ASSURANCE REPORT ON INTERNAL CONTROLS (AAF 01/06)

Transcription

1 as at 27 November 2012 Quilter is the trading name of Quilter & Co. Limited, a private limited company registered in England with number , registered office at St Helen s, 1 Undershaft, London EC3A 8BB. Quilter has established a branch in Dublin, Ireland with number , is a member of the London Stock Exchange, is authorised and regulated by the UK Financial Services Authority, is regulated by the Central Bank of Ireland for conduct of business rules, under the Financial Services (Jersey) Law 1998 by the Jersey Financial Services Commission for the conduct of investment business in Jersey and by the Guernsey Financial Services Commission under the Protection of Investors (Bailiwick of Guernsey) Law, 1987 to carry on investment business in the Bailiwick of Guernsey. Accordingly, in some respects the regulatory system that applies will be different from that of the United Kingdom.

2 CONTENTS Section 1 - Introduction 2 Section 2 - Directors report 3 Section 3 - Overview of the Quilter group 3 Section 4 - Quilter s corporate governance structure 4 Section 5 - Control environment 5 Section 6 - Control objectives as set out in AAF 01/06 5 Section 7 - Reporting accountants assurance report 8 Section 8 - Control procedures and testing performed by reporting accountants 10 APPENDIX Reporting accountants engagement letter 37 SECTION 1: INTRODUCTION The directors of Quilter are pleased to present its Type 1 Assurance Report on Internal Controls as at 27 November It is based on the framework set out in the Technical Release AAF 01/06 issued by the Audit and Assurance Faculty of the Institute of Chartered Accountants in England and Wales. This report is intended for existing and potential clients, their advisers and auditors. We identify the control objectives required in providing our services, and outline the internal controls and procedures in place to meet these objectives and mitigate risk in the conduct of our business. The controls, which are set out in Section 8, have been independently verified by Deloitte LLP. We are committed to maintaining a strong control and compliance environment throughout the organisation. Effective control of business risk is a key objective. 2

3 SECTION 2: DIRECTORS REPORT As Directors of Quilter, we are responsible for the identification of control objectives relating to client assets and related transactions in the firm s provision of investment management services. We are also responsible for the design and implementation of control procedures which provide reasonable assurance that these control objectives are achieved. In carrying out these responsibilities, we have regard not only to the interests of clients but also to the owners of the business. This report assesses the effectiveness of Quilter s control procedures in accordance with the criteria for investment management as provided in the Institute of Chartered Accountants in England and Wales Technical Release AAF 01/06 (as expanded June 2009). We set out detailed aspects of our control environment, risk assessment, management information, communication and monitoring processes. We also include descriptions of the relevant control procedures together with the related control objectives in place at 27 November Furthermore, we confirm that: (a) the descriptions on pages 10 to 36 fairly present the control procedures of Quilter s investment management and information technology departments that were in place on 27 November 2012; and (b) the controls relating to the control objectives stated in the descriptions on pages 10 to 36 were suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls operated effectively as at 27 November SECTION 3: OVERVIEW OF THE QUILTER GROUP Quilter is a UK-based private client investment manager providing discretionary and advisory investment management services to private clients, pension funds, trustees and charities. Our heritage can be traced back to 1771 and in 2012 we became independently owned for the first time since The Quilter Group consists of Quilter & Co. Limited and its subsidiaries - Quilter Fund Management Ltd ( QFM ) and eight nominee companies. QFM is no longer trading and the nominee companies sole purpose is to act as bare nominees or trustees. Quilter is the only operating entity in the group and all entities are controlled by the firm s senior management. Our corporate governance structure is set out in Section 4. The key focus of the firm is on fee-paying investment management with discretionary mandates within the affluent sector of the UK market. At 31 October 2012, we had 8.2bn of funds under management and employed 385 staff across 13 regional offices in the UK, Ireland and our offshore office in Jersey. Both Quilter and QFM are authorised and regulated by the FSA. Signed on behalf of the Directors Mark MacLeod, CFO 27 November

4 SECTION 4: QUILTER S CORPORATE GOVERNANCE STRUCTURE Quilter employs a transparent, consistent and comprehensive governance framework for the management of risk faced by the business. Key risks are reviewed formally by the Board annually and subsequent key control performance is reported to management committees on a monthly basis. The governance structure is overseen by the Board and applies to all entities within the group. The Board has delegated responsibility for management to the Executive Committee, which is the group s senior management team and is chaired by the CEO. The overall governance structure is designed to ensure that through a framework incorporating central management, business lines and independent control groups: specific risks are managed within a comprehensive framework the integrity of legal entities is maintained controls operate effectively infrastructure supports business and product development client related risks are managed across the appropriate business units Day-to-day governance is provided by the business unit management teams who are responsible to the Finance & Administration Executive and the various sub-committees that support the business on an ongoing basis. The Finance & Administration Executive meets fortnightly and reports to the Executive Committee. The Audit & Risk Committee reports independently to the Board. Its role is primarily one of oversight and review and specifically to monitor: the integrity of the financial statements of Quilter and its regulated subsidiary, QFM. the systems of internal controls of these entities compliance with legal and regulatory requirements the qualifications and independence of external auditors and the performance of both internal and external auditors the efficacy of the company s policies and structures for conflict management in Europe 4

