of reconciling items.

No exceptions noted.

5.3.6.2 For a client who wishes to redeem their investment, a signed redemption form needs to be received by the administration department before the disinvestment can be processed.

Before a disinvestment is processed and released from being “pending”, a member of the administration team will review what was loaded onto T-cube and reconcile this to the signed redemption instruction received from the client.

Inspection

For a selection of clients who redeemed their investment, inspected that a redemption form was signed by the client. Inspected for evidence of the review by the administration team member.

No exceptions noted.

5.3.6.2a PFSI

For a client who wishes to redeem their investment, a signed redemption form needs to be received by PFSI before the disinvestment can be processed.

A redemption checklist is completed by the administrator and reviewed by a separate person to ensure that all redemption steps have been completed.

Inspection

For a selection of redemptions, inspected that redemptions checklists were properly completed and signed off.

No exceptions noted.

5.3.7 Controls provide reasonable assurance that fund pricing is accurate and timely.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.7.1 Collective investment schemes

Funds are flagged on Eagle under the profile of a member depending on whether the pricing for it has completed or not.

Where pricing has not been completed for a particular day, a red flag will remain on Eagle’s Control Centre module/screen, under the profile of the relevant administration team member.

Eagle prevents the admin team member from releasing the fund unless it is flagged as green. The team member investigates any items flagged in red or yellow in order to reflect as green before progressing.

Inspection

For a selection of days, inspected whether funds had the ability to be flagged as either red or green depending on their status, and noted that all funds for that day were flagged as green (i.e. pricing complete).

No exceptions noted.

5.3.7.2 A member of the investment team performs the daily pricing and sends an email to the various portfolio managers. The portfolio managers then send an email to the team member to indicate whether the pricing is reasonable or not.

The portfolio managers will review evidence of the daily pricing via email.

Inspection

For a selection of days, inspected the emails from the portfolio manager as evidence that the daily pricing has been reviewed.

No exceptions noted.

5.3.7.2a PFSI

The fund administrator performs a daily pricing reasonableness check.

Refer to review of security pricing reasonableness control 5.3.2.2a. In addition, a NAV reconciliation screen is printed from Eagle indicating the reasons for the price movements. Each item is reviewed and signed off.

Inspection

For a selection of days, inspected the NAV reconciliation screen print out for evidence of review and sign off.

No exceptions noted.

5.3.8 Controls provide reasonable assurance that expenses are accurately calculated and recorded in accordance with the requirements of the fund and on a timely basis.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.8.1 For monthly fund management expenses, the fund manager calculates the expense and sends the calculation to the admin team member. The admin team member will perform a reasonability check on the calculation prior to sending it to the finance team and sends the email to the fund manager that the management fee expense is acceptable.

The management fee expense is calculated by the fund manager and sent to the administration team for a reasonability check.

(PFSI refer to control 5.3.5.9a)

Inspection

For a selection of months, inspected the email correspondence with the fund manager and a member of the administration team that the management fee expense is acceptable.

No exceptions noted.

5.3.8.2 The member of the administration team sends the fund management fee expense to the finance team member to capture the fee on Pastel. Pastel generates a sequentially numbered invoice and the invoice is then sent to the fund manager.

The management fee expense is sent to the finance team for capturing on Pastel. Pastel generates a sequentially numbered invoice and the invoice is sent to the fund manager.

Inspection

For a selection of months, inspected for one client that a sequentially numbered invoice was generated by Pastel.

No exceptions noted.

5.3.8.3b Alternative Administration

On a daily basis the fund accountant processes any invoices received for payment. These invoices are approved by the designated Investment Manager. Thereafter payment is made from the Fund’s bank account based on the user rights setup for that account. Once the payments have been released, the fund administrator is provided with the relevant data to post the fees in Eagle.

All fees are included in a detailed monthly expense summary worksheet. The Fund Administrator is responsible for preparing this calculation as part of the monthly valuation process.

The monthly valuation process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist.

The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above controls.

Inspection

For a selection of months inspected the fee calculator for fees calculated at a class and series level and inspected the monthly checklist for review and sign off of these fees.

No exceptions noted.


5.3.9 Controls provide reasonable assurance that fund distributions are accurately calculated, authorised and recorded, and distributed in a timely manner.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.3.9.1 A client will make an election on whether to reinvest their distributions or have these distributions paid out. This election is made on the signed application form.

The distribution election is made on the signed application form.

Inspection

For a selection of clients who had chosen to reinvest their distribution per T-Cube, agreed the reinvestment choice to their signed application form.

No exceptions noted.

5.3.9.2 All distributions are maintained on distribution calendars which are only accessible to the administration team.

Distribution calendars used to load distributions are saved on a shared drive which is accessible to the administration team.

Inspection

Inspected that the shared drive where the calendars are saved is only accessible to the administration team.

No exceptions noted.

5.3.9.3 Distribution schedule calculations are performed by investment team members.

Distribution calculations are reviewed by a second staff member.

Inspection

For a selection of funds, inspected evidence of review of a distribution calculation.

No exceptions noted.

5.3.9.4 Distributions are loaded on Eagle and on T-Cube and a reconciliation is performed.

Reconciliations are performed between distributions loaded on Eagle to distributions loaded on T-Cube. The reconciliations are reviewed by a second staff member.

Inspection

For a selection of funds, inspected evidence of the performance and review of a distribution reconciliation.

No exceptions noted.


5.3.9.5 The distribution calendars set out the distribution timeframe.

A formal timeframe is set for the recording and processing of distributions.

Inspection

Inspected that a formal timeframe is set for the recording and processing of distributions for a selection of distribution sheets.

No exceptions noted.


5.4 Cash management and segregation of assets

5.4.1 Controls provide reasonable assurance that client money is segregated.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.4.1.1 Bank reconciliations (in respect of unit trust portfolios) are performed on a daily basis by an administration team member.

A comment and date is inserted next to each reconciling item. This serves as evidence of follow-up and the number of days for which the reconciling item has been outstanding.

(PFSI: refer to control 5.2.4.5a)

Inspection

For a selection of days, inspected reconciling items that a comment and date had been inserted as evidence of follow up.

No exceptions noted.

5.4.1.2 For all clients

Scrip reconciliations are performed by the administration team on a monthly basis for all local and foreign assets.

Scrip reconciliations are performed on a monthly basis by the administration team, and are reviewed by a more senior staff member. An email is sent to all relevant staff members to confirm that the review was performed.

(PFSI refer to control 5.2.3.6a)

Inspection

For a selection of months, inspected email correspondence from a senior member in the administration team noting review of the reconciling items in the scrip reconciliation.

No exceptions noted.

5.4.1.2b Alternative Administration

The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process.

On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.

Daily reconciliations are performed with monthly reconciliations reviewed as part of the fund review process, by a separate person.

A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding.

The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above controls.

Inspection

For a selection of days, inspected the reconciliations for comments and dates inserted next to reconciling items as evidence of preparation and review.

For a selection of months, inspected the monthly checklist for evidence of procedures performed and signed off as evidence of review as well as the email sent to the underlying investment manager as confirmation of approval of the funds’ valuation.

No exceptions noted.


5.5 Monitoring Compliance

5.5.1 Controls provide reasonable assurance that client portfolios are managed in accordance with investment mandates.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.5.1.1 A client take-on checklist is completed for each section (including: compliance, admin, finance, performance, marketing and portfolio management). Client money is invested into set portfolios - the client chooses where they want their money to be invested from a list of portfolios. Mandate parameters are set up on Statpro. The compliance team member sets up the details on Statpro, which is then reviewed by a senior compliance team member.

Each department loads the new client and signs the checklist as evidence of completing the procedures in respect of the new client take-on. A new client cannot be loaded on Eagle without a completed take-on checklist, which has been signed off by all the relevant teams and reviewed by a senior compliance team member.

Inspection

For a selection of new clients inspected the completed signed checklist for evidence of authorisation and review.

No exceptions noted.

   


5.5.2 Controls provide reasonable assurance that errors and breaches, including mandate breaches, are rectified promptly and accurately.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.5.2.1 Mandates

Any changes to mandates will be treated as new mandates. The addendum to the agreement will be signed by the client and an authorised signatory at Prescient.

The addendum to the agreement will be signed by the client and an authorised signatory at Prescient.

Inspection

For a selection of mandate changes, inspected whether the addendum to the agreement had been signed by both the client and Prescient.

No exceptions noted.

5.5.2.2 A checklist, similar to what is required for a new take-on, is completed if there has been a change to a mandate.

Each team notes the relevant client changes.

A compliance team member then notes the checklist and signs it as evidence of review.

Inspection

For a selection of mandate changes, inspected that a take-on checklist had been completed and reviewed.

No exceptions noted.

   


5.5.3 Controls provide reasonable assurance that pricing and distribution rate errors are rectified in a timely manner.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.5.3.1 There is a daily automated feed from Fincad to Eagle. Fincad provides prices for all unlisted money market and bond instruments.

Pricing sheets in Fincad cannot be altered by unauthorised users.

Inspection

Attempted to alter the pricing sheets in Fincad, noting whether it was possible to alter using the profile of an unauthorised user.

No exceptions noted.

5.5.3.2 A daily price reasonability check is performed on the portfolios by a member of the investment team by comparing the previous day’s price to the current day’s price. Appropriate benchmarks are used for each type of instrument.

A daily price reasonability check on portfolios is performed by a member of the investment team and all price variances are indicated in an email.

(PFSI: refer to controls 5.3.2.1a and 5.3.2.2a)

Inspection

Inspected, for one day, that there was an email sent by a member of the investments team noting review of the price variances of all portfolios.

No exceptions noted.

5.5.3.3 Collective Investment Scheme NAV unit pricing is performed on a daily basis.

All unitised prices are reviewed by an independent administrator on T+1 for any significant day on day % changes. A comment will be sourced from the fund pricing administrator for each unit price change that breaks tolerance.

Inspection

For a selection of days inspected that there was a comment for each unit price change that breaks tolerance.

No exceptions noted.

5.5.3.4 Income distributions from Collective Investment Schemes are reviewed prior to distribution.

A schedule is prepared of all components that determine the income distribution rate per fund class. This schedule is reviewed by a senior staff member and signed off before an income rate is declared for distribution.

Inspection

For a selection of weeks, inspected the schedule for all components that determine the income distribution rate per fund class to confirm that it was reviewed by a senior staff member and signed as evidence of review.

No exceptions noted.


5.6 Reporting to Clients

5.6.1 Controls provide reasonable assurance that client reporting in respect of portfolio transactions, holdings and performance, commission and voting is complete and accurate.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.6.1.1 Segregated portfolios

Each administrator electronically completes the month-end reporting checklist for tasks that fall within their scope. The administrators will provide commentary on the tasks assigned to them.

The administrator electronically documents each task for month-end reporting on a reporting checklist once completed.

Inspection

For a selection of electronic month end reporting checklists, inspected that each task has been marked as completed by the administrator assigned to each task.

No exceptions noted.

5.6.1.1b Alternative Administration

Each administrator completes the month-end reporting checklist for tasks that fall within their scope. The administrators will provide commentary on the tasks assigned to them.

The administrator documents each task for month-end reporting on a reporting checklist once completed.

Inspection

For a selection of months inspected the monthly checklists and confirmed that each task had comments inserted.

No exceptions noted.


5.7 IT General Control Environment

5.7.1 Controls provide reasonable assurance that physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.7.1.1 Computer Room and Building Access

Access to the server room and building is controlled via biometric fingerprint access.

Visitors are required to sign a visitor’s register when entering the server room.

Physical access to the server room is restricted to IT Department personnel only.

Inspection

Performed a walkthrough of the server room and the building and observed that access controls were in place to secure computer networks, equipment, storage media and program documentation.

No exceptions noted.

5.7.1.2 Review of server room access

Access logging to the server room is reviewed on an annual basis by the Head of IT and the Information Systems Security team member.

Access logs are reviewed on an annual basis by the Head of IT and the Information Systems Security team member.

Inspection

Inspected evidence of the annual server room access review and confirmed that it was signed off by the Head of IT and the Information Systems Security team member. 

No exceptions noted.

5.7.1.3 Physical Access Administration

For physical access to the server room, only the Head of IT and the Head of IT Infrastructure can approve access. A request for server room access is logged as a ticket on the Prescient service request application. 

Employees’ access to the server room is controlled by groups on the access control system and only IT employees have access to the server room.

Employees’ access is controlled via groups on the access control system, which includes a specific group for server room access. New server room access requests are approved by the Head of IT and the Head of IT Infrastructure.

Inspection

For a selection of new user access to the Prescient server room, inspected the logged tickets for evidence of approval.

Inspected the access group configuration settings to verify that access to the server room was restricted to IT department personnel only. 

No exceptions noted.


 5.7.2 Controls provide reasonable assurance that the physical IT equipment is maintained in a controlled environment.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.7.2.1 Controlled Environment

The server room is housed in a controlled environment.

The server room has CCTV cameras, air conditioning, smoke detectors, fire suppression equipment, raised server racks, fireproof walls and doors, and a concrete roof.

Observation

Performed a walkthrough and observed that environmental controls were in place in the server room.

No exceptions noted.

5.7.2.2 Maintenance of Environmental Controls

The Generator is serviced and tested on an annual basis.  

The Fire Prevention System, Smoke Detectors, Generator, UPS Systems and Air-conditioning system are serviced and tested on a bi-annual basis.

A maintenance log is kept of services to CCTV cameras, the Fire Prevention System, Generator, UPS Systems and Air-conditioning system (IT equipment).

Inspection

Inspected maintenance records for the IT equipment to verify that the environmental controls have been serviced and tested for the period under review.

No exceptions noted.

   


5.7.3 Controls provide reasonable assurance that logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.7.3.1 IT Security Policy and IT & Usage Policy

The IT Security Policy and the IT & Usage Policy are reviewed on an annual basis and approved by the Head of IT and the Head of Legal of Prescient management.

The IT Security Policy and the IT & Usage Policy are available on the Intranet.

The IT Security Policy and the IT & Usage Policy are updated on an annual basis and are approved by Prescient management.

Inspection

Inspected the IT Security Policy and the IT & Usage Policy and noted that the policies were reviewed and approved by the appropriate level of management during the period under review.  

Performed a walkthrough and observed that the policies are located on the Intranet.

No exceptions noted.

5.7.3.2 AD authentication

Access to T-Cube and ThinkFolio is controlled via an AD group, and hence the AD password parameters apply.

User authentication takes place at first logon via Active Directory (AD).

Users are required to log on to access the applications. Password settings are enforced on Active Directory, T-Cube, and ThinkFolio.

Inspection

Inspected a screenshot of the password parameters for AD to verify that the password parameters were implemented per the control description.

No exceptions noted.

 Password parameters are enforced and include:

‐ Minimum password length (8 characters)

‐ Password expiry (every 42 days)

‐ Account lockout restrictions (after 5 invalid login attempts)

‐ History: 6

‐ Lockout duration: 30 minutes

Password complexity follows the built-in Microsoft standard and requires at least 3 of the following: one uppercase, one lowercase, one digit and one special character.

   

 


5.7.3.3 User access

An IT Security Policy which details the user access policies is in place. 

T-Cube and Eagle 

In order for new users to gain access to T-Cube and Eagle (application and database), the Head of Department approves the access. A request for access is logged as a ticket on the Prescient service request application. 

The same process is followed for changes to access rights. 

ThinkFolio

For internal access to ThinkFolio, a request for access is logged as a ticket on the Prescient service request application. The request is approved by the Business Analyst and actioned by the Business Analyst and the IT Team.

New and modified user access is approved prior to being granted on the system and is in line with job responsibilities.

  Inspection

For a selection of new and modified users, obtained and inspected the User Access Request tickets and confirmed that the requests were approved by the Head of Department/Business Analyst.  

No exceptions noted. 


5.7.3.4 Termination of access

In order to terminate a user’s access, IT requires an email from the Head of Department (HOD), or Business Analyst for ThinkFolio, notifying the IT team of a staff member that will be leaving the organisation at a specific date. IT submits a User Exit form to the HOD for completion and evidence of approval. Once received, the access will be disabled or removed.

Immediately upon termination but rather changed to a default password known only to the IT department, and removed after 6 months. For those employees in sensitive job functions, access is removed immediately upon resignation/termination. A user is prompted to change their password on first login onto the system.

Users who terminate employment or transfer job functions are removed in a timely manner from the application and database.

Inspection

Obtained from HR a list of all users whose access was terminated from Prescient for the period under review and compared it to a list of all active users on the in-scope applications to determine whether any terminated users still had access and whether users were terminated in a timely manner.

Exceptions noted

The user accounts for two Eagle Access users who have left the organisation have not been locked and terminated.


5.7.3.5 Multiple, Unique and Generic user IDs

Users are assigned unique user IDs on Eagle, T-Cube and ThinkFolio.

Users are only assigned one user ID on Eagle, T-Cube and ThinkFolio.

No generic accounts are granted access unless authorised for all applications.

User IDs are unique and users are not assigned multiple accounts. No generic user IDs are active unless they are valid and have been authorized by management.

  Inspection

Obtained a list of all users on the applications and inspected it for duplicated user IDs, multiple user IDs assigned to one person and generic user accounts.

Exception noted

2 multiple user IDs (for 1 user) have been identified on the Eagle Access application and 4 multiple user IDs (for 2 users) have been identified on the T-Cube application.
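The leaver comparison in 5.7.3.4 and the user-listing inspection in 5.7.3.5 can be run as a repeatable script. The following is an added example, not part of the report or of any Prescient or KPMG tooling; the CSV layouts, account names and the five-day timeliness tolerance are assumptions, and all data is constructed.

```python
"""Leaver and multiple-ID checks over user listings (constructed sample data)."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed HR leaver extract: employee number, name, last working day.
HR_LEAVERS_CSV = """employee_no,name,exit_date
E1001,A. Example,2016-06-30
E1002,B. Sample,2016-11-15
E1003,C. Placeholder,2017-02-28
"""

# Constructed application user listing: one row per account.
APP_USERS_CSV = """application,user_id,employee_no,status,disabled_on
Eagle,aexample,E1001,active,
Eagle,bsample,E1002,disabled,2016-11-16
T-Cube,bsample,E1002,disabled,2017-01-20
T-Cube,cplace,E1003,disabled,2017-02-28
T-Cube,dtest,E1004,active,
T-Cube,dtest2,E1004,active,
Eagle,admin,,active,
"""

# Assumed tolerance for "timely" removal; the report does not state a figure.
MAX_DAYS_TO_DISABLE = 5


def _rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def leaver_findings(hr_csv, app_csv, max_days=MAX_DAYS_TO_DISABLE):
    """Return (application, user_id, finding) for accounts of leavers that
    are still active, lack a disable date, or were disabled late."""
    leavers = {r["employee_no"]: date.fromisoformat(r["exit_date"])
               for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(app_csv):
        exit_date = leavers.get(acct["employee_no"])
        if exit_date is None:
            continue  # account owner is not on the leaver list
        key = (acct["application"], acct["user_id"])
        if acct["status"] == "active":
            findings.append((*key, "still active"))
        elif not acct["disabled_on"]:
            findings.append((*key, "no disable date"))
        else:
            delay = (date.fromisoformat(acct["disabled_on"]) - exit_date).days
            if delay > max_days:
                findings.append((*key, f"disabled {delay} days after exit"))
    return findings


def multiple_ids(app_csv):
    """Return {(application, employee_no): [user_ids]} where one person
    holds more than one active account on the same application."""
    held = defaultdict(list)
    for acct in _rows(app_csv):
        if acct["status"] == "active" and acct["employee_no"]:
            held[(acct["application"], acct["employee_no"])].append(acct["user_id"])
    return {k: sorted(v) for k, v in held.items() if len(v) > 1}


def unattributed_accounts(app_csv):
    """Return active accounts with no named owner (candidate generic IDs
    that need documented authorisation)."""
    return [(a["application"], a["user_id"]) for a in _rows(app_csv)
            if a["status"] == "active" and not a["employee_no"]]


if __name__ == "__main__":
    for finding in leaver_findings(HR_LEAVERS_CSV, APP_USERS_CSV):
        print("LEAVER ", finding)
    for owner, ids in multiple_ids(APP_USERS_CSV).items():
        print("MULTI  ", owner, ids)
    for acct in unattributed_accounts(APP_USERS_CSV):
        print("GENERIC", acct)
```

Keying both listings on an HR employee number rather than a display name avoids missing accounts whose user ID does not resemble the owner's name.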


5.7.3.6 Review of user access AD, T-Cube, Eagle

Reviews of validity and appropriateness of user access on Active Directory, Eagle and T-Cube are performed annually.

A review of the appropriateness of access is performed for the AD, T-Cube and Eagle application and database.

Inspection

Inspected the review of user access rights for AD, T-Cube and Eagle to verify that reviews of access rights were performed.

Exceptions noted

Evidence of the annual review of user access to confirm validity and appropriateness of user access could not be obtained for the Eagle Access application.

5.7.3.7 Administrative/Super Users and Database Administrator access rights

T-Cube application:

Appropriate personnel have administrative access rights to the T-Cube application.

T-Cube DB and OS: Only IT staff have administrative access to the T-Cube database server. All IT support staff log into the database server using an account where the password is known by IT staff only.

Four IT staff members have administrative access to the operating system through a shared generic account.

Eagle:

Appropriate personnel have administrative access rights to the Eagle application.

ThinkFolio Application:

Appropriate personnel have administrative access rights to the ThinkFolio application.

Administrative access is restricted to the appropriate personnel.

Inspection

Inspected evidence that super user access is restricted to authorised individuals.

Exception noted

Administrative access through the sharing of generic user accounts is granted on the T-Cube Database (DB) and Operating systems (OS) as well as the ThinkFolio DB and OS.


ThinkFolio DB:

Only IT staff and the Business Analyst have administrative access to the ThinkFolio database. All IT support staff log into the database server using the generic account where the password is known by IT staff only. The Business Analyst uses his active directory credentials to access the database.

ThinkFolio OS:

Four IT staff members have administrative access to the operating system through a shared generic account.


5.7.4 Controls provide reasonable assurance that segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.7.4.1 Segregation of Duties

T-Cube:

The T-Cube application has built-in segregation of duties controls that prevent a user from capturing and authorising their own transactions.

Users are unable to capture and authorise their own transactions.

Performed a walkthrough to observe that the segregation of duties controls were enforced on the T-Cube application.

No exceptions noted.

   


5.7.5 Controls provide reasonable assurance that data transmissions between the service organisation and its counterparties (Eagle Investments systems) are complete, accurate, timely and secure.

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.7.5.1 Complete, Accurate, and Timely Transmission

Automated transmission logs detailing transmission failure or success, are available for client review within the Eagle PACE and Eagle STAR applications to allow for monitoring of data transmission activity. Monitoring is performed through notification emails that are sent through to the Operations Team and actioned if necessary. Transmission status is automatically noted in the logs.

Automated transmission logs detailing transmission failure or success are monitored and actioned.

Inspection

Inspected the Eagle PACE and Eagle STAR logs to determine that data transmission statuses are monitored and actioned.

No exceptions noted.

5.7.5.2 Secure

Period: 1 April 2016 – 31 August 2016 (Neotel)

Data transmissions between Neotel and Eagle Investments systems are complete, accurate, timely and secure and produce transmission logs detailing success and failure of transmissions.

Neotel provides Prescient with an MPLS connection.

Firewall rule set indicates that secure private IP network is used for data transmission.

Period: 1 September 2016 – 31 March 2017 (Aryaka Africa)

Data transmissions between Aryaka Africa and Eagle Investments systems are complete, accurate, timely and secure and produce transmission logs detailing success and failure of transmissions. Aryaka provides Prescient with a secure encrypted internet connection.

A secure connection is in place and sits behind the Prescient Firewalls.

Inspection

Obtained and inspected the firewall rule set for the existence of a secure MPLS connection provided by Neotel. Obtained and inspected the firewall rule set for the existence of a secure encrypted connection provided by Aryaka.

No exceptions noted.


5.7.6 Controls provide reasonable assurance that appropriate measures are implemented to counter the threat from malicious electronic attack (e.g. firewalls, anti-virus etc.).

Reference Prescient Processes Prescient Control Activities KPMG test procedure and finding

5.7.6.1 Proxy

Web traffic is filtered through a proxy server. Threat websites are published on the proxy server to prevent certain websites being accessed.

Web traffic is filtered through a proxy server to ensure that inappropriate websites are blocked.

Inspection

Inspected an extract of the blocked website database rules configured on the proxy to ensure that inappropriate websites are blocked.

No exceptions noted.

5.7.6.2 Firewall

A redundant firewall has been implemented to control all internal and external communication. Public-facing servers are hosted within a demilitarised zone (DMZ). In the event of failure on the Primary firewall the backup firewall will take over responsibility of securing the network.

Firewalls have been implemented and all public facing servers are hosted within a DMZ.

Inspection Inspected the network diagram to verify the location of the firewall. Inspected the firewall rule set to verify that the firewall existed and public-facing servers were hosted within a DMZ.

No exceptions noted.

5.7.6.3 Anti-virus

Anti-virus solutions have been implemented on servers and workstations and are monitored and updated when new updates are available.

An anti-virus solution has been implemented on servers and workstations within the Prescient environment and is monitored and updated when new updates are available.

Inspection

Observed that the anti-virus solution is implemented and inspected it to confirm that it has been updated with the latest anti-virus signatures.

No exceptions noted.

5.7.6.4 SysLog

A SysLog server has been implemented to allow for security logging and analysis. These logs are reviewed and incidents are followed up and actioned as necessary.

Logs are retained for security logging and analysis and incidents are followed up and actioned as necessary.

Inspection Inspected evidence of selected tickets logged, indicating that monitoring and follow-up has occurred based on the incidents per the SysLog.

No exceptions noted.

   


5.7.7 Controls provide reasonable assurance that development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented.

Reference | Prescient Processes | Prescient Control Activities | KPMG test procedure and finding

5.7.7.1 Change control policy

A formal change control policy procedure is in place. Any changes to the financially significant applications are logged via email with the third party developers.

T-Cube:

Changes to T-Cube are approved by the Head of IT. Once the changes have been developed by the respective third parties, the changes are loaded into the Prescient test environment and business and IT sign off on the test procedures performed.


ThinkFolio:

Internal development work is sometimes required to be performed by the Business Analyst in terms of upgrading the integration layer of the system to cater for enhancements from the ThinkFolio vendor. There is no documentation or change control process followed for these internal builds.

All changes made to the T-Cube and Eagle application and database are authorised, tested and approved prior to implementation in production.

Inspection

T-Cube

For a selection of changes, obtained and inspected evidence of approval and testing prior to implementation into production.

No exceptions noted.

ThinkFolio

For a selection of the ThinkFolio changes, obtained and inspected evidence of approval and testing prior to implementation into production.


5.7.8 Controls provide reasonable assurance that data and systems are backed up regularly, retained offsite and regularly tested for recoverability.

Reference | Prescient Processes | Prescient Control Activities | KPMG test procedure and finding

5.7.8.1 Backup and replication

There is a standard backup procedures document in place.

Full backups are taken on a daily basis and the IT department receives an automated email notification of any backup failures. Prescient replicates off-site to a Disaster Recovery site in Bellville, Cape Town on a daily basis.

A backup checklist is completed on a daily basis as evidence of monitoring backups and replication. The Head System Engineer and Head of IT sign this off.

There is a backup procedure in place and full backups are taken on a daily basis.

Inspection

Inspected the Backup and Restore procedures policy to verify that a backup schedule is designed.

For a selection of days, inspected the system generated email notifications for the statuses of the backups to the Disaster Recovery site.

Inspected a selection of backup checklists to verify that the backup and replication process was completed and signed off.

No exceptions noted.

5.7.8.2 Restoration testing

Restoration testing is completed during the annual Disaster Recovery (DR) test that is performed. Restoration takes place from the replicated data to the DR site.

Restoration is completed during the annual DR testing utilising the replicated data to the DR site.

Inspection

Inspected evidence of the successful restoration as part of the annual DR test that took place during the period covered by this report.

No exceptions noted.


6 Management’s comments that do not form part of our opinion

6.1 Business control objectives

Reference | Control reference | Control exception | Recommendation | Management comments

6.1.1 5.3.5.1 & 5.3.5.5 We found that the monthly management packs had not been reviewed for the month of November 2016.

Management should review the monthly management packs and evidence the review thereof.

The month of November 2016 was an anomaly in that there were certain major operational and financial activities that resulted in the CFO’s review of the management pack being delayed. The management pack for the month of November was subsequently reviewed. The packs for the months prior to and subsequent to November 2016 were reviewed. Management packs are also distributed to the relevant executives, who review the management packs of their business units. It should also be noted that management packs contain comparative, year to date information for each month, meaning that subsequent months included November 2016 information.

   


6.2 IT Control objective

6.2.1 5.7.3.4  We could not obtain evidence of the termination of two Eagle user accounts and the accounts were not locked after the termination date. 

Management to ensure that controls are operating effectively so that users' access to applications is terminated in a timely manner.

These are users that left the employ of Prescient during Feb 2017 and the accounts were only locked at the end of the following month – after the audit extract was retrieved at which point it was verified that the users had not accessed the system since their last day of employment. 

6.2.2 5.7.3.5 2 users have multiple user IDs for the Eagle application and 4 users have multiple user IDs for the T-Cube application.

Management to ensure that users are not assigned to multiple user accounts for applications including the database and operating systems. 

The two T-Cube users that have been duplicated are as a result of the original user account that was created which differed to that of the Active Directory user and therefore the user could not access the system. The one duplicated Eagle user was as a result of the external user locking himself out because his PC was set to remember his password and was unable to clear the stored password and needed the information urgently. A new user was therefore created in the above instances. Important to note that there was no concurrent access by the users through their various accounts.

6.2.3 5.7.3.6 Evidence of the annual review of user access to confirm validity and appropriateness of user access could not be obtained for the Eagle application.

Prescient to ensure that an annual user access review is performed for the Eagle application and that evidence of the review is maintained.

There was no documented annual review sign off since there is an ongoing review performed throughout the year as and when users are created or terminated. In future the control is to be updated to only cover a documented annual review of users with write access to Eagle.

6.2.3 5.7.3.7 Administrative access through the sharing of generic user accounts is granted on the T-Cube DB and OS as well as the ThinkFolio DB and OS.

Management to ensure that administrative access to applications does not occur through the use of generic accounts.

The shared account is only available to 3 staff members who have been in Prescient’s employ in excess of 7 years. Even though the access is shared, the IP addresses of the machines connecting to these servers are logged and can be traced if required. We have recently appointed a dedicated Database Administrator (DBA). The DBA will administer these databases removing shared access.