5 SECTION 5: CONTROL ENVIRONMENT The Board recognises the importance of a robust risk management framework and Quilter maintains a strong compliance and risk management culture which operates within the three lines of defence model: 1st line: line management in each business unit identifies, manages, mitigates and reports on risk as part of their role and are responsible for operating effective controls. 2nd line: implementation and monitoring by the Compliance Department and Operational and Business Risk Department. The Compliance Department undertakes an advisory and monitoring function. Compliance advises on all areas of regulatory principles, rules and guidance, including leading on any policy and processing changes, and undertakes monitoring activity on key areas of regulatory risk. The Compliance Department has over 30 monitoring programmes all designed to ensure firm policies and procedures are being followed. The Operational and Business Risk Department facilitates and monitors the implementation of effective risk management practices. It also assists the risk owners in reporting adequate risk-related information. This provides oversight over business process and risks. 3rd line: Internal Audit provides independent assurance on the design and effectiveness of key controls and that the overall risk management process is working as intended. SECTION 6: CONTROL OBJECTIVES AS SET OUT IN AAF 01/06 1. ACCEPTING CLIENTS 1.1 Accounts are set up and administered in accordance with client agreements and applicable regulations. 1.2 Account modifications are made only with client supporting evidence*. 1.3 All client opening documentation is stored securely*. 1.4 Complete and authorised client agreements are operative prior to initiating investment/custody activity. 1.5 Investment holdings transferred from prior custodians are received and recorded completely, accurately and on a timely basis. 1.6 Client take-ons are monitored, documented and accurately reported to clients. 1.7 Investment limits and restrictions are established and updated as required. 1.8 Responsibility for generating proxy voting instructions is clearly established. 1.9 Adherence to ISA subscription limits is checked and recording of client information required by legislation is accurate*. 2. AUTHORISING AND PROCESSING TRANSACTIONS 2.1 Investment strategy is set and implemented in a timely manner. 2.2 Investment transactions are properly authorised, executed and allocated in a timely and accurate manner. 2.3 Transactions are undertaken only with approved counterparties. 2.4 Commission levels and transaction costs are monitored. 5

6 2.5 Investment and related cash transactions are completely and accurately recorded and communicated for settlement in a timely manner. 2.6 Corporate actions are processed and recorded accurately and in a timely manner. 2.7 Dividends are processed and recorded accurately and in a timely manner*. 2.8 Proxy voting instructions are generated and recorded and carried out accurately and in a timely manner. 2.9 Client new monies and withdrawals are processed and recorded completely and accurately; withdrawals are appropriately authorised Lender and borrower participation in lending programs is authorised and loan initiation, maintenance and termination are accurate and timely* Loans are fully collateralised and the collateral together with its related income is recorded completely, accurately and on a timely basis*. 3. MAINTAINING FINANCIAL AND OTHER RECORDS 3.1 Investment income and related tax are accurately recorded in the proper period. 3.2 Investments are valued using current prices obtained from independent external pricing sources or determined according to approved pricing policies and procedures for fair values in circumstances where independent sources are not available. 3.3 Cash and investment positions are completely and accurately recorded and reconciled to third party data. 4. CASH MANAGEMENT AND SEGREGATION OF ASSETS 4.1 Uninvested cash is managed with regard to diversification of risk and security of funds. 4.2 Investments are properly registered and client money is segregated. 4.3 Physically held securities are safeguarded from loss, misappropriation and unauthorised use*. 5. MONITORING COMPLIANCE 5.1 Client portfolios are managed in accordance with investment objectives, monitored for compliance with investment limits and restrictions and performance is measured. 5.2 Transaction errors (including guideline breaches) are rectified promptly and clients are treated fairly. 5.3 Compensation payments are authorised, calculated and reviewed by management*. 5.4 Outsourced activities are properly managed and monitored and conflicts of interest identified to clients. 5.5 Sub-custodians are approved and performance standards are monitored on a timely basis. 5.6 Counterparty exposures are monitored. 5.7 Banking exposures are monitored*. 3.4 Investment management fees and other account expenses are accurately calculated and recorded. 6

7 6. REPORTING TO CLIENTS 6.1 Client reporting in respect of portfolio transactions, holdings and performance, commission and voting is complete and accurate and provided within required timescales. 7. RESTRICTING ACCESS TO SYSTEMS AND DATA 7.1 Physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals. 7.2 Logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques. 7.3 Segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles. 9. MAINTAINING AND DEVELOPING SYSTEMS HARDWARE AND SOFTWARE 9.1 Development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented. 9.2 Data migration or modification is authorised, tested and, once performed, reconciled back to the source data. 10. RECOVERING FROM PROCESSING INTERRUPTIONS 10.1 Data and systems are backed up regularly, retained offsite and regularly tested for recoverability IT hardware and software issues are monitored and resolved in a timely manner Business and information systems recovery plans are documented, approved, tested and maintained. 8. PROVIDING INTEGRITY AND RESILIENCE TO THE INFORMATION PROCESSING ENVIRONMENT, COMMENSURATE WITH THE VALUE OF THE INFORMATION HELD, INFORMATION PROCESSING PERFORMED AND EXTERNAL THREATS 8.1 IT processing is authorised and scheduled appropriately and exceptions are identified and resolved in a timely manner. 8.2 Data transmissions between the service organisation and its counterparties are complete, accurate, timely and secure. 8.3 Appropriate measures are implemented to counter the threat from malicious electronic attack (e.g., firewalls, anti-virus etc.). 8.4 The physical IT equipment is maintained in a controlled environment. 11. MONITORING COMPLIANCE (IT) 11.1 Outsourced activities are properly managed and monitored. * These marked control objectives are not specified in the ICAEW Technical Release AAF 01/06 (Appendix 1 expanded June 2009) in respect of investment management. However, they have been included as the Directors consider them to be an important aspect of Quilter s control environment. The following controls specified by the ICAEW Technical Release AAF 01/06 (Appendix 1 expanded June 2009) in respect of investment management have not been included as there are no in-house pooled funds: Accepting clients - In-house pooled fund unit holder activity is recorded completely, accurately and in a timely manner Maintaining financial and other records - Pooled funds are priced and administered accurately and in a timely manner 7

8 SECTION 7: REPORTING ACCOUNTANTS ASSURANCE REPORT 8

9 9 ASSURANCE REPORT ON INTERNAL CONTROLS (AAF 01/06)

10 SECTION 8: CONTROL PROCEDURES AND TESTING PERFORMED BY REPORTING ACCOUNTANTS 1. ACCEPTING CLIENTS 1.1 Accounts are set up and administered in accordance with client agreements and applicable regulations. All clients receive a client information form and a charging schedule which must be signed and returned. Reviewed a sample client information forms and charging schedule, and noted it had been signed and returned by the respective client. Once the client information form is complete the Investment Manager will supply a new client pack to the Operations department. This pack contains all the relevant information required to open an account. It includes the investment objective, investment restrictions, risk strategy, client charging schedule, the client signed application form and Anti-Money Laundering ( AML ) documentation. The new client pack is signed by the Investment Manager and reviewed by the Team Head. Reviewed a sample new client pack and noted that it included relevant information as described in the control procedures. Observed that the sample new client pack had been signed by the Investment Manager and the Head of Team. All client application forms and AML checks are performed by the Account Opening department. An account will only be created once satisfactory evidence of identity is obtained. Reviewed sample client application form and checked that Anti-Money Laundering checks, including a World Check on the client, were conducted. Having reviewed the new client pack, the Account Opening department will sign off the application form and pass it to the Records department for data entry to the system. All data entered onto the system by the Records department is checked by the Checking and Controls department by the end of the next business day. Reviewed sample application form and noted that Account Opening had signed off the application form. Observed on screen that the data had been entered onto the Fiscal system. Observed that Checking and Controls Department had approved the changes. 10

11 1.2 Account modifications are made only with client supporting evidence. Account modifications in Fiscal are made by the Records department. All requests must have supporting written evidence from the client and require verification of the client s signature. Once the client signature has been verified, any amendments are input into Fiscal. Reviewed a sample request by client for account details modification. Checked the client s signature on the instruction had been verified by the Records department. Observed that Records department had made the requested changes. 1.3 All client opening documentation is stored securely. All amendments to Fiscal made by the Records department are reviewed by the independent Checking and Control department by the end of the next business day. All relevant documents, including the signed client application form, are scanned into Adest and then archived in a secure location. Observed for a sample client that the Checking and Control department had reviewed the changes made. Observed for a sample client that documents are stored electronically on Adest. Inspected the locked filing cabinets in which client documents are stored. 1.4 Complete and authorised client agreements are operative prior to initiating investment/custody activity. For Discretionary and Advisory accounts only: On receipt of the client information form, an Investment Policy Statement ( IPS ) is generated from an internal matrix. The matrix will not produce an IPS if there are inconsistencies in the client s investment objectives. Inspected internal matrix that generates individual client IPS. Corroborative enquiry conducted to confirm internal matrix parameters are determined by Chief Investment Officer ( CIO ). See control 2.1. Observed that when inconsistent combinations were entered, the system presented an error message and requested information to be re-entered. The IPS sets out in plain language the key aspects of the portfolio including objective, suitability, time horizon, and the proposed implementation strategy. Reviewed sample IPS and noted that the items described in the control are present and clearly stated. 11

12 The IPS has to be signed and returned by the client before a Do Not Deal restriction on the account is lifted. The Records department enter the IPS receipt date on Fiscal and release the Do Not Deal ( DND ) freeze. Reviewed the Client Information Form ( CIF ) and signed IPS for a sample client. Observed that a Do Not Deal ( DND ) message was given when trying to place a trade for a client who had not yet returned the signed IPS. Aside from cash in the form of a cheque or bank transfer, assets are not accepted into Quilter s safe custody until an account has been set up in accordance with the process set out in control procedures 1.1. Confirmed by corroborative inquiry that a marker is present on the account advising that no stock can be accepted until an account has been opened. 1.5 Investment holdings transferred from prior custodians are received and recorded completely, accurately and on a timely basis. A list of holdings to be transferred is passed to the Operations department by the client s Investment Manager. Any share certificates received are kept in locked cabinets. Inspected a list of holdings passed from the Investment Manager to the Operations department. Observed that share certificates pending re-registration are held in locked cabinets. The valuations system is loaded accordingly by Operations, subject to input and verify levels. Investment Managers are able to check the client s valuation on the following business day for completeness and accuracy. After the asset transfer has been agreed between Quilter and the delivering broker or custodian, arrangements are made to transfer ownership of those assets to Quilter or a safe custody depot. Inspected the system and noted the holdings and valuations were correctly displayed. Confirmed by corroborative inquiry with an Investment Manager that they are able to check the holdings on the system. 12

13 1.6 Client take-ons are monitored, documented and accurately reported to clients. On receipt of confirmation that legal title has been transferred, assets are accurately recorded in the Nominees system. Inspected signed transfer agreements and share certificates for a recent transfer. Investment Managers are alerted to any differences between what is loaded on the valuation and what has been re-registered by means of a blue star on the holdings list. Inspected the valuation system and noted holdings not held in the nominee were marked with a blue star. Monthly reports are produced by the Operations department to identify differences between the client s valuation and what has been received in the nominee. Differences are commented upon within the report which is reviewed by a senior manager. Reviewed a monthly nominees/valuations reconciliation and noted it was signed by a senior manager. 1.7 Investment limits and restrictions are established and updated as required. Investment restrictions are not accepted in the Managed Portfolio Service. For Discretionary and Advisory accounts only: If a client wishes to exclude specific investments or asset classes, they are sent a Restrictions form by their Investment Manager. Once the form is completed and returned, the investment restrictions are entered into Fiscal by the Operations department. The restrictions on Fiscal are visible to the Investment Manager. Reviewed an application form for the Managed Portfolio Service and noted that no option is provided for investment restrictions. Confirmed via corroborative enquiry with an investment manager that only the Discretionary Portfolio Service and Advisory Portfolio Service allow investment restrictions. Noted that a sample Restrictions Form had been signed by Operations as having been reviewed. Observed that the data had been input in Fiscal, and was visible to the Investment Manager. 13

14 Investment restrictions are included in the six-monthly investment summaries that are sent to clients. Reviewed a sample six-monthly client statement and noted it provides details on restricted investments. At the point of order entry for a client with an investment restriction, all restrictions are shown. Where there is a potential breach of a restriction the Investment Manager has to manually override the restriction before the order is placed. Observed an Investment Manager attempting to place a restricted trade and noted that an automatic warning message was displayed. When an override is made at order entry, s are automatically sent to the Investment Manager, their Team Head and Compliance. The Compliance department will request an explanation for the override from the Investment Manager; otherwise the transaction will be reversed. Reviewed correspondence between Compliance and the Investment Manager relating to an override of restrictions showing an explanation was requested and received. Monthly breach reports of all holdings potentially in breach of an investment restriction are circulated to Investment Managers, heads of department, and senior management. Reviewed sent out to Investment Managers with the monthly report attached showing potential breaches in investment restrictions. 1.8 Responsibility for generating proxy voting instructions is clearly established. Proxy voting will only be actioned upon the specific request of an Investment Manager. The Corporate Actions department are responsible for lodging proxy votes. See control procedures at 2.8. See control procedures at

15 1.9 Adherence to ISA subscription limits is checked and recording of client information required by legislation is accurate. All new client accounts are monitored by the ISA department to ensure National Insurance numbers have been supplied. The ISA Administration System automatically ensures that ISA subscriptions don t exceed the maximum determined by legislation. Confirmed by corroborative enquiry that all new client accounts are monitored to ensure National Insurance numbers have been provided. Observed that a sample client pack included National Insurance numbers. Reviewed a sample daily report of ISAs and noted this had been reviewed by a member of the Operations department to ensure completeness. Observed that the Administration System rejects ISA amounts above the legal limit for a sample client. The yearly submission to HM Revenue & Customs is reviewed by the ISA department and signed off by a manager in the Operations department. Inspected the yearly HMRC submission made in 2012 and noted it was signed off by a reviewer. 2. AUTHORISING AND PROCESSING TRANSACTIONS 2.1 Investment strategy is set and implemented in a timely manner. The account opening process for the Discretionary and Advisory Portfolio Services requires clients to provide financial information and answer questions on the Client Information Form relating to their primary investment objective, capacity for and tolerance to risk, as well as investment time horizon. The Investment Manager uses the answers to these questions - together with other information gathered, perhaps at interview - to recommend a suitable investment strategy. This is summarised by preparing an Investment Policy Summary ( IPS ). Observed a sample Client Information Form included the questions described in the control procedure. 15

16 The IPS is produced using an internal system which only allows permissible combinations of responses to questions on the Client Information Form. The matrix of combinations has been pre-defined by the Chief Investment Officer and is embedded in the software used to produce the IPS. The software is designed to prevent what would normally be regarded incompatible investment objectives. Confirmed by corroborative enquiry that the Chief Investment Officer ( CIO ) had approved the internal matrix.observed that an error message arose when an Investment Manager attempted to input inconsistent combinations onto the system. The IPS has to be signed and returned by the client, and authorised by the Investment Manager s Team Head, before any monies can be invested. This is controlled by a marker in the dealing system. Observed that for a sample client who had not returned their IPS, an attempt to deal for the client was rejected by the system. As a secondary check, the combinations are monitored on a monthly basis with a portfolio implementation monitoring report to ensure there are no recording errors. The report also picks up material asset allocation discrepancies from the benchmark. Inspected a sample monthly portfolio implementation monitoring report. Noted that this included a comparison and error (1 noted) was displayed. This was noted to be reviewed and commented on by the Operations department. The sample monthly report reviewed also included the asset allocation details described in the control procedure. The report is circulated to Investment Managers, Team Heads and senior management, and Investment Managers will take appropriate action for their portfolios. Observed that the sample report was circulated to Investment Managers, Team Heads and Senior Management.Confirmed by enquiry that Investment Managers will take action as appropriate. 16

17 2.2 Investment transactions are properly authorised, executed and allocated in a timely and accurate manner. Market transactions can only be entered onto the order entry system by front office staff, who are either a CF30 approved person or acting under the supervision of a CF30 approved person. Confirmed by enquiry that only front office staff have access to the order entry system. Reviewed correspondence demonstrating that for a sample Investment Manager, the Compliance Department had approved the Investment Manager s access rights to the order entry system. Reviewed the FSA website to confirm a sample Investment Manager is a CF30 approved person. At the time of order entry, a valid account has to be entered and the trade is automatically checked to ensure that (where applicable) it does not breach any restrictions, nominee sales are covered, W-8BENs are in place and sufficient cash is held. Observed for a sample trade entry that the system automatically conducts the checks described in the control procedure and shows a warning message if there are any issues. 2.3 Transactions are undertaken only with approved counterparties. All domestic equities are traded through firms that are members of the London Stock Exchange. Reviewed a list of counterparties used. Observed that a sample of counterparties are listed on the London Stock Exchange. International securities are only traded through counterparties that have been approved by the firm s Compliance department Inspected correspondence for a recently appointed international counterparty and noted that it was approved by the Finance & Adminstration Executive ( F&A ) and Compliance. 17

18 2.4 Commission levels and transaction costs are monitored. Commission and other transaction charges are either automated depending on the agreed charging schedule, or can only be overridden by the Contracts department. For a recent sample contract note, the commission charged corresponded to the client s charging schedule. The Records department input the basis for fees and charges into Fiscal in accordance with the signed client agreement. This is then reviewed by the Checking and Control department. Inspected correspondence around a recent override and noted it was approved by the Contracts department. Inspected the details of fees for a sample new client per Fiscal and noted these were signed off by the Checking and Control department as evidence of review. 2.5 Investment and related cash transactions are completely and accurately recorded and communicated for settlement in a timely manner. Exception reports detailing unmatched and alleged trades are produced and reviewed on a daily basis by the Operations department. Any breaks are dealt with on a timely basis to ensure all transactions settle on settlement date. Reviewed a sample unmatched trades report and noted it was reviewed by the Operations Department. 2.6 Corporate actions are processed and recorded accurately and in a timely manner Exception reports for unit trust settlement and a failed trade report from the custodians are also produced and reviewed by Operations on a daily basis. Corporate actions affecting client holdings are logged on a computerised diary system by the Corporate Actions team on a daily basis to ensure timely processing. Data is received from Crest, the London Stock Exchange, Interactive data and from the custodians. Observed for a sample custodian, a report of failed trades was received and reviewed. Reviewed correspondence demonstrating that items from the failed trade report were queried with the custodian. Inspected the corporate actions computerised diary system and noted that a sample corporate actions notification from a third party source and noted it was included in the diary system. 18

19 Where elections are required, a secure corporate actions communication platform is used. Investment Managers input instructions through the system to enable the Corporate Actions team to make an election. All elections are input and independently checked by a senior member of the team. Reviewed a sample of Investment Managers instructions for a corporate action and noted these had been appropriately input and independently checked by members of the Corporate Actions team. 2.7 Dividends are processed and recorded accurately and in a timely manner. The communication platform stores all events processed through it and provides an audit history. Dividend information affecting client holdings is received from Interactive Data on a daily basis. This automatically creates dividend entitlements based upon the ex-date holding information as recorded in the Fiscal nominee system. Inspected the communication platform and noted it provided an audit history of corporate actions. Reviewed a sample daily notification of dividend information from Interactive Data and a sample Inserted Dividend Sheet confirming the dividend entitlements had been calculated per the holdings in Fiscal. On payment date and upon receipt of funds, the dividend will be released to clients. All dividend releases are reviewed and signed off by a senior member of the Dividend department. Inspected a sample Dividend Release Report and confirmed it was signed by a senior manager authorising the release of the dividend. An unreceipted dividend report is maintained to ensure that all dividends entitlements captured and created by the system are received and released. This report is monitored by senior members of staff and appropriate action is taken to investigate any items not received. Inspected a sample Unreceipted Dividend Report and noted it had been reviewed by a senior manager. 19

20 2.8 Proxy voting instructions are generated and recorded and carried out accurately and in a timely manner. 2.9 Client new monies and withdrawals are processed and recorded completely and accurately; withdrawals are appropriately authorised. Generally Quilter does not exercise voting rights on securities or investments held on behalf of a client. Proxy voting will only be actioned upon request from an Investment Manager by the Corporate Actions department. All voting is cast in a timely manner, either electronically or by registered post in order to meet the registrar s deadlines. All receipts are assigned to a client. These are checked and authorised prior to presenting at the bank. The process required to update client accounts on Fiscal also requires authorisation. All payments are processed following receipt of valid instructions from either the client or Investment Manager. Confirmed by corroborative enquiry that Quilter does not exercise voting rights on securities held on behalf of client. Observed that a sample proxy vote instruction was sent by the Investment Manager to the Corporate Actions department, and that the proxy vote was cast before the deadline. Observed a sample receipt was assigned to a client. Where the payee account differs from that held on Fiscal and is in excess of 5,000 the client s signature is verified. All instructions are checked and authorised prior to processing. Observed that a sample payment was authorised by the client and that a Third Party Payment Request Form was completed, evidencing that all instructions had been checked prior to processing. All bank accounts are reconciled on a daily basis. Inspected a daily bank reconciliation. 20

21 2.10 Lender and borrower participation in lending programs is authorised and loan initiation, maintenance and termination are accurate and timely. All loans require a signed agreement between Quilter and the client. This agreement can only be authorised by one of three main board directors. Upon termination the collateral is released back to the client. Reviewed a sample loan and confirmed that an authorised agreement was in place Loans are fully collateralised and the collateral together with its related income is recorded completely, accurately and on a timely basis. All loans are fully collateralised and there are criteria setting out the amount and type of collateral that must be held. A daily collateral report covering all outstanding loans is reviewed by the Operations and Finance departments to ensure sufficient collateral is available. Reviewed a report showing that all loans were fully collateralised. Inspected a sample of daily collateral which had been circulated to Operations department automatically. 3. MAINTAINING FINANCIAL AND OTHER RECORDS 3.1 Investment income and related tax are accurately recorded in the proper period. Quilter provide clients with an annual Consolidated Tax Certificate ( CTC ) providing details of all investment income collected and the taxes associated with each item. Inspected a sample CTC and noted it included investment income and associated taxes. All items processed under the controls of the Nominee Dividend system automatically write to the client CTC files. Confirmed by corroborative enquiry that system automatically writes to the client CTC files. Year end reports are produced and reviewed to demonstrate consistency in the processing, categorisation and taxation of similar dividend types. Inspected the year end report and noted it was as described in the control procedure. Confirmed by inquiry that this is reviewed by Operations. 21

22 3.2 Investments are valued using current prices obtained from independent external pricing sources or determined according to approved pricing policies and procedures for fair values in circumstances where independent sources are not available. Investments are valued using the previous day s mid-market price provided by an automatic feed from Interactive Data. For manually priced securities, the price is sourced from either Interactive Data s website or a recognised trading platform. Any manual adjustments are logged and the source recorded. All manual pricing is independently reviewed by the Services department. Observed that the Interactive Data system automatically provides prices. Inspected a daily manual pricing report and noted it was as described in the control procedure and signed off by an independent reviewer. A report is produced and reviewed each day for all stocks that have had a ten percent variance in their pricing. Inspected a sample ten percent variance report that had been reviewed by valuations. There is no formal signoff or evidence of review, but confirmed by inquiry that the report is checked daily. 3.3 Cash and investment positions are completely and accurately recorded and reconciled to third party data. A stale pricing report is monitored to ensure that stock pricing is being updated and that there are no stale prices. All bank accounts are reconciled on a daily basis. Any reconciliation breaks are aged and reviewed on a daily basis and are rectified by the third business day, with unidentified money returned to the sender on the third business day. Reviewed a sample stale stock pricing report. Confirmed by inquiry that this is prepared on a rolling basis. Any price changes on known stale prices are picked up by the manually priced report which is reviewed (see above). Observed that bank reconciliations were prepared for a sample date. These had been reviewed by Operations Head and Operational and Business Risk department. Outstanding items report had also been reviewed. 22

23 Outstanding issues are reported to the CASS Working Group on a monthly basis. Reviewed minutes of the CASS Working Group confirming that breaks were on the agenda and that there had not been any recent client money breaks. All stock positions are reconciled by an independent reconciliation department on a monthly basis. Reconciliation breaks are aged and also reviewed. Inspected a sample monthly stock reconciliation and noted it was signed off as evidence of independent review. Outstanding issues are reported to the CASS Working Group on a monthly basis. Reviewed the minutes of the CASS Working Group and noted they discussed issues arising from the reconciliations. 3.4 Investment management fees and other account expenses are accurately calculated and recorded. The Records department input the basis for fees and charges into Fiscal in accordance with the signed client agreement. This is then reviewed by the Checking and Control department. Any amendments are input and reviewed by the above departments. Confirmed that the fee details for a sample new client had been correctly entered and noted these were signed off by the Checking and Control department as evidence of review. Fees are automatically calculated as a percentage of the portfolio s average month end value over a three month period. Fees are debited to client accounts on a quarterly basis and are included in client statements. Upon request, clients receive notification of the fee debit by invoice. Reviewed client statement sent to a sample client and noted that the appropriate fee rate had been debited to their account. 23

24 4. CASH MANAGEMENT AND SEGREGATION OF ASSETS 4.1 Uninvested cash is managed with regard to diversification of risk and security of funds. A Client Money Diversification Report ( CMDR ) is produced each day to ensure that client money is diversified in accordance with FSA CASS Rules. The CMDR is monitored by both the Operational and Business Risk and Treasury departments, and appropriate action is taken if the internal guideline limits are exceeded. Reviewed a sample CMDR and noted it calculated client money held by respective institutions in accordance with the FSA CASS rules. It was noted from the reports that two balances had gone over the half a percentage tolerance level set. As such the subsequent three days worth of reports were selected for review, showing a reduction in the balances of the two affected accounts, thereby demonstrating their continuing maintenance at acceptable levels. 4.2 Investments are properly registered and client money is segregated. A monthly review of bank credit ratings is performed and reviewed by the CASS Working Group. All client stock holdings are registered to one of Quilter s nominee companies. Each client has their registration details updated on to Fiscal and this determines how the client s stock will be registered. A client will have their physical and book entry holdings registered to the same nominee. Reviewed meeting minutes of the CASS Working Group and noted bank credit ratings were discussed. Observed for a sample client that the stock holdings were registered with a nominee company and updated on Fiscal. Stock held by the custodian will be held to the order of either Quilter London or Quilter Jersey depending on their onshore or offshore status. Inspected custodian statement for a sample of clients. Statement showed Quilter London custody account for onshore clients and Quilter Jersey custody account for offshore clients. 24

25 Segregated client money accounts are in place for which Trust status has been confirmed with the relevant bank. Observed that a sample client money account had trust status. 4.3 Physically held securities are safeguarded from loss, misappropriation and unauthorised use. 5. MONITORING COMPLIANCE 5.1 Client portfolios are managed in accordance with investment objectives, monitored for compliance with investment limits and restrictions and performance is measured. Client money requirements are calculated and reconciled to cash holdings on a daily basis by the Treasury department. Any shortfalls or excesses are funded from or transferred to a corporate bank account. Physically held securities are registered to a nominee company and the certificates are held in locked fire proof cabinets. A record of physically held securities is logged on Fiscal and a monthly reconciliation of physically held securities is performed. A Monthly Monitoring Report is prepared and circulated to Investment Managers, Senior Management and Team Heads. This report reports the following: 1. Mismatches between permitted combinations of client objectives, benchmark and model. 2. Any accounts without a recorded benchmark, model, objective and/or risk category. 3. Any accounts with holdings that potentially breach client placed restrictions. Reviewed sample client money requirement calculations. Observed that surplus of requirement over actual client money was transferred out on the same day. Observed physically held security certificates are held in a fire proof cabinet. Inspected a sample monthly reconciliation of physically held securities against Fiscal and noted it was signed off by a reviewer. Reviewed a sample Monthly Monitoring Report and noted it included all the features described in the control procedures. Reviewed correspondence confirming a sample Monthly Monitoring Report had been circulated to the persons described in the control. Confirmed by enquiry with an Investment Manager that the reports are reviewed and appropriate action is taken to resolve any issues noted. 25

26 4. Accounts where holding an asset class in the model. 5. Accounts with performance differs by more than 5% from the benchmark performance over a three and one year period. 6. Accounts with equity holdings of 10% or more of the portfolio value. 5.2 Transaction errors (including guideline breaches) are rectified promptly and clients are treated fairly. If a transaction error is identified, the position is corrected by an error transaction through the Quilter errors account. Client positions are adjusted to where they would have been had the error not occurred. Inspected correspondence regarding a recent error which was greater than 1,000 and noted the client was restored to the original position. 5.3 Compensation payments are authorised, calculated and reviewed by management. Error transactions are logged and losses above 1,000 are reported to the Finance and Administration Executive. Compensation payments are calculated with respect to the type of complaint made. Team leaders or area managers must authorise and sign off on any such payments. Reviewed the Finance & Administration Executive minutes and noted that errors were discussed. Reviewed compensation payment made had been signed off by Team leader. All payments are monitored by the Operational and Business Risk department, Compliance department and the Treating Customers Fairly ( TCF ) Committee. Observed that payments have been reviewed by Operational and Business Risk department, Compliance department and the TCF Committee. 26

27 5.4 Outsourced activities are properly managed and monitored and conflicts of interest identified to clients The main activity outsourced by Quilter is the role of sub custodian. On a monthly basis, all open sub custodian trades and cash balances are reviewed by the Operational and Business Risk department. Reviewed a sample monthly review of all open trades and observed that the Operational and Business Risk department had reviewed the report. Daily reconciliations of failed and open trades are performed and reviewed by the Treasury and Settlements departments. Reviewed a sample daily reconciliation of failed and open trades and noted it was reviewed. 5.5 Sub-custodians are approved and performance standards are monitored on a timely basis The Operational and Business Risk department performs due diligence on all sub custodians prior to their engagement and a checking on annual basis. Both the initial and annual due diligence are signed off by the Chief Financial Officer ( CFO ). Reviewed copy of the due diligence for a sub custodian and observed that it was signed off by the CFO. All open sub custodian trades are reviewed by the Operational and Business Risk department each month to ensure trades are settled on a timely basis, and escalated to senior management where appropriate. Reviewed sample monthly review of all open trades and observed that the Operational and Business Risk department had reviewed the date. Crest performance reports are received from Crest each week and are circulated to management. Reviewed Crest performance report and confirmed by enquiry that it was circulated to management. 27

28 5.6 Counterparty exposures are monitored. Each day an overseas counterparty exposure report is circulated to and reviewed by the Dealing Desk and the Head of Stockbroking. The report shows the total exposure to each counterparty, as well as the individual securities that comprise these exposures. Reviewed a sample overseas counterparty exposure report and noted it was as described in the control, and observed that it had been reviewed by the Dealing Desk and Head of Stockbroking. 5.7 Banking exposures are monitored. A monthly review of bank credit ratings is performed and reviewed by the CASS working Group. 6. REPORTING TO CLIENTS Reviewed sample meeting minutes of the CASS Working Group and noted bank credit ratings were discussed. 6.1 Client reporting in respect of portfolio transactions, holdings and performance, commission and voting is complete and accurate and provided within required timescales. Contract notes are sent centrally from the Contracts department by the end of the business day following the trade. Clients record their account statement requirements on the account opening form, which is recorded on system. Statements are then produced according to the agreed time and frequency. Inspected a contract note for a recent trade and noted it was sent out on the day of the trade. Reviewed a client account opening form and noted it included statement requirements as described in the control procedures. Comprehensive half yearly summaries including performance details are sent within 25 business days from the date of valuation. Each team head must confirm by to the Services department head that this deadline has been met. Reviewed correspondence confirming that the latest half year summaries were sent within 25 days of the valuation date. An annual nominee statement, safe custody statement and valuation statement is sent direct from offsite printers to all clients. Confirmed by corroborative enquiry that statements described in procedures are sent direct from offsite printers. 28

29 7. RESTRICTING ACCESS TO SYSTEMS AND DATA 7.1 Physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals Quilter hosted network servers are stored in physically secure comms rooms and access is only granted to authorised individuals. Access has to be approved by the Quilter Head of Technical Services. Copies of the granting approval are retained. Inspected the comms room and observed that the systems in use are restricted to authorised individuals. Inspected a sample of approval s granting access to the comms room. Access to the Quilter comms rooms and activity into the rooms is reviewed and signed off via on a weekly basis by the Quilter Technical Services department. Inspected the log of access activity for the comms room for evidence of sign off. 7.2 Logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques. Backups made on Quilter sites are encrypted and held in fireproof safes. The two most recent backups in London and all month end tapes for all sites are held off site with Iron Mountain. Strong/complex password policies are enforced on the Quilter network and all business critical applications. New user accounts can only be created by members of Quilter Technical Services department on receipt of the approval from HR and the business manager. Observed that backups are held in a fire proof safe. Inspected daily backup control documents. Inspected password settings on the Quilter network and business critical applications. Inspected a sample of user request forms and confirmed approval by HR and the business manager. 29

30 Access requests are only granted by Quilter Technical Services when approved by the owner (system owners are documented against each application) and line staff line manager. Inspected a sample of access request forms and noted approval of the system owner and staff line manager. When a member of staff leaves, Quilter HR notify Quilter Technical Services to remove from the Quilter network and critical business applications Inspected a sample of leaver forms and inspected user lists to confirm that their access had been removed from critical systems. Privileged access is restricted to appropriate personnel. Made enquiries of management as to the appropriateness of personnel with privileged access and confirmed this by reference to their job role. 7.3 Segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles. Quilter undertakes 6 monthly entitlement reviews of all network accounts and business critical applications. The entitlements are reviewed and signed off either by line managers or system owners as appropriate. The user entitlement reviews of third party business critical applications include review and sign off by the Operational Risk Manager for administrator level privileges. Records of the reviews are held indefinitely. Inspected a sample of user entitlement reviews for business critical applications. Inspected that administrator level privileges on third party business critical applications had been signed off by the Operational Risk Manager. Changes in user access are only implemented by Quilter Technical Services when approved by line managers and system owners, as per documentation against each system. A matrix of incompatible duties is maintained to ensure incompatible duties are not provided to users for core systems. Inspected a sample of access request forms noting approval by the system owner and staff line manager. Inspected the incompatible duties matrix and the assigned access rights of a sample user and confirmed that they were assigned in line with the matrix. 30

31 When an employee moves departments, all access is removed and only access to specified systems is added back in according to the completed Mover form. Segregation of incompatible duties are not provided to users for business critical applications. Developer access to the live environment is strictly prohibited for Quilter bespoke applications Inspected a sample mover form. Inspected the incompatible duties matrix and the assigned access rights of a sample user to confirm that they were assigned in line with the matrix. Inspected the list of developers and list of users with access to the live environment for Quilter bespoke applications. 8. PROVIDING INTEGRITY AND RESILIENCE TO THE INFORMATION PROCESSING ENVIRONMENT, COMMENSURATE WITH THE VALUE OF THE INFORMATION HELD, INFORMATION PROCESSING PERFORMED AND EXTERNAL THREATS 8.1 IT processing is authorised and scheduled appropriately and exceptions are identified and resolved in a timely manner. Batch jobs are scheduled using automated scheduling tools. Any amendments to a process must adhere to the Change Management procedures. Inspected the automated scheduling tool. Inspected a sample change to a scheduling tool to confirm it followed specified change management procedures. Exceptions to normal processing are alerted to IT support staff who will take remedial action. Inspected a sample alert for an exception to normal processing. Inspected the processing log to confirm remediation action. 31

32 8.2 Data transmissions between the service organisation and its counterparties are complete, accurate, timely and secure. All communications to counterparties are sent securely via the method agreed with the counterparty and approved by the Information Security officer. Inspected a sample of data transmissions to external counterparties and confirmed the method of secure communication used. The accuracy and completeness of data is maintained via a number of system integrity checks which are automatically generated as part of the overnight load process. Inspected a sample of data transmissions and confirmed the data integrity checks were automatically applied. 8.3 Appropriate measures are implemented to counter the threat from malicious electronic attack (e.g., firewalls, anti-virus etc.). Transfer processes are monitored, alerted and promptly resolved where issues with accuracy, completeness or timeliness of data transmissions are identified. Quilter network is protected by multiple vendor security devices - firewalls, intrusion prevention systems, content control and multiple antivirus products. Inspected a sample of data transmissions and confirmed the automated confirmation of successfully completed transfers. It was not possible to evidence the control over resolution of issues identified as there had been no recent failures related to the accuracy, completeness or timeliness of data transmission. Observed that the vendor security devices listed within the control procedure were implemented on the Quilter network. Penetration and web vulnerability testing is undertaken on an annual basis by an external company (which is reviewed and where appropriate changed every 2 years). A response to any issues raised in the testing reports is documented along with any remedial action. Inspected penetration and web vulnerability test reports from external testing providers. Inspected records relating to the external testing provider and confirmed they had not been in use for more than two years. Inspected management responses to issues raised in the testing reports. 32

33 All network PCs and file servers have anti-virus software installed. Virus definitions are checked on an hourly basis and pushed to workstations and file servers across all branches, three times a day. Inspected the anti-virus software installed. Inspected the configuration of the anti-virus software definitions to confirm updates are scheduled hourly. A third party solution is used to scan inbound and outbound s for viruses and spam. Inspected the third party solution configuration screen for anti-virus and spam filtering. 8.4 The physical IT equipment is maintained in a controlled environment. Laptops are encrypted using disk encryption. The core Quilter comms rooms are air conditioned, protected by UPS and connected to a fall back generator. Inspected a sample laptop to confirm disk encryption. Inspected the comms room and observed the environmental systems in use. The core Quilter comms rooms are also monitored by a building monitoring system (BMS), which will alert support staff in the event of problems with regard to temperature, humidity, water detection and fire. Inspected a sample alert from the BMS. In the core Quiter comms rooms,an automated gas fire suppression system is installed and tested annually. Inspected the comms room and observed the fire suppression system. Inspected evidence that the system had been tested within the prior year. 33

34 9. MAINTAINING AND DEVELOPING SYSTEMS HARDWARE AND SOFTWARE 9.1 Development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented. Quilter application changes are authorised by management and tested in accordance with the documented change management process. Changes to off the shelf applications follow the documented change management process. Changes are developed by the third party vendor and deployed in a user acceptance testing environment. User acceptance testing is performed by the Finance function and approval given. The Operational Risk function perform testing of the change to confirm the change has not affected the control environment of the application and give approval. Implementation is performed by the vendor. Inspected that an application change to a bespoke system had been authorised and tested. This is a new control recently implemented to further strengthen the control environment. The new control had not yet operated at the date of testing, and as such it was not possible to perform testing of the control. Inspection of the change control policy document confirmed that the policy is as described in the control wording. Test sign-off is obtained prior to promotion to the live environment. Inspected a sample of one application change to a bespoke application and confirmed that sign-off had been obtained prior to promotion to the live environment. Inspected a sample network system change and confirmed that sign-off had been obtained prior to promotion to the live environment. 9.2 Data migration or modification is authorised, tested and, once performed, reconciled back to the source data. Data modification and migration is done in accordance with the documented change management process, which includes the authorisation and testing of the change. Inspected a sample of data modification and noted testing and approval documentation. Inspected the changes log and confirmed that there had been no recent data migrations. As such it was not possible to perform testing of the control for data migrations. 34

35 10. RECOVERING FROM PROCESSING INTERRUPTIONS 10.1 Data and systems are backed up regularly, retained offsite and regularly tested for recoverability. Daily encrypted backups are taken at all sites. 10 minute snapshops of data for Quilter bespoke applications are transferred to the Disaster Recovery Site. Inspected the daily backup control sheet. Inspected the configuration of the backup scheduler. Weekly restores are undertaken by the Technology department for the business critical systems to prove recoverability. Inspected the daily backup control sheet IT hardware and software issues are monitored and resolved in a timely manner. IP Sentry, a monitoring system, is in place for core systems which will alert in the event of failures. Members of the Quilter Technology department are on call 24/7 in the event of any overnight processing problems. Inspected the configuration of the IP sentry system. Inspected a sample alert due to an identified failure. Inspected a sample of an alert for an overnight processing problem. The Quilter Helpdesk is available from 07:45 to 18:00 for logging of user and system problems. A call was placed with the help desk within the hours of operation. All report problems are logged on a centralised tracking Helpdesk database and, where necessary, are escalated internally or externally. Weekly and monthly management reporting is also produced on major issues for review. Inspected the centralised helpdesk database. Inspected a sample of weekly and monthly management reporting. 35

36 10.3 Business and information systems recovery plans are documented, approved, tested and maintained. A summary of the business continuity plan is documented and approved by management business, on an on-going basis. Inspected the summary of the business continuity plan. 11. MONITORING COMPLIANCE (IT) 11.1 Outsourced activities are properly managed and monitored. A BCP test is undertaken as a minimum of every 18 months. Service level agreements are in place and performance is monitored to ensure compliance. Inspected the most recent BCP test and confirmed that it was performed within 18 months of the reporting date. Inspected the service level agreements in place. Inspected documentation related to the monitoring of performance against service level agreements. Service level meetings are held to address issues in a timely manner. Inspected a sample of service level monitoring meeting minutes. 36

37 APPENDIX 1 - REPORTING ACCOUNTANTS ENGAGEMENT LETTER 37

38 38 ASSURANCE REPORT ON INTERNAL CONTROLS (AAF 01/06)

39 39 ASSURANCE REPORT ON INTERNAL CONTROLS (AAF 01/06)

40 40 ASSURANCE REPORT ON INTERNAL CONTROLS (AAF 01/06)

41 41 ASSURANCE REPORT ON INTERNAL CONTROLS (AAF 01/06)