
Precious Group ISAE 3402 Type 2 Report

Uploaded by

Muhammad Nawaz

ABAGroup

ISAE 3402

TYPE 2 REPORT

THE PRECIOUS GROUP INCLUDES PRECIOUS INVESTMENT MANAGEMENT (PTY) LTD, PRECIOUS LIFE LTD,
PRECIOUS FUND SERVICES (PTY) LTD AND PRECIOUS MANAGEMENT COMPANY (RF) PTY LTD
AND PRECIOUS FUND SERVICES (IRELAND) LTD
CONTENTS

1 INDEPENDENT SERVICE AUDITOR’S ASSURANCE REPORT ON THE DESCRIPTION OF CONTROLS, THEIR DESIGN AND OPERATING EFFECTIVENESS

2 STATEMENT BY THE SERVICE ORGANISATION

3 OVERVIEW AND SCOPE OF WORK
3.1 Introduction
3.2 Sampling methodology
3.3 Exceptions discovered during testing
3.4 Summary of control objectives tested and results of testing

4 PRECIOUS MANAGEMENT’S DESCRIPTION OF OPERATIONS AND INTERNAL CONTROLS
4.1 Overview of Precious
4.2 Control environment
4.3 Accepting Clients
4.4 Authorising and processing transactions
4.5 Maintaining financial and other records
4.6 Cash management and segregation of assets
4.7 Monitoring Compliance
4.8 Reporting to Clients
4.9 IT General Control Environment

5 CONTROL OBJECTIVES, CONTROL ACTIVITIES AND TESTING OPERATING EFFECTIVENESS OF CONTROLS
5.1 Accepting Clients
5.2 Authorising and processing transactions
5.3 Maintaining financial and other records
5.4 Cash management and segregation of assets
5.5 Monitoring Compliance
5.6 Reporting to Clients
5.7 IT General Control Environment

6 MANAGEMENT’S COMMENTS THAT DO NOT FORM PART OF OUR OPINION


1 Independent Service Auditor’s Assurance Report on the Description of Controls, their
Design and Operating Effectiveness
To the Directors of Precious Group
Scope
We have been engaged to report on Precious Group’s (“Precious”) description of its investment management and administration system, as
documented in Section 4 and the “Precious Process” and “Precious Control Activities” as documented in Section 5, as at 31 March 2017 (“the
description”), and on the design and operation of controls related to the control objectives stated in the description. For the purpose of our
engagement and this report, “Precious” refers to Precious Investment Management (Pty) Ltd, Precious Life (RF) Ltd, Precious Fund Services
(Pty) Ltd, Precious Management Company (RF) (Pty) Ltd and Precious Fund Services Ireland (Pty) Ltd, as the investment management and
administration system operates across all of these entities.
Precious’s Responsibilities
Precious is responsible for: preparing the description in Section 4 and the accompanying statement in section 2, including the completeness,
accuracy and method of presentation of the description and the statement; providing the services covered by the description; stating the control
objectives; and designing, implementing and effectively operating controls to achieve the stated control objectives.
Our Independence and Quality Control
We have complied with the independence and other ethical requirements of the Code of Ethics for Professional Accountants issued by the International
Ethics Standards Board for Accountants, which is founded on fundamental principles of integrity, objectivity, professional competence and due care,
confidentiality and professional behavior.
The firm applies International Standard on Quality Control 1 and accordingly maintains a comprehensive system of quality control including documented
policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.
Service Auditor’s Responsibilities
Our responsibility is to express an opinion on Precious’s description and on the design and operation of controls related to the control objectives stated
in that description based on our procedures. We conducted our engagement in accordance with International Standard on Assurance Engagements
3402, “Assurance Reports on Controls at a Service Organisation” issued by the International Auditing and Assurance Standards Board. That standard
requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly
presented and the controls are suitably designed and operating effectively.
An assurance engagement to report on the description, design and operating activities of controls at a service organisation involves performing
procedures to obtain evidence about the disclosures in the service organisation’s description of its system and design and operating effectiveness of
controls. The procedures selected depend on the service auditor's judgement, including the assessment of the risks that the description is not fairly
presented, and that controls are not suitably designed or operating effectively. Our procedures include testing the operating effectiveness of those
controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance
engagement of this type also includes evaluating the overall presentation of the description, the suitability of the control objectives stated therein, and
the suitability of the criteria specified by the service organisation and described in Section 2.
We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our qualified opinion.
Limitations of Controls at a Service Organisation
Precious’s description is prepared to meet the common needs of a broad range of clients and their auditors and may not, therefore, include every aspect
of the system that each individual client may consider important in its own particular environment. Also, because of their nature, controls at a service
organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Also, the projection of any evaluation of
effectiveness to future periods is subject to the risk that controls at the service organisation may become inadequate or fail.

Basis for Qualified Opinion

1
Reference: 5.3.5.1 & 5.3.5.5
Control objective: Controls provide reasonable assurance that investment management fees, performance fees are accurately calculated and recorded.
Qualification on design/operating effectiveness: Precious states that it has controls in place to meet this objective, including the fact that management packs are produced and reviewed monthly by a senior member of the finance team. However, for one of the months selected we were unable to inspect evidence that the management pack was reviewed by a senior member of the finance team. As a result of this exception, the operating effectiveness of the control failed and the control objective was not met.

2
Reference: 5.7.3.4, 5.7.3.5, 5.7.3.6 & 5.7.3.7
Control objective: Controls provide reasonable assurance that logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.
Qualification on design/operating effectiveness: Precious states that it has controls in place to meet this objective, however, a number of exceptions were noted in testing the controls related to this control objective:

The following controls were not suitably designed to achieve this control objective:
   1 Users are not assigned multiple accounts. We found, however, multiple user IDs for 2 users on Eagle Access and 4 users on T-Cube.
   2 Administrative access is restricted to appropriate personnel. We found, however, that administrative access through the sharing of generic user accounts is granted on the T-Cube Database (DB) and Operating System (OS) as well as the Thinkfolio DB and OS.

In addition, the following controls did not operate effectively during the period:
   3 Users who terminate employment or transfer job functions are removed in a timely manner from the application and database. We found, however, that the user accounts for 2 Eagle Access users who have left the organisation have not been locked and not been terminated.
   4 A review of the appropriateness of access is performed for the Active Directory, T-Cube and Eagle Access application and database. We found, however, that evidence of the annual review of the user access to confirm validity and appropriateness of user access could not be obtained for the Eagle Access application.

As a result of these exceptions the control objective was not met.

Qualified Opinion
Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion are those described in Section
2. In our opinion:
(a) The description fairly presents Precious’s investment management and administration system as designed and implemented throughout the year
from 1 April 2016 to 31 March 2017;
(b) Except for the effects of the matters described in 2 in the Basis for Qualified Opinion table above the controls related to the control objectives
stated in the description were suitably designed and implemented throughout the year from 1 April 2016 to 31 March 2017; and
(c) Except for the effects of the matters described in 1 and 2 in the Basis for Qualified Opinion table above the controls tested, which were those
necessary to provide reasonable assurance that the control objectives stated in the description were achieved, operated effectively
throughout the year from 1 April 2016 to 31 March 2017.
Description of tests of controls
The specific controls tested and the nature, timing and results of those tests are listed in the “BIG4 test procedure and results of testing” portion of
Section 5.
Other Matter
Sections 2.1 and 6 include supplementary information in the form of management comments on the exceptions identified in Section 5. This
information is not covered by our opinion.
Intended users and purpose
This report and the description of tests of controls in Section 5 are intended only for clients who have used Precious’s systems, and their auditors, who have
a sufficient understanding to consider it, along with other information, including information about controls operated by clients themselves, when
assessing the risks of material misstatements of clients’ financial statements.
BIG4 Services (Pty) Limited
Chartered Accountant (SA)
Director
16 May 2017

Foreshore
Cape Town
8001

2 Statement by the Service Organisation
The accompanying description has been prepared for clients who have used the investment management and administrative operations of
Precious and their auditors, who have a sufficient understanding to consider the description, along with other information, including information
about controls operated by clients themselves, when assessing the risks of material misstatements of clients’ financial statements.
Precious confirms that:
(a) The description of the investment management and administration system, documented in Section 4 and the “Precious Process” and
“Precious Control Activities” portions of Section 5, fairly presents its controls related to investment management and administration
operations as designed and implemented throughout the period 1 April 2015 to 31 March 2016. The criteria used in making this statement
were that the accompanying description:
(i) Presents how the system was designed and implemented, including:
- The types of services provided, including, as appropriate, classes of transactions processed.
- The procedures, within both information technology and manual systems, by which those transactions were initiated, recorded, processed, corrected as necessary, and transferred to the reports prepared for clients.
- The related accounting records, supporting information and specific accounts that were used to initiate, record, process and report transactions; this includes the correction of incorrect information and how information was transferred to the reports prepared for clients.
- How the system dealt with significant events and conditions, other than transactions.
- The process used to prepare reports for clients.
- Relevant control objectives and controls designed to achieve those objectives.
- Controls that we assumed, in the design of the system, would be implemented by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by ourselves alone.
- Other aspects of our control environment, risk assessment process, information system (including the related business processes) and communication, control activities and monitoring controls that were relevant to processing and reporting clients’ transactions.
(ii) Includes the relevant changes to the service organisation’s system during the period 1 April 2015 to 31 March 2016.
(iii) Does not omit or distort information relevant to the scope of the system being described, while acknowledging that the
description is prepared to meet the common needs of a broad range of clients and their auditors and may not, therefore, include
every aspect of the system that each individual client may consider important in its own particular environment.

(b) The controls related to the control objectives stated in the accompanying description were suitably designed and operated throughout the
period 1 April 2016 to 31 March 2017. The criteria used in making this statement were that:
(i) The risks that threatened achievement of the control objectives stated in the description were identified;
(ii) The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated
control objectives from being achieved; and
(iii) The controls were applied as designed, including that manual controls were applied by individuals who have the appropriate
competence and authority, throughout the period 1 April 2016 to 31 March 2017.

Precious Group

C Mockford
Chief Operating Officer
16 May 2017

2.1 Comments by the Service organisation on exceptions noted in the Qualified Opinion

Reference: 5.3.5
Control objective: Controls provide reasonable assurance that investment management fees, performance fees are accurately calculated and recorded.
Management response*: The month of November 2016 was an anomaly in that there were certain major operational and financial activities that resulted in the CFO’s review of the management pack being delayed. The management pack for the month of November was subsequently reviewed. The packs for the months prior to and subsequent to November 2016 were reviewed. Management packs are also distributed to the relevant executives, who review the management packs of their business units. It should also be noted that management packs contain comparative, year to date information for each month, meaning that subsequent months included November 2016 information.

Reference: 5.7.3.4, 5.7.3.5, 5.7.3.6 and 5.7.3.7
Control objective: Controls provide reasonable assurance that logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.

Management response* (5.7.3.4): These are users that left the employ of Precious during Feb 2017 and the accounts were only locked at the end of the following month, after the audit extract was retrieved, at which point it was verified that the users had not accessed the system since their last day of employment.

Management response* (5.7.3.5): The two T Cube users (4 user ID’s) that have been duplicated are as a result of the original user account that was created which differed to that of the Active Directory user and therefore the user could not access the system. The one duplicated Eagle user (2 user ID’s) was as a result of the external user locking himself out because his PC was set to remember his password and was unable to clear the stored password and needed the information urgently. A new user was therefore created in the above instances. Important to note that there was no concurrent access by the users through their various accounts.

Management response* (5.7.3.6): There was no documented annual review sign off since there is an ongoing review performed throughout the year as and when users are created or terminated. In future the control is to be updated to only cover a documented annual review of users with write access to Eagle.

Management response* (5.7.3.7): The shared account is only available to 3 staff members who have been in Precious’s employ in excess of 7 years. Even though the access is shared, the IP addresses of the machines connecting to these servers is logged and can be traced if required. We have recently appointed a dedicated Database Administrator (DBA). The DBA will administer these databases removing shared access.

* Refer also to section 6 for detailed exceptions and management comments

3 Overview and scope of work

3.1 Introduction
Our review was performed in terms of International Standard on Assurance Engagements (ISAE) 3402 “Assurance Reports on Controls at a Service
Organisation”. Our fieldwork covered the period 1 April 2016 to 31 March 2017 and was conducted during the period of October 2016 and March to May
2017.
The scope of our review was based on criteria (control objectives) agreed with management of Precious. These were agreed prior to the commencement
of the review.
Our procedures included interviews with key personnel, inspection of documents and records, observation of Precious’s activities and operations,
structured walkthrough procedures and a combination of these procedures to determine the effective design and operation of the internal controls. In
addition our procedures were limited to the period 1 April 2016 to 31 March 2017 and do not extend to any events subsequent to that period.
Controls that are performed by clients remain their responsibility and were not considered as part of this engagement.
Control objectives were split between business process and IT process objectives. For each of these processes, we gained an understanding of the
operation of the process. We then assessed the adequacy of the design and implementation and operating effectiveness of those controls to achieve
the stated control objectives. This assessment is reported in section 5 below.

3.2 Sampling methodology


In terms of the frequency of the performance of the control by Precious, we consider the following guidance when planning the extent of tests of control
for specific types of controls.
Where a manual control is performed periodically or is recurring, the following guidelines are utilised:
Frequency of control procedure    Minimum sample size
Quarterly                         2
Monthly                           2
Weekly                            5
Daily                             15
More than daily                   25

Tests of controls are based on the above sample sizes.


General IT controls may be manual, manual with an automated component or automated. Where the General IT control is manual or manual with an
automated component, the guidelines above related to the extent of testing of manual controls are considered to determine the extent of testing of
General IT controls. Where the General IT control is automated, we use our professional judgement, combined with the guidance above.
3.3 Exceptions discovered during testing
The concept of effectiveness of the operation of controls recognises that some exceptions in the way controls are applied by Precious may occur.
Exceptions from prescribed controls may be caused by such factors as: changes to key personnel, significant seasonal fluctuations in volume of
transactions and human error.
We use judgement in considering the overall operating effectiveness of the control by considering the number of exceptions detected, the potential
significance of the financial statement effect, as well as other qualitative aspects of the exceptions such as the cause of the exception.
When we identify an exception for a periodic or automated control, we consider whether other controls may provide the evidence we require.

When we identify an exception for a recurring manual control, we consider whether:
- to increase the extent of testing to be performed; and/or
- other controls may provide the evidence we require.

If we find a single deviation in our initial sample for a recurring manual control operating multiple times per day, when we did not expect to find control
deviations, we consider whether the deviation is representative of systematic or intentional deviations.
If control deviations are found in tests of controls which operate daily or less frequently, the sample size cannot be extended and we assess such controls
as ineffective.

3.4 Summary of control objectives tested and results of testing
The table below summarises the various objectives that have been tested and the related exceptions, if any:

Each entry below gives the control objective, the number of controls tested and the results.

Accepting Clients

5.1.1 Controls provide reasonable assurance that complete and authorised client agreements are operative prior to initiating investment activity.
Number of controls tested: 4
Results: Control objective met.

5.1.2 Controls provide reasonable assurance that accounts are set up and administered in accordance with client mandates and applicable regulations.
Number of controls tested: 9
Results: Control objective met.

5.1.3 Controls provide reasonable assurance that clients’ take-on, including in-specie transfers, are monitored, documented and opening positions are accurately reported to clients.
Number of controls tested: 9
Results: Control objective met.

Authorising and processing transactions

5.2.1 Controls provide reasonable assurance that the responsibility for generating proxy voting instructions is clearly established.
Number of controls tested: 1
Results: Control objective met.

5.2.2 Controls provide reasonable assurance that the investment strategy is implemented in a timely manner.
Number of controls tested: 1
Results: Control objective met.

5.2.3 Controls provide reasonable assurance that investment transactions are executed and allocated in a timely and accurate manner.
Number of controls tested: 7
Results: Control objective met.

5.2.4 Controls provide reasonable assurance that investment and related cash transactions are completely and accurately recorded.
Number of controls tested: 6
Results: Control objective met.

5.2.5 Controls provide reasonable assurance that corporate actions are processed and recorded accurately and in a timely manner.
Number of controls tested: 6
Results: Control objective met.

5.2.6 Controls provide reasonable assurance that proxy voting instructions are generated and recorded and carried out accurately and in a timely manner.
Number of controls tested: 2
Results: Control objective met.

5.2.7 Controls provide reasonable assurance that client new monies and withdrawals are processed and recorded completely and accurately and that withdrawals are appropriately authorised.
Number of controls tested: 12
Results: Control objective met.


Maintaining financial and other records

5.3.1 Controls provide reasonable assurance that investment income is recorded accurately, completely, and in the proper period.
Number of controls tested: 4
Results: Control objective met.

5.3.2 Controls provide reasonable assurance that investments are valued using current prices obtained from independent external pricing sources or determined according to approved pricing policies and procedures for fair values in circumstances where independent sources are not available.
Number of controls tested: 5
Results: Control objective met.

5.3.3 Controls provide reasonable assurance that investments are valued using market-related spreads and accurate yield curves.
Number of controls tested: 1
Results: Control objective met.

5.3.4 Controls provide reasonable assurance that cash and investment positions are completely and accurately recorded and reconciled to third party data.
Number of controls tested: 7
Results: Control objective met.

5.3.5 Controls provide reasonable assurance that investment management fees and performance fees are accurately calculated and recorded.
Number of controls tested: 11
Results: Exceptions noted. Control objective not met.

5.3.6 Controls provide reasonable assurance that issues and cancellations (including switches) of units are recorded completely and accurately, and positions are regularly reconciled.
Number of controls tested: 3
Results: Control objective met.

5.3.7 Controls provide reasonable assurance that fund pricing is accurate and timely.
Number of controls tested: 3
Results: Control objective met.

5.3.8 Controls provide reasonable assurance that expenses are accurately calculated and recorded in accordance with the requirements of the fund and on a timely basis.
Number of controls tested: 3
Results: Control objective met.

5.3.9 Controls provide reasonable assurance that fund distributions are accurately calculated, authorised and recorded, and distributed in a timely manner.
Number of controls tested: 5
Results: Control objective met.


Cash management and segregation of assets

5.4.1 Controls provide reasonable assurance that client money is segregated.
Number of controls tested: 3
Results: Control objective met.

Monitoring Compliance

5.5.1 Controls provide reasonable assurance that client portfolios are managed in accordance with investment mandates.
Number of controls tested: 1
Results: Control objective met.

5.5.2 Controls provide reasonable assurance that transactions (including mandate breaches and deal amendments) are rectified promptly and accurately.
Number of controls tested: 2
Results: Control objective met.

5.5.3 Controls provide reasonable assurance that pricing and distribution rate errors are rectified in a timely manner.
Number of controls tested: 4
Results: Control objective met.

Reporting to Clients

5.6.1 Controls provide reasonable assurance that client reporting in respect of portfolio transactions, holdings and performance, commission and voting is complete and accurate.
Number of controls tested: 2
Results: Control objective met.

IT General Control Environment

5.7.1 Controls provide reasonable assurance that physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals.
Number of controls tested: 3
Results: Control objective met.

5.7.2 Controls provide reasonable assurance that the physical IT equipment is maintained in a controlled environment.
Number of controls tested: 2
Results: Control objective met.

5.7.3 Controls provide reasonable assurance that logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.
Number of controls tested: 7
Results: Exceptions noted. Control objective not met.


5.7.4 Controls provide reasonable assurance that segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles.
Number of controls tested: 1
Results: Control objective met.

5.7.5 Controls provide reasonable assurance that data transmissions between the service organisation and its counterparties (Eagle (accounting system)) are complete, accurate, timely and secure.
Number of controls tested: 2
Results: Control objective met.

5.7.6 Controls provide reasonable assurance that appropriate measures are implemented to counter the threat from malicious electronic attack (e.g. firewalls, anti-virus etc).
Number of controls tested: 4
Results: Control objective met.

5.7.7 Controls provide reasonable assurance that development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented.
Number of controls tested: 1
Results: Control objective met.

5.7.8 Controls provide reasonable assurance that data and systems are backed up regularly, retained offsite and regularly tested for recoverability.
Number of controls tested: 2
Results: Control objective met.

Explanation of control numbering in the detailed control tables which appear under sections 5.1 to 5.6:

The detailed controls and results of testing for each control (excluding IT controls) are set out in the body of the report, which spans sections 5.1 to 5.6.
The relevant controls are tabulated and numbered/referenced sequentially under each control objective, e.g. 5.1.1.1, 5.1.1.2, etc. However, to
distinguish between controls performed by Precious Fund Services Ireland (PFSI), Alternative Administration and all other domestic (South Africa)
business units, “a” and “b” are inserted at the end of the control reference. Where a control reference ends with an “a”, this denotes that it is a PFSI
control. Where a control reference ends with a “b”, this denotes that it is an Alternative Administration control. The remaining control
references, which do not end in an “a” or “b” (e.g. 5.1.1.1) and which represent the majority of the controls tabulated in this report, relate to all other domestic
business units.

Precious Group
ISAE 3402 Type 2 report
31 March 2017

4 Precious Management’s Description of Operations and Internal Controls


This section has been produced by management to provide an overview of their operation and related internal controls.

4.1 Overview of Precious


Precious was launched in 1998 as an investment management firm with the stock broking business following in 1999. Over the years,
Precious has evolved into a partnership of people and companies servicing a broad range of clients. Our business has been structured to
efficiently and seamlessly meet the needs of our clients and the investing community. Being a trend-setter in various fields locally, we've
spread our wings into sub-Saharan Africa, Europe and Asia.
What started as a quantitative investment management business has evolved to include an administration services division, a stock broking arm
that has developed into a niche player, a wealth manager, retail product offerings, a linked life company and retirement products.
The investment management and administrative services are now offered by Precious Investment Management (Pty) Ltd, Precious Life (RF)
Ltd, Precious Fund Services (Pty) Ltd, Precious Fund Services (Ireland) Ltd and Precious Management Company (RF) (Pty) Ltd (collectively
“Precious Group”).
As we expand into new markets and grow the business, we strive to maintain the culture, work ethic and commitment to clients that have
contributed to our success thus far. To manage the growth of the business, we ensure that we are ahead of the curve in terms of
infrastructure, systems and people.
Precious’s founding philosophy was and remains the creation of an organisation that embraces the positive spirit, growth and development
that a partnership with full equity participation in the new South Africa produces.

4.2 Control environment


The control environment is an essential component of an organisation’s governance structure and includes the control consciousness of its
people. It is the foundation for all other components of internal control, providing discipline and structure. The objectives of an internal control
structure are to provide reasonable, but not absolute, assurance as to the integrity and reliability of the financial information, the
protection of assets from unauthorised use or disposition, and that transactions are executed in accordance with management’s
authorisation and client instructions. The management of Precious has established and maintained an internal control structure that
monitors compliance with established policies and procedures.
Precious’s executive management are accountable for monitoring the system of internal control within the business. Precious’s executive
management have implemented an internal control system designed to facilitate effective and efficient operations. The control environment
has been designed to enable management to respond appropriately to significant business, operational, financial, compliance and other
risks. The system of internal control contributes to ensuring adequate control of internal and external reporting and compliance with
applicable laws and regulations.
Precious regards its internal control environment as fundamental to its business strategy. All business development initiatives are required to
adhere to stringent control standards.

The controls and their related operations are described in more detail in this section. In determining the controls and control objectives we
took into account the following criteria:
The risks that threatened achievement of the control objectives stated in the description were identified;
The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control
objectives from being achieved; and
The description of the controls and control environment does not omit relevant information.

4.3 Accepting Clients


Following a successful presentation to a client, the following procedures occur to take on a new client:
A mandate is drafted and signed by the client and Precious. The mandate will normally include the granting of power of attorney over bank and
scrip accounts to Precious. Precious opens a bank account for the client and a scrip account at the same bank. An e-mail is sent to the
client with the bank account details for their own records.
In certain instances a client will prefer to open the account, in which case Precious is notified (the details are, however, still included in the
mandate).
Management fees are agreed with the new client when the mandate is signed by both parties. The management fee can be calculated in
several ways depending on the specific client mandate. These include daily portfolio valuation, monthly portfolio valuation and performance
fees.
On the initial joining of a client, a take-on checklist is completed. On this checklist, one of the sections is whether performance fees are
applicable. Performance fees are only calculated if there is a mandate in place.

PFSI
Standard mandates, which are in line with Irish Central Bank requirements, are entered into and arrangements are made to open custodian
accounts with BNY Mellon, in order to facilitate the take on of client scrip and cash.
Alternative Administration
Investors subscribe by completing the relevant subscription documents, which are signed as proof of acceptance, and the capital is paid into the
documented Fund bank account. All Net Asset Value (NAV) based fees, as defined in the legal agreements of the funds, are agreed with the
Investment Manager upfront and designed into monthly fee calculator workbooks (which integrate into the accounting systems). The NAV based
fees, (which include administration, management and performance fees) are then calculated monthly and are signed off with the Investment
Manager as part of the monthly NAV signoff process.

4.4 Authorising and processing transactions
Transfer of funds/scrip
Transfer of funds/scrip occurs as follows:
Notification is received by the client (e-mail) if a transfer has been made.
Upon notification, the administration department will review the bank and/or custody account to confirm that the transaction has occurred
and positions are reconciled before any trading on that account commences.
Scrip transfers are checked against custody communications. In the case of Standard Bank and Nedbank this is done via online viewing of
scrip balances, whereas for the other banks, balances are confirmed via fax from the custodians.
Once all transactions have been confirmed, approval is given by the administration department to the dealers that trading on the accounts
may commence.
PFSI
Transfers of funds/scrip occur as part of the take on process and are agreed and managed in consultation with the investment manager and
custodian.

Alternative Administration
Transfers of funds/scrip are managed for these funds as part of the launch or go live of these structures to a detailed take on process, and
agreed to the prior administrator book of records and, as applicable, to the investment manager.
Trading process
Orders for the purchase and sale of equities are initiated by the trading team and executed by the brokerage team. A manual deal sheet is
completed by the trading team and signed by an authorised signatory. The deal sheet will stipulate the rate at which the deal is to be
executed by the brokers. The deal sheet is then sent to the portfolio administration team who will upload the deal on Eagle. A copy of the
deal sheet will then be sent to the brokers. The administration team will keep all the deal sheets for the day while they are being executed
by the brokers. Once the trade has been executed the administration team will receive a copy of the broker’s note and match these to the deal
sheets. Any unmatched deals will be investigated by the administration team with the fund manager and/or counterparty and any differences in
the trade details will be updated within Eagle or by the counterparty as necessary.
The administration team is responsible for reconciling swap agreements, broker notes and deal sheets. Settlement instructions are prepared
and sent to the relevant custodians for settlement of the trade only once the trade has been reconciled and matched to the counterparty.
The same control environment is in place for both purchases and sales. Standard Corporate and Merchant Bank, Rand Merchant Bank and
BNP Paribas e-mail Precious a daily booking report, which includes the current position of any derivative instruments held, previous day
derivative positions and trades done. This report is reconciled to the positions on Eagle, updating the portfolio for any trades. The report is also
compared to the deal slip for completeness and accuracy. An Excel spreadsheet is maintained to monitor and reconcile daily cash flows for
mark-to-market and initial margin settlements required with each bank for each account. This reconciliation reconciles Eagle daily
calculated margin amounts against that received by the bank.

Orders for the purchase and sale of money market instruments are initiated and executed by the trading team. A manual deal sheet is
completed by the trading team and signed by an authorised signatory. The deal sheet will stipulate the rate and amount at which the deal is
to be done. The deal will then be executed by the trading team with the counterparty over the phone. The deal sheet is then sent to the
portfolio administration team who will upload the deal on the investment system. If the money market instrument is a new instrument, then the
trading team will create the instrument on Eagle. Dematerialised money market trades are reported to Strate for matching with the
counterparty. The counterparty or Strate will contact the trading team if they find any discrepancies. The administration team will send a
settlement instruction to the custodians to transfer money to the counterparty as per the deal sheet once trade details have been matched at
Strate. A signed settlement instruction will then be sent to the custodian for settlement for physical money market that is not in dematerialised
form. All trades are sent to the custodian for settlement via the DataMatrix tool using SWIFT. DataMatrix is an internal tool that tracks the status
of the trades, identifies trades that are in a “Matched” state with Strate for money market trades and then upon review, the administrator
acknowledges that SWIFT instructions for settlement to the custodian are ready to be sent for all trades that have met the matching criteria with
the counterparty. A manually signed letter of instructions for settlement will be sent to the custodian for execution of physical money market
positions that are not in dematerialised form. The DataMatrix tool will identify traded money market positions whereby the security is
not in dematerialised form. The administrator reviews the status on DataMatrix after importing the trade files and will generate manual letters
for instruction to be reviewed and matched to the deal sheet before being signed by an authorised signatory before they are sent to the
custodian for settlement.
Alternative Administration
The administration of the Hedge Funds typically follows two operating models: the prime broker model or the fund of hedge fund model.
Prime Broker model
Hedge Funds, via their assigned Investment Manager, designate a choice of prime broker(s) and trade via these accounts and any other
platforms as defined in the Fund’s investment management agreement (referred to as the Portfolio Management Agreement for the
Regulated Hedge Funds under Precious Management Company (RF) (Pty) Ltd platform) with the assigned Investment Manager. The
administration of the trading activity is matched and reconciled on a daily basis via the Accounting Systems used, daily Excel workbooks,
to both Investment Manager confirmed trade instructions and to information reported and accounted for, at the applicable Prime Broker(s).
Fund of hedge fund model
Hedge Funds, via their assigned Investment Manager, document an investment policy and liaise with the Administration Team to
transact in compliance with the mandate relating to deals for the purchase and sale of underlying investments, which can include other hedge
funds and various money market transactions. The administration of the trading activity is matched and reconciled on a daily basis via the
Accounting Systems used, daily Excel workbooks, to both Investment Manager confirmed trade instructions and to information reported and
accounted for, at the applicable underlying administrator or custodian of that underlying trade or transaction.
Bank reconciliations
An extract of the bank balances from Eagle is obtained and compared to the bank balance per the electronic banking system positions. For
SCB, Societe Generale, FNB, Bank of New York, Citibank, Standard Bank, JP Morgan and Nedbank bank account balances are saved daily.
The settled cash balances for each client account are sourced from Eagle and updated. Existing reconciliation templates per fund
administrator are then automatically updated and exceptions are highlighted with the use of formulas stored in the file templates. The bank
reconciliation is performed by each fund administrator on a daily basis. All reconciling items are investigated and reasons for reconciling items
are noted on the reconciliation.
Senior Precious staff members review each fund administrator’s account on a weekly basis to ensure that long outstanding reconciling
items are being attended to. Any exceptional outstanding items identified through this process are also taken to the Precious group risk
meetings which are held quarterly, for further review.
Alternative Administration
The administration of all bank accounts of each Hedge Fund is reconciled on a daily basis with a detailed reconciliation process performed at
month end, agreed to third party statements and accounted for daily into the valuation of that Hedge Fund. The monthly reconciliation process
is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist.
Scrip Reconciliations
The administration department reconciles the custodian statement to the portfolio holdings on a monthly basis. Any differences are followed up.
The reconciliations are automated in the administration system, and the custodians’ positions are updated via SWIFT. The report is
completed in Excel in order to bring in external data sources such as Finswitch record of client positions in order to reconcile Manco unit
holdings. Each administrator investigates any reconciling differences and a review is performed by a senior team member.
Alternative Administration
The administration of all custodian accounts of each Hedge Fund is reconciled on a daily basis with a detailed reconciliation process
performed at month end, agreed to third party statements and accounted for daily into the valuation of that Hedge Fund. The monthly
reconciliation process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a
monthly checklist.
Price Feeds
Listed equity and bond prices are received from I-Net Bridge (I-Net) at 15h00 and fund pricing begins at 15h15. Precious also receives
the closing bond yields from BESA for bond instruments. A spreadsheet is maintained with links to I-Net that pulls in the closing prices
directly from I-Net.
For listed bonds, money markets and credit linked notes, an Excel spreadsheet, with links to I-Net to import prices, is maintained. The
prices are compared to the BESA prices for the same time stamp, and any differences will be followed up. Another check that is
performed is to compare the I-Net prices per the Excel spreadsheet to the ICDF file sent by I-Net, to ensure that all prices agree. The
same procedure will be followed for equities, and the closing prices on the spreadsheet will be compared to the I-Net ICDF file to ensure
that the prices agree.
SAFEX and Yieldx prices are included on the I-Net feed, and the daily booking fee report from Standard Bank (the clearing member) is
used to agree the prices imported from the I-Net feed, thereby ensuring that the daily mark to market calculation is correct.
For the unlisted money market securities, a clean price feeds daily from Fincad into Eagle. This happens automatically at 12 o'clock every
day. Eagle will calculate the accrued interest on each money market security and add it to the clean price to get the all-in-market value.
The Fincad tool values all other unlisted instruments. Fincad is a valuation tool, with built in models, to value each type of instrument.
Contract/deal information feeds automatically from Eagle into Fincad. Fincad then uses the daily SWAP curve, built by Precious, together
with deal information from Eagle, and other market related information from Bloomberg to get a clean price per instrument.

For OTC derivatives (Interest Rate Swaps), a clean price feeds twice a day from Fincad into Eagle. This happens automatically at 12 o'clock
and end of business every day. Eagle will calculate the accrued interest on each security and add it to the clean price to get the
all-in-market value.

Contract for Differences (“CFDs”) derivatives are based off equity underlyings, with daily prices obtained from the
I-Net / Bloomberg closing prices feeds and used to price CFDs on a daily basis. These prices are uploaded into Eagle and reconciled
back to Prime Broker data on a daily basis. The pricing of CFDs is then used to calculate daily mark to markets, which are valued in the
underlying funds.

For Fund of Hedge Fund investments, prices are agreed to monthly investment statements received from underlying administrator or
custodians. These unlisted securities are then setup in the Accounting System. The pricing is uploaded into Eagle on a daily basis,
based on the latest available prices received.

Portfolio valuations are reviewed by the administration department and the fund managers on a daily basis for reasonability. A check
that is performed by the fund manager is to ensure that all portfolios within a composite should perform relatively the same. The
reasonability check is performed by comparing today's prices to the previous day, to ensure that all significant movement in prices can
be identified and explained. Fund price movements are compared to the benchmark movement as well as to movements in similar
portfolios. An explanation is sought for large variations above 5% for equities and 0.1% for bonds.

Alternative Administration
Portfolio valuations are reviewed and signed off, based on the dealing frequency of the applicable Hedge Fund. The administration of all
components of each Hedge Fund is reconciled on a daily basis (and evidenced in a daily reconciliation workbook), with a detailed reconciliation
process performed at month end. The Portfolio valuations are accounted for on a daily basis in the Accounting Systems. The monthly valuation
process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist.
Corporate Events
Corporate events notifications, pending for processing, are fed into the Eagle system via a Bloomberg data feed on a daily basis each night.
This is validated with a second source such as a custodian event diary. The event is then approved in the system and the system will then
generate the required journal entries for each client holding applicable. Every corporate event raised in the system is signed off by a senior
staff member and event details are then kept on file. Event entitlements are raised to the client’s account on the ex-date of the event by
the system automatically as part of the system’s scheduled start of day run. Any unallocated income is identified via the bank reconciliation
process.

An entitlement report is received from the custodian by the administration team for items (such as dividends) several days before
settlement is expected. This report serves as a final confirmation that the income event is payable and will be settled shortly. The
entitlement report is checked against the dividends raised on Eagle to ensure that the amount agrees, and also checked against the
payment on settlement date.

Corporate actions on unlisted CFDs are verified to event slides and to Prime Broker records. This reconciliation is performed daily and as
part of the monthly checklist process, the corporate actions on these “manufactured” dividends are checked for accuracy against event
slides, against Prime Broker (PB) election and for completeness, against the Accounting Systems universe of underlying equity corporate
event listings.
Elections regarding corporate events
If a decision regarding an election is to be made then the investment team will make the decision.
The administration department is informed of the decision and in turn notifies the custodian of the election decision via email. The
administration department then monitors the expected receipt of any scrip/cash and ensures that it is included in the scrip holding report/
bank statement.
Investment Income
The daily bank reconciliation process identifies any interest and dividends received. The entitlement report will also highlight dividend/interest
receipts to be expected.
Alternative Administration
System interest accruals are matched to month end third party accruals and statements, and are then adjusted appropriately to match
those statements received, for month end valuation purposes.

Interest
Short term security information is provided by either the fund manager and is referenced with what is available on the JSE website to
create and update instrument details, which determines the interest accrual method for each day.
SAFEX and Yield X derivatives are marked to market daily and agreed to the booking fee reports.
Bond interest is accrued for at the effective rate. Purchased interest is debited against the interest account, and cumulative interest on the
bond is credited to the interest account daily (thus leaving a net credit of accrued interest in the account). The accrual for bond interest
is calculated at a combination of the coupon rate and a pull-to-par rate (the difference between the book yield when purchased and the
coupon rate).
Dividends
Dividend cents per share are obtained from the corporate events spreadsheet maintained by the administration department (updated
from the custodian event advices daily). The dividend will be agreed to the entitlement report obtained from the custodian.
Dividends are accrued for on the portfolios at ex-date.
The bank statements are inspected regularly to ensure that the dividends are received timeously.


Yield curves
Fincad has been programmed to import yield curves from the specific network folder, where these curves are saved, on a daily basis. The
programme can be altered to instruct it to import daily yield curves from a different network location, however, this can only be done by
an authorised staff member. Furthermore, access to programme changes is limited to the Fincad terminal.

4.5 Maintaining financial and other records


Performance Fees
Performance fees are calculated by the fund administrator and/or finance team based on the mandate. The administrator will prepare a
calculation spreadsheet and place the performance criteria on file, along with the date of calculation. The calculation is reviewed by a more
senior staff member. Performance fees are sent for review to the Fund Manager, who is ultimately responsible for validating that the fee
calculation method is appropriate. After they have reviewed the calculation, they will give their authorisation to be billed via email.
Management Fee
At month-end, before the management fees are calculated, Precious ensures that the following processes have been performed:
All trades have been captured;
All income has been raised;
All corporate events have been attended to;
All cash has been applied; and
Securities have been valued.
The calculation of the management fee is maintained in Excel, and the spreadsheet is updated with the management fee percentage as
per the mandate. Once the portfolios have been updated as per above, the market values are captured into the Excel spreadsheet. The
management fee is calculated using an Excel formula, within the password protected spreadsheet.
The finance team prepares a management fee analysis report which forms part of the monthly management accounts.
For a small percentage of clients who do not pay the management fee from their portfolios, the invoice will be sent by email, fax or post.
The management fee will be amended if there are changes to the client's fee arrangements. The Compliance team is the custodian of this
process, and is responsible for ensuring that the finance team is aware of any changes to client mandates (with respect to fees). This ensures
that client fees are always levied at the correct rate.

PFSI
All NAV based fees are calculated in Eagle and accrued in the NAV of each fund on a daily basis. The monthly total is reviewed by the
Fund Accounting Manager and a summary and calculations are sent to each manager for their review. In addition, all performance fee
calculations are sent to the relevant Manager for their review. Once the fees are approved by the Investment Manager a payment is set up
to pay the fees from the fund, and this is then authorised by the Head of Operations. The fee settlement is posted in Eagle by the Fund
Accountant, which is reviewed as part of the daily Fund review process.
Alternative Administration
All NAV based fees, as defined in the legal agreements of the funds, are agreed with the Investment Manager upfront and designed into
monthly fee calculator workbooks which integrate into the accounting systems. The NAV based fees (which include administration,
management and performance fees) are then calculated monthly and are signed off with the Investment Manager as part of the monthly
NAV signoff process.

4.6 Cash management and segregation of assets


Precious maintains day to day bank accounts with Nedbank, SCB, SCMB, Societe Generale, Nedbank Namibia, BNY, BNP Paribas, JP
Morgan, Citi and FNB. The authorised administrator completes an online authorisation before payments are released from the bank accounts.
Bank balances are reconciled on a daily basis and inspected for any unusual movements. Bank reconciliations are prepared weekly and
reviewed by a more senior staff member.
EFT and non-EFT transactions are only authorised after supporting documentation has been inspected (e.g. deal slip, booking fee report,
and invoice). Subsequent settlement of these transactions is monitored through daily bank reconciliations.
EFT payments
Online system platforms are used by Precious for all EFT payments as authorised by the client except for Societe Generale where only fax
instruction is available. EFT transfers are captured by the administration department. It is possible for the same person to capture
and verify/audit an EFT payment, but the person who captures and/or verifies a payment will be unable to authorise a release of the final
payment. Two authorised signatories are required for all EFT transfers (authorised signatories per company resolutions). User profiles are
set up with these controls and restrictions by the banking institutions. They cannot be amended without required authorisation and required
banking protocols.
Non-EFT payments
Societe Generale clients receive non-EFT payment instructions, as do clients that have elected for Precious to send manual instruction
letters to the bank to initiate cash transfers for settlement.
In all cases, the administration department monitors and follows up with banks on all transfers that have been made each day.

PFSI
PFSI maintains Fund bank accounts with BNY Mellon and shareholder bank accounts with Citibank. All payments are made manually and
must be authorised by a second person. Users of the BNYM and Citi online system must be authorised by the Head of Operations, who
also defines the permissions for each user.
All bank accounts are reconciled daily, and the bank reconciliations are also reviewed on a daily basis.
Alternative Administration
All banking rights are set up for the particular bank accounts of the Hedge Fund, as defined by the user rights included in the
Administration Agreement and Power of Attorney documents agreed and signed as part of the take on.
As part of the investment decision of the assigned Investment Manager for each Hedge Fund, bank, custodian and prime broker accounts are
set up in the name of that Hedge Fund. The administration team is responsible to transact and reconcile, as defined upfront. All bank
accounts, custodian accounts and prime broker accounts, as applicable to the particular hedge fund, are in the name of that Hedge Fund
and contracted on, based on the separate legal agreements to each Hedge Fund.

4.7 Monitoring Compliance


Monthly validation checks are performed on all product models to ensure that the client’s investments are being managed in accordance with
client mandates. All compliance breaches will be flagged by the StatPro system and will be followed up by the legal and compliance
department.
All applicable regulations (which include Regulation 28 for Pension Funds, Regulation 30 for Medical Schemes and Notice 80 of the
Collective Investment Schemes Control Act) are monitored and reported on by Precious.
PFSI
As part of its obligations as UCITS Manager and Alternative Investment Fund Manager, PFSI is responsible for monitoring compliance with
investment restrictions. Funds are loaded in the StatPro system which is run by the Precious group’s compliance department in Cape Town,
and all breaches are notified to the Compliance Officer in Dublin. Funds are also monitored separately in an Excel spreadsheet, with all
breaches reported to the Investment Manager and Trustee. PFSI follows up all outstanding breaches to ensure timely resolution.
Alternative Administration
Monitoring compliance is not included as an administration function for Hedge Funds, other than the Regulated Hedge Funds under Precious
Management Company (RF) (Pty) Ltd. These hedge funds are monitored by Compliance on a daily basis to the mandate compliance
requirements, per the applicable Portfolio Management Agreement and to regulatory requirements, as defined in Board Notice 52 of the
Collective Investment Schemes Control Act.

4.8 Reporting to Clients


Prices, units held and market value information is sent to the authorised recipient(s) at each client. The content of daily price / market value
reporting is determined in the client acceptance phase and can be amended by client request from time to time.
Daily transactions reports are sent to authorised client recipients for review.
Monthly administration reports are sent to clients detailing, among other items, a portfolio summary for the month. These reports are prepared
based on the needs of the client; in some instances clients prefer quarterly or annual reports.
Regulation 28 and Regulation 30 reports are generated for clients and are distributed based on the requirements of these regulations.

26
Precious Group
ISAE 3402 Type 2 report
31 March 2017
PFSI
Daily and monthly client reporting is driven by client needs. All clients receive daily NAV reports and if required, additional portfolio reports
are distributed, either on a daily or monthly basis.
PFSI also reports to the Central Bank of Ireland on a monthly and quarterly basis in line with regulatory requirements. Regulatory reports
are prepared by a Fund Accountant and reviewed by the Fund Accounting Manager or Head of Operations before being filed.
Alternative Administration
Monthly reporting packs are sent to authorised client recipients for review before monthly price and market value reporting is sent to the
investors of the applicable Hedge Fund. Such reporting is determined in the client acceptance phase and can be amended by client request
from time to time.
Regulatory reporting is not included as an administration function for the Alternative Funds, other than the Regulated Hedge Funds under
Precious Management Company (RF) (Pty) Ltd. Such regulatory reporting is performed by Compliance as required and as defined in Board
Notice 52 of the Collective Investment Schemes Control Act.

4.9 IT General Control Environment


System Environment
The T-Cube application is administered by Precious IT personnel and hosted in the data centre in Cape Town.
The ThinkFolio application is administered by Precious IT personnel and hosted in the data centre in Cape Town. ThinkFolio is currently utilised
by Regarding Capital Management (Pty) Ltd (ReCM) as a front office modelling, order management system and compliance solution. Precious
performs administration services on Eagle for ReCM, including the administration of ThinkFolio and remote access to the solution. ThinkFolio
interfaces with the Eagle application (portfolio management system).
The Eagle application is hosted offshore (USA) and a separate ISAE 3402 report is available for the IT controls surrounding the Eagle
application which covers the period 1 October 2015 to 30 September 2016. Selected IT controls are performed by a separate division in Ireland.
Service Providers
Based on the risk assessment performed by the service organisation, the activities performed by Eagle Access LLC, Zubat Nine and the
ThinkFolio vendor as per the table below do not sit within Precious Management control and have been carved out.

Service provider: Zubat Nine

Services provided: T-Cube problem and incident management.
Control activities: Incidents and problems are analysed, monitored and resolved by Zubat Nine.

Services provided: T-Cube program change control including technical testing of releases and patches.
Control activities: Zubat Nine will send through releases for system upgrades/changes to Precious. The technical testing and approval relating to the releases are performed by Zubat Nine.

Service provider: Eagle Access LLC

Services provided: Password Configuration settings. Multiple and Unique user ID’s.
Control activities: Password configuration settings, Multiple, Unique and generic user ID’s have been tested as part of the Eagle Access LLC SOC 1 report.

Services provided: Super user access to the Eagle database and Operating System.
Control activities: Super user access to the Eagle database and Operating system is tested as part of the Eagle Access LLC SOC 1 report.

Services provided: Segregation of Duties.
Control activities: Segregation of Duties is tested as part of the Eagle Access LLC SOC 1 report.

Services provided: Change Control management.
Control activities: Change Control to the Eagle application, database and operating system is tested as part of the Eagle Access LLC SOC 1 report.

Services provided: Eagle problem and incident management.
Control activities: Eagle incident and problem management is tested as part of the Eagle Access LLC SOC 1 report.

Service provider: ThinkFolio vendor

Services provided: ThinkFolio problem and incident management.
Control activities: Incidents and problems are analysed, monitored and resolved by ThinkFolio.

Services provided: ThinkFolio program change control including technical testing of releases and patches.
Control activities: ThinkFolio will send through releases for system upgrades/patches to Precious. The technical testing and approval relating to the releases are performed by ThinkFolio.

Services provided: ThinkFolio Segregation of Duties
Control activities: Segregation of Duties is controlled by the external third parties that utilise the application and not by Precious.

Physical Access Controls


Restricted Access
Access to Precious’s buildings is controlled via a biometric access control system at the automatic gate to the building. Visitors are required to
report to reception. Visitors are accompanied into the building by a Precious staff member.
New employees are required to sign the IT policy, after which they are given biometric fingerprint access to required sections of the building
including the server room. Employees’ access is controlled via groups on the access control system, which includes a specific group for
contractors.
Only authorised IT department employees are permitted access to Precious’s server room. Access to the server room is authorised by the
Head of IT and the Head of IT infrastructure. Access to the server room is controlled via biometric scanners. Logs are maintained of all people
who have entered the server room.

Controlled Environment
The data center is housed in a controlled environment that has CCTV cameras, air conditioning, smoke detectors, fire suppression equipment,
raised server racks, fireproof walls and doors and a concrete roof.
The building is maintained by the letting agents. SLAs are in place between the letting agents and the parties responsible for maintenance
(including maintenance of the CCTV cameras, air conditioners, fire extinguishers, generators, smoke detection). The UPS, fire
suppression system, smoke detectors and air conditioning are maintained by Precious, and are serviced and tested bi-annually. The generator is
maintained by Precious and is serviced and tested annually.
Logical Access Controls
Information Security
The responsibility for the information security function has been formally assigned to the Information Systems Security Officer. A formal IT
security policy and IT & Usage policy have been reviewed annually and approved by the Head of IT and the Head of Legal of Precious
management. Each new staff member is required to sign an acknowledgement that they have read and understand the IT security and IT
usage policy which details the user access policies. In addition, the policies are available on the intranet.

Authentication
Precious operates on a Windows IT environment. Access to T-Cube and ThinkFolio is authenticated through Active Directory (AD). Users
have a unique Active Directory account and password. Windows authentication is integrated with Active Directory. Access to the appropriate
applications is controlled via Active Directory security groups.
Password complexity is enforced by Active Directory. In line with Precious’s policy, passwords expire after 42 days and are required to be 8
characters as a minimum length, and accounts are locked after 5 failed login attempts for 30 minutes. Password complexity follows the built-in
Microsoft standard and requires at least 3 of the following: one uppercase, one lowercase, one digit and one special character.
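An added example, not part of the report and not Precious's own tooling: one way a reviewer could check a Windows security-policy export against the password and lockout values stated above. The export text is a constructed sample in `secedit /export` layout, and the function names are hypothetical.

```python
import configparser

# Values stated in the report's Authentication section.
# "max": the setting must not exceed the limit; "min": it must not fall below it.
STATED_POLICY = {
    "MaximumPasswordAge":    ("max", 42),  # passwords expire after 42 days
    "MinimumPasswordLength": ("min", 8),   # 8 characters minimum
    "LockoutBadCount":       ("max", 5),   # lock after 5 failed logins
    "LockoutDuration":       ("min", 30),  # locked for 30 minutes
    "PasswordComplexity":    ("min", 1),   # 1 = Microsoft complexity rule enabled
}

# Sentinel values in a security template that invert the usual ordering.
NEVER = {"MaximumPasswordAge": -1, "LockoutBadCount": 0}  # never expires / never locks
UNTIL_ADMIN_UNLOCK = {"LockoutDuration": -1}              # stays locked until unlocked

# Constructed sample export (not taken from the report).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""


def classify(key, value, direction, limit):
    """Return 'match', 'stricter' or 'weaker' relative to the stated policy."""
    if NEVER.get(key) == value:
        return "weaker"
    if UNTIL_ADMIN_UNLOCK.get(key) == value:
        return "stricter"
    if value == limit:
        return "match"
    if direction == "max":
        return "stricter" if value < limit else "weaker"
    return "stricter" if value > limit else "weaker"


def audit_export(inf_text):
    """Compare the [System Access] section of an export with STATED_POLICY."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), strict=False
    )
    parser.optionxform = str  # keep the template's key casing
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        raise ValueError("export has no [System Access] section")
    section = parser["System Access"]

    findings = {}
    for key, (direction, limit) in STATED_POLICY.items():
        raw = section.get(key)
        if raw is None:
            findings[key] = ("missing", None)
            continue
        try:
            value = int(raw.strip())
        except ValueError:
            findings[key] = ("invalid", raw)
            continue
        findings[key] = (classify(key, value, direction, limit), value)
    return findings


def deviations(findings):
    """Settings an auditor would raise: weaker than stated, missing or unreadable."""
    return sorted(k for k, (status, _) in findings.items()
                  if status in ("weaker", "missing", "invalid"))


if __name__ == "__main__":
    result = audit_export(SAMPLE_EXPORT)
    for name, (status, actual) in result.items():
        print(f"{name:24} {status:9} actual={actual}")
    print("to follow up:", deviations(result))
```

In the constructed sample only the lockout threshold deviates (10 attempts against the stated 5), so it is the single item returned for follow-up.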
The Eagle application is hosted offshore (USA) and a separate ISAE 3402 report is available for some of the IT controls, including password
configuration settings. The report covers the period 1 October 2015 to 30 September 2016.
User administration
In order for new users to gain access to the financial applications Eagle and T-Cube (application and databases), the Head of the Department
(HOD) approves the access. A request for access is logged as a ticket on the Precious service request application. Changes to user access
rights follow the same process.
For internal access to ThinkFolio, a request for access is logged as a ticket on the Precious service request application. The request is approved
by the Business Analyst. The Business Analyst will create the necessary accounts and permissions and notify central IT to create the Active
Directory account and security group access.
For terminations of user access, the Head of Department or Business Analyst for ThinkFolio, is required to send an email notification to IT to
terminate a user’s access setting and the access to be revised, disabled or removed. IT submits a User Exit form to the HOD for completion
and evidence of approval. For ThinkFolio, the Business Analyst will notify central IT to remove the user’s Active Directory account and
permissions. ThinkFolio access is removed thereafter.
Review of access rights
Reviews of the validity and appropriateness of user access permissions for AD, T-Cube and Eagle are performed annually. User access validity
and appropriateness is not reviewed and approved for ThinkFolio.
Administrative access rights
Access to privileged accounts within the operating system is limited to the appropriate personnel for the T-Cube application. The T-Cube
application has built-in segregation of duties controls. Only four IT Managers and a T-Cube developer have direct access to the T-Cube
database through a shared generic user account. Multiple users have administrative access rights to the Eagle application; however, the
“business group” controls what a user is able to see on the relevant accounts. If a user is an admin user and the user is not linked to a
business group, the user cannot effect changes on any entity or portfolio that is not linked to the respective business group. The User groups
assign the associated user rights to the user, further limiting the user rights.
Multiple users have administrative access rights to the ThinkFolio Application. However, the ThinkFolio application has built in segregation of
duties controls. Precious ThinkFolio administrators have full user rights to the system. Only IT staff and the ThinkFolio Administrator have
administrative access to the ThinkFolio database. All IT support staff log into the database server through a shared generic user account. The
password is only known by IT staff. The ThinkFolio Administrator uses Active Directory credentials to access the database.
Segregation of duties
The T-Cube application has built-in segregation of duty controls that prevent a user from capturing and authorising their own transactions.

Information Processing
Automated transmission logs detailing transmission failure or success, are available for client review within the Eagle PACE and Eagle STAR
applications to allow for monitoring of data transmission activity. Monitoring is performed through notification emails that are sent through to
the Operations Team and actioned if necessary. Transmission status is automatically noted in the logs.
Web traffic is filtered through a proxy server. In addition, threat websites are published on the proxy server, which prevents certain websites from
being accessed. A redundant Firewall has been implemented to control all internal and external communication. Public-facing servers are
hosted within a demilitarised zone (DMZ). In the event of failure on the primary Firewall the backup Firewall will take over responsibility for
securing the network.
An anti-virus solution has been implemented on servers, laptops and workstations. A SysLog server has been implemented to allow for
security logging and analysis. These logs are reviewed on an ad-hoc basis and are not formally reviewed on a regular basis.
Program changes
A formal change control policy and procedure is in place. Any changes to the financially significant applications are logged via email with the
third party developers.
Changes to T-Cube are approved by the Head of IT. Once the changes have been developed by the respective third parties, the changes are
loaded into the Precious test environment and business and IT signs off on the test procedures performed.
Internal development work is sometimes required to be performed by the Business Analyst in terms of upgrading the integration layer of the
system to cater for enhancements from the ThinkFolio vendor. There is no documentation or change control process followed for these internal
builds.
Eagle changes, including development, are handled by Eagle systems (LLS). This is included in the Eagle systems ISAE 3402 review performed.
Backup and replication
There is a standard backup procedure document in place.
Full backups are taken on a daily basis and the IT department receives an automated email notification of any backup failures. Precious replicates
off-site to a Disaster Recovery site in Bellville on a daily basis.
A backup checklist is completed on a daily basis as evidence of monitoring backups and replication. The Head System Engineer and Head of IT
sign this off.

Restoration testing
Restoration testing is completed during the annual DR test that is performed. Restoration takes place from the replicated data to the DR site.

Incidents
There is no formal incident management policy document in place with predefined SLA guidelines for incident resolution.
T-Cube incidents are handled by Zubat Nine (an external third party). An email is sent to Zubat Nine via the Business Analyst. The developer
will reply and the necessary action will be undertaken.
Eagle incidents are handled by Eagle systems (LLS). This is included in the Eagle systems ISAE 3402 review performed.
Incidents are monitored in an informal IT meeting on a weekly basis wherein IT related matters are discussed, including incidents. Minutes of
these meetings do not state the detail of the incident discussions.
ThinkFolio incidents are logged on the ThinkFolio customer website. It was noted that clients using ThinkFolio are not PIM or PFS
employees, they are external clients of ReCM.

Business Continuity
Formal Business Continuity and Disaster Recovery Plans are in place. The plans are periodically tested and updated accordingly.

5 Control objectives, control activities and testing operating effectiveness of controls
5.1 Accepting Clients
5.1.1 Controls provide reasonable assurance that complete and authorised client agreements are operative prior to initiating investment activity.

5.1.1.1 Domestic operations

Precious Processes: All new portfolio management agreements comply with the FSB guidelines. All the agreements are signed by the client and an authorised Precious signatory as per the list of authorised signatories. Bank accounts can only be opened in the name of the client once the signed authorisation and FICA documents have been received from the client.

Precious Control Activities: New client agreements are signed by the client and an authorised signatory, which includes compliance with all regulatory requirements. There is a list of authorised signatories which contains both “A” and “B” signatories.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected the agreement for evidence of the client's signature as well as the signature of either an “A” or “B” authorised Precious signatory.
No exceptions noted.

5.1.1.1a PFSI

Precious Processes: All new portfolio management agreements comply with the Central Bank requirements. All the agreements are signed by the client and an authorised PFSI signatory, as per the list of authorised signatories. Only original signed mandates are accepted - no copies are accepted. Bank accounts can only be opened in the name of the client once the fund has been authorised by the Central Bank.

Precious Control Activities: Standard client agreements are used which are signed by authorised signatories only. Agreements are reviewed by the legal advisor to ensure compliance with central bank requirements. A list of authorised signatories is maintained.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected the agreement for evidence of the client's signature as well as the signature of an authorised Precious signatory.
No exceptions noted.

5.1.1.2 Precious Investment Management (“PIM”) Mandates

Precious Processes: A client take-on checklist is maintained for all teams (including: compliance, admin, finance, performance, marketing and portfolio management). A member of the compliance team retains a copy as evidence that all teams have been notified. Client money is invested into set portfolios - the client chooses where they want their money to be invested from a list of portfolios. Mandate parameters are set up on StatPro. The compliance team member sets up the details on StatPro, which is then reviewed by a senior compliance team member.

Precious Control Activities: Client management: a checklist is kept, which has been reviewed by all the teams and by a senior compliance team member.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected the completed signed checklist for evidence of authorisations and review.
No exceptions noted.

5.1.1.2b Alternative Administration

Precious Processes: A client take-on checklist is maintained for all teams (including: compliance, admin, finance, performance, marketing and portfolio management). A signed administration agreement is placed on file, signed by the new client and by designated Precious staff.

Precious Control Activities: Standard client agreements are used which are signed by authorised signatories only.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected the agreement for evidence of the client's signature as well as the signature of an authorised Precious signatory.
No exceptions noted.

5.1.2 Controls provide reasonable assurance that accounts are set up and administered in accordance with client mandates and applicable regulations.

5.1.2.1 Precious Fund Services (“PFS”) (external/third party managers)

Precious Processes: A client take-on checklist is sent to all relevant admin teams and a member of the relevant team signs as evidence of having completed each section as required.

Precious Control Activities: Asset Admin: a signed checklist is kept after successfully loading the fund onto Eagle as evidence of completing the procedures. A new client cannot be loaded on Eagle without a completed take-on checklist.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected the completed signed checklist for evidence of authorisations and review.
No exceptions noted.

5.1.2.1b Alternative Administration

Precious Processes: A client take-on checklist is sent to all relevant admin teams and a member of the relevant team signs as evidence of having completed each section as required.

Precious Control Activities: Asset Admin: a signed checklist is kept after successfully loading the fund onto Eagle as evidence of completing the procedures. A new client cannot be loaded on Eagle without a completed take-on checklist.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected the completed signed checklist for evidence of authorisations and review.
No exceptions noted.

5.1.2.2

Precious Processes: StatPro produces daily breach reports which are sent by the compliance team to the relevant portfolio managers.

Precious Control Activities: The portfolio managers respond to the compliance team via email explaining how they have corrected the breaches. As a breach report is run daily any breaches which have not been cleared will be identified the next day.

BIG4 test procedure and results of testing: Inspection. For a selection of days and breach reports inspected that an email had been received by the compliance team member from the portfolio manager, indicating how any issues raised in the breach report have been resolved.
No exceptions noted.

5.1.2.2a PFSI

Precious Processes: Certain UCITS funds are not suitable for monitoring on StatPro and therefore these are monitored by PFSI outside of StatPro on a daily basis.

Precious Control Activities: The administrator performs daily compliance monitoring on the relevant funds which are not suitable for monitoring on StatPro.

BIG4 test procedure and results of testing: Inspection. Inspected a selection of daily monitoring checks for UCITS funds. Inspected the incident/breach log for the selected sample.
No exceptions noted.

5.1.2.3

Precious Processes: StatPro maintains a log of all breaches and changes to compliance parameters.

Precious Control Activities: The logs produced by StatPro are reviewed by a compliance team member on a daily basis.

BIG4 test procedure and results of testing: Inspection. For a selection of days inspected that a log had been maintained of all breaches and that all breaches had been reviewed by a compliance team member.
No exceptions noted.

5.1.2.4

Precious Processes: Access to StatPro is limited to the compliance team and two other senior members of staff.

Precious Control Activities: Access to StatPro is limited, via unique usernames and passwords, to the compliance team and two other senior members of staff.

BIG4 test procedure and results of testing: Observation. Attempted to log into StatPro using unauthorised log-in details.
No exceptions noted.
Refer also to 5.7.1 and 5.7.3 for additional IT access controls.

5.1.2.5

Precious Processes: Daily breach reports are discussed at the risk committee meetings. Material breaches will be discussed at the audit committee meetings. A summary of the breach logs is included as an annexure to the minutes of the risk committee meeting.

Precious Control Activities: Daily breach reports are discussed at risk committee meetings which are held monthly.

BIG4 test procedure and results of testing: Inspection. For a selection of minutes of the risk committee meeting, inspected evidence of the breach reports being discussed.
No exceptions noted.

5.1.2.6

Precious Processes: Any changes to mandates will be treated as new mandates. The addendum to the agreement will be signed by the client and an authorised signatory at Precious.

Precious Control Activities: The addendum to the agreement will be signed by the client and an authorised signatory at Precious.

BIG4 test procedure and results of testing: Inspection. For a selection of mandate changes, inspected whether the addendum to the agreement had been signed by both the client and Precious.
No exceptions noted.

5.1.2.7 PIM Mandates

Precious Processes: A checklist, similar to what is required for a new take-on, is sent to all the relevant teams if there has been a change to a mandate. A compliance team member then receives the checklist, once it has been completed and signs it as evidence of review.

Precious Control Activities: Each team loads the relevant client changes and signs the checklist (which includes a section dealing with changes to mandates) once the changes have been loaded.

BIG4 test procedure and results of testing: Inspection. For a selection of mandate changes, inspected that a take-on checklist (section dealing with mandate changes) had been completed and reviewed by a compliance team member as evidence of review of the checklist to the system.
No exceptions noted.


5.1.3 Controls provide reasonable assurance that clients’ take-on, including in-specie transfers, are monitored, documented and opening positions are accurately
reported to clients.

5.1.3.1 Life Portfolios

Precious Processes: A take-on checklist is completed and signed as evidence of having completed each section required in respect of loading new life portfolios clients. A policy number is then assigned to the client.

Precious Control Activities: A policy number is assigned by the administration team member after receiving the completed, signed take-on checklist from all the relevant teams.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected that a policy number was assigned after a signed take-on checklist was completed.
No exceptions noted.

5.1.3.2 Segregated Portfolios

Precious Processes: For new segregated portfolio clients, the client will transfer money and send an email instruction noting the exact amount transferred.

Precious Control Activities: The administration team will reconcile the amount per the bank statement to the amount indicated by the client and record, on Eagle, all new segregated clients that have transferred money into the bank account.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected that the amount per the email agrees to what was captured on Eagle.
No exceptions noted.

5.1.3.3 Segregated Portfolios

Precious Processes: The administration team will provide the custodians with a list (received from the client and loaded onto Eagle) of scrip in the new portfolio. Any differences identified in the scrip reconciliation are discussed with the client and the portfolio is only activated by Eagle for trading once the differences have been resolved.

Precious Control Activities: Correspondence with the custodian is maintained confirming that their records agree to the share transfer.

BIG4 test procedure and results of testing: Inspection. For a selection of new client scrip take-on, inspected the email confirmation from custodian confirming the records agree to the share transfer.
No exceptions noted.

5.1.3.4 Segregated Portfolios

Precious Processes: Bank reconciliations are performed on a daily basis by an administration team member.

Precious Control Activities: A comment and date is inserted next to each reconciling item on daily Excel workbook versions. This serves as evidence of follow-up and the number of days for which the reconciling item has been outstanding.

BIG4 test procedure and results of testing: Inspection. For a selection of days, inspected reconciling items that a comment and date had been inserted and there was a comment as evidence of follow up.
No exceptions noted.

5.1.3.5 Collective Investment Schemes

Precious Processes: For all new clients, a signed application form is received via a central email box/fax number.

Precious Control Activities: The signed application form is then processed by a member of the administration team and the application form is stored in the unit registry system once complete.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected that there was an application form that had been sent to the central mailbox and that the application form had been stored in the unit registry system by the administrator team member as evidence of being processed.
No exceptions noted.

5.1.3.5a PFSI

Precious Processes: For all new clients, a signed application form is completed. In specie transfers are coordinated with the investment manager.

Precious Control Activities: A standard application form is used along with a checklist to ensure all necessary steps are completed by a senior team member on the unit registry system.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected completed application forms and the use of the take-on checklist.
No exceptions noted.

5.1.3.6 Collective Investment Schemes

Precious Processes: Signed application forms. Cash is received into the Management Company (Manco) inflow account for new take-ons and transfers.

Precious Control Activities: The signed application form is then processed by a member of the administrator team and signed as evidence of being processed and matched to amount received in the inflow account.

BIG4 test procedure and results of testing: Inspection. For a selection of new clients, inspected that the application form had been signed by the administrator team member as evidence of being processed and was matched to the amount received in the inflow account.
No exceptions noted.

5.1.3.7 Collective Investment Schemes

Precious Processes: Unmatched cash. Cash is received into the Manco/inflow account for new take-ons and transfers.

Precious Control Activities: Bank reconciliations are performed whereby any unmatched cash received Explanations are made next to all the Manco’s reconciling items indicating what they relate to and how they have been resolved – this serves as evidence of follow-up of the reconciling items.

BIG4 test procedure and results of testing: Inspection. For a selection of days, inspected reconciling items, to confirm that notes had been made next to each item as evidence that the item had been reviewed and followed up.
No exceptions noted.

5.1.3.7a PFSI

Precious Processes: Unmatched cash. Cash is received into PFSI’s inflow account, which is reconciled on a daily basis.

Precious Control Activities: On a daily basis the inflow bank account is reconciled to identify any unmatched cash. Each item in the inflow account is aged and an explanation is provided of what the item relates to and how it is being resolved. This serves as evidence of follow-up of the reconciling items.

BIG4 test procedure and results of testing: Inspection. For a selection of days, inspected the bank inflow account reconciliation to confirm that reconciling items are identified and actions are recorded next to each item.
No exceptions noted.


5.2 Authorising and processing transactions


5.2.1 Controls provide reasonable assurance that the responsibility for generating proxy voting instructions is clearly established.

5.2.1.1 Segregated Portfolios

Precious Processes: The responsibility for generating proxy voting instructions is clearly established through signed client mandates which stipulate whether Precious will be given power of attorney to vote on behalf of their clients.

Precious Control Activities: Mandates, which are signed by the client, stipulate that Precious would be given the power of attorney to vote on behalf of the client.

BIG4 test procedure and finding: Inspection. For a selection of mandates, inspected the mandate to confirm that it stipulated that Precious has been given the authority to vote on behalf of the client.
No exceptions noted.

5.2.2 Controls provide reasonable assurance that the investment strategy is implemented in a timely manner.

5.2.2.1

Precious Processes: StatPro produces daily breach reports which are sent to the relevant portfolio managers.
(PFSI: refer to control 5.1.2.2a)

Precious Control Activities: The portfolio managers respond to the compliance team member via email explaining how they have corrected the breaches. As a breach report is run daily any breaches which have not been cleared will be identified the next day.

BIG4 test procedure and finding: Inspection. For a selection of days, inspected that an email had been sent from the portfolio manager to the compliance team member explaining how the issues raised in the breach report have been resolved.
No exceptions noted.


5.2.3 Controls provide reasonable assurance that investment transactions are executed and allocated in a timely and accurate manner

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.2.3.1
Precious Processes: Domestic operations. When a trade is executed or a transaction occurs, an instruction is sent from the investment team to the administration team. The administration team will load the information on Eagle via DataMatrix, Excel upload or manual capture. The administration team will confirm the following day that what appears on Eagle agrees to the broker confirmations. An exception report in DataMatrix identifies unmatched items. If any discrepancies are noted, the administration team member will contact the investment team telephonically to rectify this.
Precious Control Activities: When a trade is executed or a transaction occurs, the relevant information is loaded to Eagle via DataMatrix, Excel upload or manual capture. A separate member of the administration team inspects that the transactions loaded onto Eagle agree to the broker's confirmation. The queue in DataMatrix will be cleared once the electronic matching has occurred.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the DataMatrix queue to confirm that it has been cleared as evidence of review. No exceptions noted.

5.2.3.2
Precious Control Activities: Trades are matched to the broker via SWIFT MT515 and triggers the settlement instruction to the custodian via SWIFT MT541/MT543 controlled via DataMatrix. Once the status on DataMatrix changes to “Processed” it indicates to Precious that the custodian has received the settlement instruction/s.
BIG4 test procedure and finding: Inspection. For a selection of trades, inspected that the status on DataMatrix indicated “Processed”. No exceptions noted.

5.2.3.3
Precious Control Activities: Custodians will notify PFS of any unmatched trades i.e. not matched within the market deadlines. Matching occurs daily. Where there are no unmatched trades an email will not be received.
BIG4 test procedure and finding: Inspection. For a selection of days, confirmed if an email had been received or not and corroborated this with the inspection of the DataMatrix queue to confirm that it has been cleared as evidence of review and follow up.

5.2.3.4a
Precious Processes: PFSI. Trades are updated through a combination of automated uploads through Thinkfolio and manual processes. This involves receiving a trade file from the broker and uploading it to Eagle and the custodian’s nominated system, for settlement.
Precious Control Activities: The administrator reviewing the fund will compare the Eagle transactions listing with the transaction listing from the broker, after loading it. In addition, the trades loaded to the custodian’s system are authorised by a separate person and this includes a check of trades loaded against the trade file.
BIG4 test procedure and finding: Inspection. Obtained the list of authorised users and compared it to an Instruction Capture Report from the Custodian's portal ("WorkBench"). Inspected that the trades were authorised by a separate person. No exceptions noted.

5.2.3.5
Precious Processes: For all domestic clients. Scrip reconciliations are performed by the administration team on a monthly basis for all local and foreign assets.
Precious Control Activities: A monthly scrip reconciliation report is generated out of Eagle, once positions have been matched against SWIFT MT535 positions, as received from custodians an email is sent to all relevant staff members to confirm that the exception reconciliation report was produced and is available for review by the account administrator. A senior operations team member will review that explanations have been provided by the account administrator to address the differences identified, by the end of the month.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected email correspondence from a senior member in the administration team noting review of the reconciling items in the scrip reconciliation. No exceptions noted.

5.2.3.6a
Precious Processes: For PFSI clients. PFSI carries out scrip reconciliations (Eagle versus custody records) on a daily basis. These reconciliations are reviewed by a separate person as part of the process to review the funds on a daily basis.
Precious Control Activities: Daily scrip reconciliations are performed and are reviewed as part of the daily fund review process, by a senior person.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the scrip reconciliation performed, to confirm that the daily fund review was performed by a senior person. No exceptions noted.

5.2.3.7b
Precious Processes: Alternative Administration. The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process. On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.
Precious Control Activities: Daily reconciliations are performed with monthly reconciliations reviewed as part of the fund review process, by a separate person. A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding. The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Funds’ valuation, which incorporates the above controls.
BIG4 test procedure and finding: Inspection.
1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.
2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.
No exceptions noted.

5.2.4 Controls provide reasonable assurance that investment and related cash transactions are completely and accurately recorded.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.2.4.1
Precious Processes: Segregated Portfolios. Bank reconciliations are reviewed on a daily basis by an administration team member.
Precious Control Activities: A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding.
BIG4 test procedure and finding: Inspection. For a selection of bank reconciliations, inspected reconciling items to confirm that a comment and date had been inserted as evidence of follow up. No exceptions noted.

5.2.4.2
Precious Processes: Scrip reconciliations are performed by the administration team on a monthly basis for all local and foreign assets.
Precious Control Activities: A monthly scrip reconciliation report is generated out of Eagle, once positions have been matched against SWIFT MT535 positions, as received from custodians an email is sent to all relevant staff members to confirm that the exception reconciliation report was produced and is available for review by the account administrator. A senior operations team member will review that explanations have been provided by the account administrator to address differences identified, by month end.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected email correspondence from a senior member in the administration team noting review of the reconciling items in the scrip reconciliation. No exceptions noted.

5.2.4.3
Precious Processes: Collective Investment Schemes. Each member in the administration team is responsible for their own portfolio of bank reconciliations.
Precious Control Activities: A member of the administration team maintains a spreadsheet of all bank reconciliations. A second team member, the fund administrator, reviews the bank reconciliation by documenting the reason for the reconciling items.
BIG4 test procedure and finding: Inspection. For a selection of bank reconciliations, inspected the bank reconciliation for reconciling items that a comment had been inserted as evidence of follow up. No exceptions noted.

5.2.4.4
Precious Processes: A senior team member will review the reconciliations on a weekly basis.
Precious Control Activities: The senior administration staff member reviews all bank reconciliations on weekly basis and signs off as evidence of review.
BIG4 test procedure and finding: Inspection. For a selection of weeks, inspected that there was evidence of review of the daily reconciliations by inspection of signature of the senior admin team member. No exceptions noted.

5.2.4.5a
Precious Processes: PFSI. Bank reconciliations are performed on a daily basis between Eagle and the relevant bank account(s). All reconciliations are prepared in one workbook and therefore are reviewed together.
Precious Control Activities: Daily cash/bank reconciliations are performed and reviewed by a separate reviewer.
BIG4 test procedure and finding: Inspection. For a selection of daily bank reconciliations, inspected the reconciliation for comments inserted as evidence of the reconciliation having been performed and reviewed. No exceptions noted.
Refer also to 5.2.3 for additional controls over recording of investment and cash transactions.

5.2.4.6b
Precious Processes: Alternative Administration. The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process. On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.
Precious Control Activities: Daily reconciliations are performed with monthly reconciliations reviewed as part of the fund review process, by a separate person. A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding. The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above components.
BIG4 test procedure and finding: Inspection.
1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.
2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.
No exceptions noted.

5.2.5 Controls provide reasonable assurance that corporate actions are processed and recorded accurately and in a timely manner.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.2.5.1
Precious Processes: Election of corporate events. Eagle receives a notification (“call”) from Bloomberg which will notify the administration team of any corporate events which will take place in the following week. The administration team will then compare the corporate events diary with the Bloomberg call.
Precious Control Activities: The portfolio manager makes the corporate event election and sends an e-mail instruction to the administration team. An election form is completed and signed by an “A” and “B” signatory.
BIG4 test procedure and finding: Inspection. For a selection of elective corporate actions, inspected email evidence of the instruction received from the portfolio manager indicating election of the corporate event and signed by an A and B signatory. No exceptions noted.

5.2.5.2
Precious Control Activities: Eagle will receive a “call” from Bloomberg at the end of each week which will indicate the corporate events that occur in the following week, and identifies any shares which Precious or its clients hold.
BIG4 test procedure and finding: Inspection. For a selection of weeks, inspected a “call” received by Eagle and confirmed it was sent by Bloomberg. No exceptions noted.

5.2.5.3
Precious Control Activities: The administration team will compare the Bloomberg “call” to the corporate events diary. The corporate event election is reviewed by the administration team and signed as evidence of review.
BIG4 test procedure and finding: Inspection. For a selection of elective corporate events that had been loaded on Eagle, inspected that the events had been reviewed and signed as evidence of review. No exceptions noted.

5.2.5.4a
Precious Processes: PFSI. PFSI receives a daily custodian report detailing any corporate events. The chosen option is communicated to the investment manager via email. PFSI enters the chosen option on the custodian’s portal.
Precious Control Activities: The option chosen is authorised on the custodian’s portal by a second person, who checks that the correct option has been selected.
BIG4 test procedure and finding: Inspection. For a selection of dates, inspected that the corporate action selection was authorised by a separate administrator on the custodian portal. No exceptions noted.

5.2.5.5a
Precious Processes: PFSI. Income/dividend reconciliations are performed on a daily basis. Data is received from Bloomberg and booked into Eagle.
Precious Control Activities: Daily income/dividend reconciliations are performed to check positions against custodian records.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the income/dividend reconciliation to check that it was performed. No exceptions noted.

5.2.5.6b
Precious Processes: Alternative Administration. The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process. Income/dividend reconciliations are performed on a daily basis. Data is received from Bloomberg and booked into Eagle.
Precious Control Activities: Daily income/dividend reconciliation to check amounts against bank, custodian and prime broker records. On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds. The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above components.
BIG4 test procedure and finding: Inspection.
1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.
2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.
No exceptions noted.

5.2.6 Controls provide reasonable assurance that proxy voting instructions are generated and recorded and carried out accurately and in a timely manner.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.2.6.1
Precious Processes: The administration team will complete the proxy voting instruction (yes, no or abstain) based on information received from the investment team. This instruction will detail how the investment manager intends to vote at the relevant meeting. The instruction is signed by both "A" and "B" signatories as evidence of review before it is sent to the custodian.
Precious Control Activities: The instruction is signed by both "A" and "B" signatories as evidence of review before it is sent to the custodian.
BIG4 test procedure and finding: Inspection. For a selection of corporate actions, inspected email evidence of the instruction received from the portfolio manager indicating election of the corporate event and signed by "A" and "B" signatories. No exceptions noted.
(PFSI: refer to control 5.2.5.4a)

5.2.6.2b
Precious Processes: Alternative Administration. In addition to 5.2.6.1, for any corporate actions relating to prime broker created derivatives, the administration team carries out reconciliations (as part of a daily NAV reconciliation workbook, consisting of reconciliations from Eagle versus bank, custodian and prime broker records) on a daily basis to identify such corporate actions and related proxy voting nominations. Income/dividend reconciliations are performed on a daily basis. Data is received from Bloomberg and booked into Eagle.
Precious Control Activities: Prime Broker nominations with the underlying investment manager is typically captured directly onto the Prime Broker records. Therefore daily income/dividend reconciliation is performed against bank, custodian and prime broker records, to capture the correct corporate action. Daily income/dividend reconciliations are performed to check positions against bank, custodian and prime broker records. On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds. The Fund Administrator is responsible for sending a monthly email to the Hedge Funds’ underlying designated Investment Manager for approval of the Funds’ valuation, which incorporates the above controls.
BIG4 test procedure and finding: Inspection.
1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.
2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.
No exceptions noted.

5.2.7 Controls provide reasonable assurance that client new monies and withdrawals are processed and recorded completely and accurately and that withdrawals are appropriately authorised

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.2.7.1
Precious Processes: Collective Investment Schemes. A contribution (top-up form) is sent by the client to purchase additional units.
Precious Control Activities: For the purchase of additional units, a signed top-up form and/or email notification of inflows is received from the client.
BIG4 test procedure and finding: Inspection. For a selection of contributions (top-ups), inspected the email notifications and/or the signed top up forms received from the clients. No exceptions noted.

5.2.7.2
Precious Processes: The clients must deposit the purchase consideration prior to sending the request for additional units.
Precious Control Activities: Clients attach proof of payment along with the top-up form.
BIG4 test procedure and finding: Inspection. For a selection of contributions (top-ups), inspected that the proof of payments were attached to the emails received from clients. No exceptions noted.

5.2.7.2.a
Precious Processes: PFSI. A standard subscription application and checklist is completed. The checklist is signed by the reviewer/approver. Monies are deposited into the PFSI inflow account.
Precious Control Activities: Subscription checklists are completed to ensure all relevant steps completed. The checklist is reviewed by a second person.
BIG4 test procedure and finding: Inspection. For a selection of subscription transactions, inspected the completion of the subscription checklist and evidence of review by a second person (checklist authoriser). No exceptions noted.

5.2.7.2.b
Precious Processes: Alternative Administration. A standard subscription application and checklist are completed. The checklist is signed by the reviewer/approver. Monies are deposited into the PFS Alternative Administration inflow account. For CIS Hedge Funds, the same process as listed above under “Collective Investment Schemes” is followed.
Precious Control Activities: Subscription checklists are completed to ensure all relevant steps completed. The checklist is reviewed by a second person.
BIG4 test procedure and finding: Inspection. For a selection of checklists, inspected that the checklist has been completed and signed off as evidence of review and inspected the bank statement noting deposit of money. No exceptions noted.

5.2.7.3
Precious Processes: For any withdrawal of units, a signed redemption form is sent by the client to Precious.
Precious Control Activities: A redemption form is attached for all withdrawals of units.
BIG4 test procedure and finding: Inspection. Inspected, for a selection of withdrawals, that redemption forms were received from the clients, indicating the amount to be disinvested. No exceptions noted.
Refer to 5.1.2.6 for controls over changes to any client details.

5.2.7.3a
Precious Processes: PFSI. A standard form and checklist is completed for all redemption requests.
Precious Control Activities: A redemption checklist is used to ensure that all relevant steps are performed for withdrawals. The checklist is reviewed by a separate person.
BIG4 test procedure and finding: Inspection. Inspected, for a selection of withdrawals, that a redemption checklist was completed and reviewed by the checklist authoriser. No exceptions noted.

5.2.7.3bi
Precious Processes: Alternative Administration. For any withdrawal of units, a signed redemption form is sent by the client to Precious. For CIS Hedge Funds, the same process as listed above under “Collective Investment Schemes” is followed.
Precious Control Activities: A redemption form is attached for all withdrawals of units.
BIG4 test procedure and finding: Inspection. For a selection of redemption forms inspected that the details are correct as signed off as evidence of review. No exceptions noted.

5.2.7.3bii
Precious Processes: Alternative Administration. A standard form and checklist is completed for all redemption requests. For CIS Hedge Funds, the same process as listed above under “Collective Investment Schemes” is followed.
Precious Control Activities: A redemption checklist is used to ensure that all relevant steps are performed for withdrawals. The checklist is reviewed by a separate person.
BIG4 test procedure and finding: Inspection. For a selection of redemption checklists, inspected that it was signed off as evidence of review. No exceptions noted.

5.2.7.4
Precious Processes: Clients are paid out via EFT for redemptions that have been received.
Precious Control Activities: “A” and “B” signatories are required for the authorisation of any EFT payments.
BIG4 test procedure and finding: Inspection. For a selection of redemption forms, inspected that both an "A" and "B" signatories authorised an EFT payment. No exceptions noted.

5.2.7.4a
Precious Processes: PFSI. Clients are paid out via EFT for redemptions that have been received.
Precious Control Activities: The first person sets up the payment (first level signatory) and the second authoriser releases payment (second level).
BIG4 test procedure and finding: Inspection. Inspected, for a selection of withdrawals, two person authorisation for the release of the EFT. No exceptions noted.

5.2.7.4b
Precious Processes: Alternative Administration: Clients are paid out via EFT for redemptions that have been received. For CIS Hedge Funds, the same process as listed above under “Collective Investment Schemes” is followed.
Precious Control Activities: “A” and “B” signatories are required for the authorisation of any EFT payments. The first person sets up the payment (first level signatory) and the second authoriser releases payment (second level).
BIG4 test procedure and finding: For a selection of redemptions, inspected that all payments were authorised by A and B signatories to confirm authorisation of payment. No exceptions noted.

5.2.7.5
Precious Processes: Bank reconciliations are performed by the administration members on a daily basis. A senior team member will review the reconciliations on a weekly basis.
Precious Control Activities: The senior administration staff member reviews the total bank reconciliations on weekly basis and signs off as evidence of review.
BIG4 test procedure and finding: Inspection. Inspected, for a selection of weeks, that there was evidence of review of the weekly reconciliations by inspection of the signature of the senior admin team member. No exceptions noted.

5.3 Maintaining financial and other records

5.3.1 Controls provide reasonable assurance that investment income is recorded accurately, completely, and in the proper period.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.1.1
Precious Processes: A custodian statement is received on a daily basis and a member of the administration team reconciles the investment income per the custodian statement to the amounts per Eagle.
Precious Control Activities: The administrator reconciles (by marking all coupon payments listed on the reconciliation) the investment income amounts per Eagle against the custodian statement.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected evidence that the reconciliation was performed. For a selection of bank reconciliations, inspected that a comment and date had been inserted as evidence of follow up (as per sections 5.2.4 and 5.3.4.1) captured by the custodian. No exceptions noted.
(Note - The bank reconciliation process, as described in section 5.2.4 and 5.3.4.1, would identify any discrepancies between the cash settled amounts and amount per Eagle. These bank reconciliations are performed on a daily basis.)

5.3.1.1b
Precious Processes: Alternative Administration. The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process. Income/dividend reconciliations are performed on a daily basis. Data is received from Bloomberg and booked into Eagle.
Precious Control Activities: Daily income/dividend reconciliation to check amounts against bank, custodian and prime broker records. On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds. The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above components.
BIG4 test procedure and finding: Inspection.
1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.
2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.
No exceptions noted.

5.3.1.2
Precious Processes: Election of corporate events. The portfolio manager makes the corporate event election on an election form.
Precious Control Activities: An email instruction is sent by the portfolio manager to the administration team.
BIG4 test procedure and finding: Inspection. For a selection of corporate events, inspected email evidence of the instruction received from the portfolio manager indicating the corporate event election. No exceptions noted.
(PFSI: refer to 5.2.5.4a and 5.2.5.5a).

5.3.1.3
Precious Processes: Eagle receives a notification (“call”) from Bloomberg which will notify the administration team of any corporate events which will take place in the following week. The administration team will then compare the corporate events diary with the Bloomberg call.
Precious Control Activities: The portfolio manager makes the corporate event election on an election form. An election form is signed by an “A” and “B” signatory.
BIG4 test procedure and finding: Inspection. For a selection of corporate events, inspected a corporate event election form and noted that it had been signed by the relevant authorised signatories of Precious. No exceptions noted.

5.3.2.1
Precious Processes: Domestic operations. There is a daily automated feed from Fincad to Eagle. Fincad provides prices for all unlisted money market and bonds instruments.
Precious Control Activities: Pricing sheets in Fincad cannot be altered by unauthorised users.
BIG4 test procedure and finding: Re-performance. Attempted to alter the pricing sheets in Fincad, noting whether it was possible to alter using the profile of an unauthorised user. No exceptions noted.

5.3.2.1a
Precious Processes: PFSI. For certain unlisted assets (e.g. credit linked notes), the investment manager provides the pricing data, which is obtained from Bloomberg.
Precious Control Activities: As part of the overall pricing review, the reviewer will check the prices of unlisted assets against the data received from the investment manager. The reviewer also performs a reasonableness check during the process.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the pricing movement files produced and reasonableness check performed. No exceptions noted.
(A further control is described under 5.3.2.2a)

5.3.2 Controls provide reasonable assurance that investments are valued using current prices obtained from independent external pricing sources or determined according to approved pricing policies and procedures for fair values in circumstances where independent sources are not available.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.2.1b
Precious Processes: Alternative Administration. For certain unlisted assets (e.g. fund of hedge fund prices) the administration team sources those prices from the underlying fund administrator and performs a monthly reconciliation on the holdings and prices to the obtained monthly investment statements obtained.
Precious Control Activities: As part of the overall monthly price and position reconciliation process, the reviewer will check the prices and quantities of the unlisted assets against the price received from the underlying fund administrator and signed off on the monthly checklist.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected the monthly checklist for signature sign off as evidence of review. No exceptions noted.

5.3.2.2
Precious Processes: Domestic operations. A daily price reasonability check is performed on the portfolios by a member of the investment team by comparing the previous day’s price to the current day’s price. Appropriate benchmarks are used for each type of instrument.
Precious Control Activities: A daily price reasonability check on portfolios is performed by a member of the investment team and all price variances are indicated in an email.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected that there was an email sent by a member of the investments team noting review of the price variances of all portfolios. No exceptions noted.

5.3.2.2a
Precious Processes: PFSI. A pricing reasonableness test is performed on a daily basis.
Precious Control Activities: The pricing reasonableness test compares asset pricing movements from one day to the next, against a pre-determined threshold.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the pricing movement files produced and reasonableness check performed. No exceptions noted.

5.3.3 Controls provide reasonable assurance that investments are valued using market-related spreads and accurate yield curves.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.3.1
Precious Processes: Yield Curves. Portfolios returns are reviewed on a daily basis to identify excessive/abnormal returns which would result from any unauthorised alterations of credit spreads or the yield curve.
Precious Control Activities: An email is sent from the investment team member to the administration team member on a daily basis to confirm review of the portfolios returns to identify excessive/abnormal returns which would result from any unauthorised alterations of credit spreads or the yield curve.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected that there was an email sent by a member of the investment team as evidence of review of the price variances of all funds. No exceptions noted.

5.3.4 Controls provide reasonable assurance that cash and investment positions are completely and accurately recorded and reconciled to third party data.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.4.1
Precious Processes: Segregated Portfolios. Bank reconciliations are performed on a daily basis by an administration team member.
Precious Control Activities: A comment and date is inserted next to each reconciling item. This serves as evidence of follow-up and the number of days for which the reconciling item has been outstanding.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected reconciling items that a comment and date had been inserted as evidence of follow up. No exceptions noted.

5.3.4.2
Precious Processes: Scrip reconciliations are performed by the administration team on a monthly basis for all local and foreign assets.
Precious Control Activities: A monthly scrip reconciliation report is generated out of Eagle, once positions have been matched against SWIFT MT535 positions, as received from custodians an email is sent to all relevant staff members to confirm that the exception reconciliation report was produced and is available for review by the account administrator. A senior operations team member will review that the account administrators have noted resolutions to address differences identified, by month end.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected the monthly scrip reconciliation to confirm that an email had been sent as evidence of review of the reconciliation. No exceptions noted.

5.3.4.3
Precious Processes: Derivative margin call positions are reconciled on a daily basis.
Precious Control Activities: The banks send a daily statement of positions and this is reconciled by the administration team to the position per the Eagle system on a daily basis.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected the monthly scrip reconciliation to determine whether an email had been sent as evidence of review of the reconciliation. No exceptions noted.

5.3.4.4 Collective Investment Schemes
Precious Processes: Each member in the administration team is responsible for their own CIS bank reconciliation.
Precious Control Activities: A member of the administration team maintains a spreadsheet of all bank reconciliations. A second team member, the fund administrator, reviews the bank reconciliation by documenting the reason for the reconciling items. (PFSI: refer to control 5.2.4.5a)
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the bank reconciliations to ensure that the reconciling items had a reason documented. No exceptions noted.

57
Precious Group
ISAE 3402 Type 2 report
31 March 2017
5.3.4 Controls provide reasonable assurance that cash and investment positions are completely and accurately recorded and reconciled to third party data.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.4.5 Segregated portfolios
Precious Processes: Bank reconciliations are reviewed by the administration team members on a daily basis. A senior team member will review the reconciliations on a weekly basis. Refer also to 5.2.3 for additional controls over recording of investment and cash transactions.
Precious Control Activities: The senior administration staff member reviews all bank reconciliations on a weekly basis and signs off as evidence of review.
BIG4 test procedure and finding: Inspection. For a selection of weeks, inspected that there was evidence of review of the reconciliations by inspection of signature of the senior admin team member. No exceptions noted.

5.3.4.6
Precious Processes: For non EFT payment instructions, as well as clients that have elected for Precious to send manual instruction letters to the bank to initiate cash transfers for settlement, a letter is sent to the bank for payment of SAFEX.
Precious Control Activities: The letter sent to the bank is signed by authorised signatories and sent to the bank with payment instructions.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected that a signed letter was sent to the bank with the client’s instructions. No exceptions noted.

5.3.4.6b Alternative Administration
Precious Processes: The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process. On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.
Precious Control Activities: Daily reconciliations are performed with monthly reconciliations reviewed as part of the fund review process, by a separate person. A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding. The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above components.
BIG4 test procedure and finding: Inspection.
1. For a selection of days inspected the daily reconciliations for reconciling items and comments and dates inserted.
2. For a selection of months inspected the email sent to the underlying investment manager as evidence of approval.
No exceptions noted.


5.3.5 Controls provide reasonable assurance that investment management fees, performance fees are accurately calculated and recorded.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.5.1 Management fees – Segregated funds
Precious Processes: The management fee calculation schedule is prepared by a member of the finance team and included in the monthly management packs for review by a senior finance team member.
Precious Control Activities: A senior member of the finance team reviews the monthly management packs and signs off on the hard copy or sends an email as evidence that the review has been done.
BIG4 test procedure and finding: Inspection. For a selection of monthly management packs, inspected the signature on the hard copy monthly management packs or the email sent by a member of the finance team as evidence that the review has been done.
Exception noted: We found that the management packs had not been reviewed for the month of November 2016.

5.3.5.2
The management fee schedule is password protected.
BIG4 test procedure and finding: Re-performance. Attempted to change the management fee calculation schedule and observed that it was password protected. No exceptions noted.

5.3.5.3 Performance fees
Precious Processes: The performance fee calculation schedule is prepared by a member of the finance team and included in the monthly management packs which are reviewed by a more senior member of the finance team.
Precious Control Activities: The performance fee calculation is reviewed for accuracy by a senior member of the finance team.
BIG4 test procedure and finding: Inspection. For a selection of performance fees inspected the performance fee calculation for evidence of the review by a senior member of the finance team. No exceptions noted.


5.3.5.4 Performance fees
Precious Processes: Subsequent to the review of the fees, the calculation of the fee is sent to an external consultant for confirmation.
Precious Control Activities: The fee is sent to the external consultant for confirmation. The consultant will authorise the deduction of fees outstanding from the portfolio.
BIG4 test procedure and finding: Inspection. For a selection of fees that were sent to external consultants, inspected that an email confirmation was received from the consultant confirming whether the fee is acceptable or not. No exceptions noted.

5.3.5.5 Performance fees
Precious Processes: A list of performance fees is included in the monthly management reporting pack and reviewed by a more senior member of the finance team.
Precious Control Activities: A senior member of the finance team reviews completeness of performance fees, as part of the review of the monthly management reporting pack and signs off the monthly management packs as evidence that the review has been completed.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected the monthly management packs for signature or email sent as evidence of the review of completeness of performance fees by a more senior member of the finance team.
Exception noted: We found that the management packs had not been reviewed for the month of November 2016.

5.3.5.6 Performance fees
Precious Processes: The performance fee calculation methodology schedule is prepared by a member of the finance team and reviewed by a more senior member of the finance team.
Precious Control Activities: As part of the take-on procedures of new clients, the finance team uploads the initial performance fee calculation methodology from the mandate which is reviewed by a more senior finance team member.
BIG4 test procedure and finding: Inspection. For a selection of new clients, inspected evidence of review of the loading of performance fees by a more senior team member. No exceptions noted.

5.3.5.7a PFSI performance fees
Precious Processes: For funds that attract performance fees, calculations are run on a daily and/or monthly basis, with the use of a standard spreadsheet, to identify whether a performance fee should be accrued/posted. Performance fees are also reviewed by the investment manager and reported to the trustees (monthly).
Precious Control Activities: Any performance fees posted are reviewed by a separate person, as part of the review of the funds. This includes an on-screen review of the standard spreadsheet, with additional noting to any data entered manually/capture. Formulae are contained in protected cells.
BIG4 test procedure and finding: Inspection. For a selection of performance fees, inspected evidence of review by the investment manager. No exceptions noted.

5.3.5.8
Precious Processes: For monthly management expenses, the fund manager calculates the expense and sends the calculation to their client for approval. Once approved by their client, the fund manager will send the admin team member a notice to go ahead and settle from the investment account. The admin team will also perform a reasonability check for invoicing requirements to comply with the mandate requirements. The admin team sends the schedule to the fund manager to confirm that the management fee expense data is acceptable. Approval that there are sufficient funds will be given before debiting the client’s accounts in order to credit the fund managers’ corporate account.
Precious Control Activities: The management fee expense is calculated by the fund manager and sent to the administration team via email for reasonability check.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected the email correspondence between the fund manager and a member of the administration team confirming that the management fee expense is acceptable. No exceptions noted.

5.3.5.8a PFSI
Precious Processes: On a monthly basis the Fund Accounting Manager calculates and prepares the management fees and administration fees. Once approved by the Investment Manager, payments from the fund to the manager and administrator are then set up by the fund accountant or fund accounting manager. Details are forwarded to the Head of Operations who approves and releases the payments. Once the payments have been released, the fund administrator is provided with the relevant data to post the fees in Eagle.
Precious Control Activities: All fees are approved by a senior person. The senior person sends an email to the fund administrator to confirm the review and approval of the fees.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected that the management fee calculation was reviewed by a second person as evidenced by a confirmation email. No exception noted.


5.3.5.9
Precious Processes: The member of the administration team sends the management fee expense to the finance team member to capture the fee on Pastel. Pastel generates a sequentially numbered invoice and then the invoice is sent to the fund manager.
Precious Control Activities: The management fee expense is sent to the finance team for capturing on Pastel. Pastel generates a sequentially numbered invoice and the invoice is sent to the fund manager.
BIG4 test procedure and finding: Inspection. For one client, inspected that a sequentially numbered invoice was generated by Pastel. No exceptions noted.

5.3.5.10b Alternative Administration
Precious Processes: On a monthly basis the fund accountant calculates and prepares the administration, management and performance fees. Once approved by a senior member, these are then paid from the fund to the manager and administrator respectively. Once the payments have been released, the fund administrator is provided with the relevant data to post the fees in Eagle.
Precious Control Activities: All fees are included in a detailed fee calculator, per fund and is calculated at a class and series level, as applicable. The Fund Administrator is responsible for preparing this calculator as part of the monthly valuation process. The monthly valuation process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist. The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above controls.
BIG4 test procedure and finding: Inspection. For a selection of months inspected the fee calculator for fees calculated at a class and series level and inspected the monthly checklist for review and sign off of these fees. No exceptions noted.


5.3.6 Controls provide reasonable assurance that issues and cancellations (including switches) of units are recorded completely and accurately, and positions are regularly reconciled.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.6.1
Precious Processes: Instructions which are not processed and for which cash has been deposited by the client will be identified during the bank reconciliation process.
Precious Control Activities: If instructions are not processed, the cash deposited by the client into the inflow account will be identified during the bank reconciliation process.
BIG4 test procedure and finding: Inspection. For a selection of bank reconciliations, inspected the bank reconciliation for comments and dates inserted confirming review of reconciling items. No exceptions noted.

5.3.6.2
Precious Processes: For a client who wishes to redeem their investment, a signed redemption form needs to be received by the administration department before the disinvestment can be processed.
Precious Control Activities: Before a disinvestment is processed and released from being “pending”, a member of the administration team will review what was loaded onto T-cube and reconcile this to the signed redemption instruction received from the client.
BIG4 test procedure and finding: Inspection. For a selection of clients who redeemed their investment, inspected that a redemption form was signed by the client. Inspected for evidence of the review by the administration team member. No exceptions noted.

5.3.6.2a PFSI
Precious Processes: For a client who wishes to redeem their investment, a signed redemption form needs to be received by PFSI before the disinvestment can be processed.
Precious Control Activities: A redemption checklist is completed by the administrator and reviewed by a separate person to ensure that all redemption steps have been completed.
BIG4 test procedure and finding: Inspection. For a selection of redemptions, inspected that redemptions checklists were properly completed and signed off. No exceptions noted.


5.3.7 Controls provide reasonable assurance that fund pricing is accurate and timely.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.7.1 Collective investment schemes
Precious Processes: Funds are flagged on Eagle under the profile of a member depending on whether the pricing for it has completed or not.
Precious Control Activities: Where pricing has not been completed for a particular day, a red flag will remain on Eagle’s Control Centre module/screen, under the profile of the relevant administration team member. Eagle prevents the admin team member from releasing the fund unless it is flagged as green. The team member investigates any items flagged in red or yellow in order to reflect as green before progressing.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected whether funds had the ability to be flagged as either red or green depending on their status, and noted that all funds for that day were flagged as green (i.e. pricing complete). No exceptions noted.

5.3.7.2
Precious Processes: A member of the investment team performs the daily pricing and sends an email to the various portfolio managers. The portfolio managers then send an email to the team member to indicate whether the pricing is reasonable or not.
Precious Control Activities: The portfolio managers will review evidence of the daily pricing via email.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the emails from portfolio manager as evidence that the daily pricing has been reviewed. No exceptions noted.

5.3.7.2a PFSI
Precious Processes: The fund administrator performs a daily pricing reasonableness check.
Precious Control Activities: Refer to review of security pricing reasonableness control 5.3.2.2a. In addition, a NAV reconciliation screen is printed from Eagle indicating the reasons for the price movements. Each item is reviewed and signed off.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the NAV reconciliation screen print out for evidence of review and sign off. No exceptions noted.


5.3.8 Controls provide reasonable assurance that expenses are accurately calculated and recorded in accordance with the requirements of the fund and on a timely basis.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding
5.3.8.1
Precious Processes: For monthly fund management expenses, the fund manager calculates the expense and sends the calculation to the admin team member. The admin team member will perform a reasonability check on the calculation prior to sending it to the finance team and sends the email to the fund manager that the management fee expense is acceptable.
Precious Control Activities: The management fee expense is calculated by the fund manager and sent to the administration team for a reasonability check. (PFSI refer to control 5.3.5.9a)
BIG4 test procedure and finding: Inspection. For a selection of months, inspected the email correspondence with the fund manager and a member of the administration team that the management fee expense is acceptable. No exceptions noted.

5.3.8.2
Precious Processes: The member of the administration team sends the fund management fee expense to the finance team member to capture the fee on Pastel. Pastel generates a sequentially numbered invoice and the invoice is then sent to the fund manager.
Precious Control Activities: The management fee expense is sent to the finance team for capturing on Pastel. Pastel generates a sequentially numbered invoice and the invoice is sent to the fund manager.
BIG4 test procedure and finding: Inspection. For a selection of months, inspected for one client that a sequentially numbered invoice was generated by Pastel. No exceptions noted.

5.3.8.3b Alternative Administration
Precious Processes: On a daily basis the fund accountant processes any invoices received for payment. These invoices are approved by the designated Investment Manager. Thereafter payment is made from the Fund’s bank account based on the user rights setup for that account. Once the payments have been released, the fund administrator is provided with the relevant data to post the fees in Eagle.
Precious Control Activities: All fees are included in a detailed monthly expense summary worksheet. The Fund Administrator is responsible for preparing this calculation as part of the monthly valuation process. The monthly valuation process is performed by the assigned Fund Administrator and reviewed by another Fund Administrator, both evidenced in a monthly checklist. The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above controls.
BIG4 test procedure and finding: Inspection. For a selection of months inspected the fee calculator for fees calculated at a class and series level and inspected the monthly checklist for review and sign off of these fees. No exceptions noted.

5.3.9 Controls provide reasonable assurance that fund distributions are accurately calculated, authorised and recorded, and distributed in a timely manner.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.3.9.1
Precious Processes: A client will make an election on whether to reinvest their distributions or have these distributions paid out. This election is made on the signed application form.
Precious Control Activities: The distribution election is made on the signed application form.
BIG4 test procedure and finding: Inspection. For a selection of clients who had chosen to reinvest their distribution per T-Cube, agreed the reinvestment choice to their signed application form. No exceptions noted.

5.3.9.2
Precious Processes: All distributions are maintained on distribution calendars which are only accessible to the administration team.
Precious Control Activities: Distribution calendars used to load distributions are saved on a shared drive which is accessible to the administration team.
BIG4 test procedure and finding: Inspection. Inspected that the shared drive where the calendars are saved is only accessible to the administration team. No exceptions noted.

5.3.9.3
Precious Processes: Distribution schedule calculations are performed by investment team members.
Precious Control Activities: Distribution calculations are reviewed by a second staff member.
BIG4 test procedure and finding: Inspection. For a selection of funds, inspected evidence of review of a distribution calculation. No exceptions noted.

5.3.9.4
Precious Processes: Distributions are loaded on Eagle and on T-Cube and a reconciliation is performed.
Precious Control Activities: Reconciliations are performed between distributions loaded on Eagle to distributions loaded on T-Cube. The reconciliations are reviewed by a second staff member.
BIG4 test procedure and finding: Inspection. For a selection of funds, inspected evidence of the performance and review of a distribution reconciliation. No exceptions noted.


5.3.9.5
Precious Processes: The distribution calendars set out the distribution timeframe.
Precious Control Activities: A formal timeframe is set for the recording and processing of distributions.
BIG4 test procedure and finding: Inspection. Inspected that a formal timeframe is set for the recording and processing of distributions for a selection of distribution sheets. No exceptions noted.


5.4 Cash management and segregation of assets


5.4.1 Controls provide reasonable assurance that client money is segregated.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.4.1.1
Precious Processes: Bank reconciliations (in respect of unit trust portfolios) are performed on a daily basis by an administration team member.
Precious Control Activities: A comment and date is inserted next to each reconciling item. This serves as evidence of follow-up and the number of days for which the reconciling item has been outstanding. (PFSI: refer to control 5.2.4.5a)
BIG4 test procedure and finding: Inspection. For a selection of days, inspected reconciling items that a comment and date had been inserted as evidence of follow up. No exceptions noted.

5.4.1.2 For all clients
Precious Processes: Scrip reconciliations are performed by the administration team on a monthly basis for all local and foreign assets.
Precious Control Activities: Scrip reconciliations are performed on a monthly basis by the administration team, and are reviewed by a more senior staff member. An email is sent to all relevant staff members to confirm that the review was performed. (PFSI refer to control 5.2.3.6a)
BIG4 test procedure and finding: Inspection. For a selection of months, inspected email correspondence from a senior member in the administration team noting review of the reconciling items in the scrip reconciliation. No exceptions noted.

5.4.1.2b Alternative Administration
Precious Processes: The administration team carries out scrip and cash reconciliations (Eagle versus bank, custodian and prime broker records) on a daily basis. In addition the administration team matches to Investment Manager trades on a daily basis as part of the daily NAV reconciliation process. On a monthly basis these reconciliations are reviewed by a separate person as part of the process to review the funds.
Precious Control Activities: Daily reconciliations are performed with monthly reconciliations reviewed as part of the fund review process, by a separate person. A comment and date is inserted next to each reconciling item. This is an indication of evidence of follow-up and the number of days for which the reconciling item has been outstanding. The Fund Administrator is responsible for sending a monthly email to the Hedge Fund’s underlying designated Investment Manager for approval of the Fund’s valuation, which incorporates the above controls.
BIG4 test procedure and finding: Inspection. For a selection of days, inspected the reconciliations for comments and dates inserted next to reconciling items as evidence of preparation and review. For a selection of months, inspected the monthly checklist for evidence of procedures performed and signed off as evidence of review as well as the email sent to the underlying investment manager as confirmation of approval of the funds’ valuation. No exceptions noted.


5.5 Monitoring Compliance


5.5.1 Controls provide reasonable assurance that client portfolios are managed in accordance with investment mandates.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.5.1.1
Precious Processes: A client take-on checklist is completed for each section (including: compliance, admin, finance, performance, marketing and portfolio management). Client money is invested into set portfolios - the client chooses where they want their money to be invested from a list of portfolios. Mandate parameters are set up on Statpro. The compliance team member sets up the details on Statpro, which is then reviewed by a senior compliance team member.
Precious Control Activities: Each department loads the new client and signs the checklist as evidence of completing the procedures in respect of the new client take-on. A new client cannot be loaded on Eagle without a completed take-on checklist, which has been signed off by all the relevant teams and reviewed by a senior compliance team member.
BIG4 test procedure and finding: Inspection. For a selection of new clients inspected the completed signed checklist for evidence of authorisation and review. No exceptions noted.

5.5.2 Controls provide reasonable assurance that errors and breaches, including mandate breaches, are rectified promptly and accurately.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.5.2.1 Mandates
Precious Processes: Any changes to mandates will be treated as new mandates. The addendum to the agreement will be signed by the client and an authorised signatory at Precious.
Precious Control Activities: The addendum to the agreement will be signed by the client and an authorised signatory at Precious.
BIG4 test procedure and finding: Inspection. For a selection of mandate changes, inspected whether the addendum to the agreement had been signed by both the client and Precious. No exceptions noted.

5.5.2.2
Precious Processes: A checklist, similar to what is required for a new take-on is completed if there has been a change to a mandate.
Precious Control Activities: Each team notes the relevant client changes. A compliance team member then notes the checklist and signs it as evidence of review.
BIG4 test procedure and finding: Inspection. For a selection of mandate changes inspected that a take-on checklist had been completed and reviewed. No exceptions noted.

5.5.3 Controls provide reasonable assurance that pricing and distribution rate errors are rectified in a timely manner.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.5.3.1
Precious Processes: There is a daily automated feed from Fincad to Eagle. Fincad provides prices for all unlisted money market and bonds instruments.
Precious Control Activities: Pricing sheets in Fincad cannot be altered by unauthorised users.
BIG4 test procedure and finding: Inspection. Attempted to alter the pricing sheets in Fincad, noting whether it was possible to alter using the profile of an unauthorised user. No exceptions noted.

5.5.3.2
Precious Processes: A daily price reasonability check is performed on the portfolios by a member of the investment team by comparing the previous day’s price to the current day’s price. Appropriate benchmarks are used for each type of instrument.
Precious Control Activities: A daily price reasonability check on portfolios is performed by a member of the investment team and all price variances are indicated in an email. (PFSI: refer to controls 5.3.2.1a and 5.3.2.2a)
BIG4 test procedure and finding: Inspection. Inspected, for one day, that there was an email sent by a member of the investments team noting review of the price variances of all portfolios. No exceptions noted.

5.5.3.3
Precious Processes: Collective Investment Scheme NAV unit pricing is performed on a daily basis.
Precious Control Activities: All unitised prices are reviewed by an independent administrator on T+1 for any significant day on day % changes. A comment will be sourced from the fund pricing administrator for each unit price change that breaks tolerance.
BIG4 test procedure and finding: Inspection. For a selection of days inspected that there was a comment for each unit price change that breaks tolerance. No exceptions noted.

5.5.3.4
Precious Processes: Income Distribution from Collective Investment Schemes are reviewed prior to distributions.
Precious Control Activities: A schedule is prepared of all components that determine the income distribution rate per fund class. This schedule is reviewed by a senior staff member and signed off before an income rate is declared for distribution.
BIG4 test procedure and finding: Inspection. For a selection of weeks, inspected the schedule for all components that determine the income distribution rate per fund class to confirm that it was reviewed by a senior staff member and signed as evidence of review. No exceptions noted.


5.6 Reporting to Clients


5.6.1 Controls provide reasonable assurance that client reporting in respect of portfolio transactions, holdings and performance, commission and voting is complete and accurate.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding

5.6.1.1 Segregated portfolios
Precious Processes: Each administrator electronically completes the month-end reporting checklist for tasks that fall within their scope. The administrators will provide commentary on the tasks assigned to them.
Precious Control Activities: The administrator electronically documents each task for month-end reporting on a reporting checklist once completed.
BIG4 test procedure and finding: Inspection. For a selection of electronic month end reporting checklists, inspected that each task has been marked as completed by the administrator assigned to each task. No exceptions noted.

5.6.1.1b Alternative Administration
Precious Processes: Each administrator completes the month-end reporting checklist for tasks that fall within their scope. The administrators will provide commentary on the tasks assigned to them.
Precious Control Activities: The administrator documents each task for month-end reporting on a reporting checklist once completed.
BIG4 test procedure and finding: Inspection. For a selection of months inspected the monthly checklists and confirmed that each task had comments inserted. No exceptions noted.


5.7 IT General Control Environment


5.7.1 Controls provide reasonable assurance that physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals.

Reference Precious Processes Precious Control Activities BIG4 test procedure and finding
5.7.1.1 Computer Room and Building Access
Precious Processes: Access to the server room and building is controlled via biometric fingerprint access. Visitors are required to sign a visitor’s register when entering the server room.
Precious Control Activities: Physical access to the server room is restricted to IT Department personnel only.
BIG4 test procedure and finding: Inspection. Performed a walkthrough of the server room and the building and observed that access controls were in place to secure computer networks, equipment, storage media and program documentation. No exceptions noted.

5.7.1.2 Review of server room access
Precious Processes: Access logging to the server room is reviewed on an annual basis by the Head of IT and the Information Systems Security team member.
Precious Control Activities: Access logs are reviewed on an annual basis by the Head of IT and the Information Systems Security team member.
BIG4 test procedure and finding: Inspection. Inspected evidence of the annual server room access review and confirmed that it was signed off by the Head of IT and the Information Systems Security team member. No exceptions noted.

5.7.1.3 Physical Access Administration
Precious Processes: For physical access to the server room, only the Head of IT and the Head of IT Infrastructure can approve access. A request for server room access is logged as a ticket on the Precious service request application. Employees’ access to the server room is controlled by groups on the access control system and only IT employees have access to the server room.
Precious Control Activities: Employees’ access is controlled via groups on the access control system, which includes a specific group for server room access. New server room access requests are approved by the Head of IT and the Head of IT Infrastructure.
BIG4 test procedure and finding: Inspection. For a selection of new user access to the Precious server room, inspected the logged tickets for evidence of approval. Inspected the access group configuration settings to verify that access to the server room was restricted to IT department personnel only. No exceptions noted.


5.7.2 Controls provide reasonable assurance that the physical IT equipment is maintained in a controlled environment.

5.7.2.1 Controlled Environment

Precious Processes:
The server room is housed in a controlled environment.

Precious Control Activities:
The server room has CCTV cameras, air conditioning, smoke detectors, fire suppression equipment, raised server racks, fireproof walls and doors, and a concrete roof.

BIG4 test procedure and finding:
Observation
Performed a walkthrough and observed that environmental controls were in place in the server room.
No exceptions noted.

5.7.2.2 Maintenance of Environmental Controls

Precious Processes:
The Generator is serviced and tested on an annual basis.
The Fire Prevention System, Smoke Detectors, Generator, UPS Systems and Air-conditioning system are serviced and tested on a bi-annual basis.

Precious Control Activities:
A Maintenance log is kept of services to CCTV cameras, the Fire Prevention System, Generator, UPS Systems and Air-conditioning system (IT equipment).

BIG4 test procedure and finding:
Inspection
Inspected maintenance records for the IT equipment to verify that the environmental controls have been serviced and tested for the period under review.
No exceptions noted.

5.7.3 Controls provide reasonable assurance that logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques.

5.7.3.1 IT Security Policy and IT & Usage Policy

Precious Processes:
The IT Security Policy and the IT & Usage Policy are reviewed on an annual basis and approved by the Head of IT and the Head of Legal of Precious management.
The IT Security Policy and the IT & Usage Policy are available on the Intranet.

Precious Control Activities:
The IT Security Policy and the IT & Usage Policy are updated on an annual basis and are approved by Precious management.

BIG4 test procedure and finding:
Inspection
Inspected the IT Security Policy and the IT & Usage Policy and noted that the policies were reviewed and approved by the appropriate level of management during the period under review.
Performed a walkthrough and observed that the policies are located on the Intranet.
No exceptions noted.

5.7.3.2 AD authentication

Precious Processes:
Access to T-Cube and ThinkFolio is controlled via an AD group, and hence the AD password parameters apply.
User authentication takes place at first logon via Active Directory (AD).
Password parameters are enforced and include:
‐ Minimum password length (8 characters)
‐ Password expiry (every 42 days)
‐ Account lockout restrictions (after 5 invalid login attempts)
‐ History: 6
‐ Lockout duration: 30 minutes
Password complexity is built in Microsoft standard and includes at least 3 of the following: one uppercase, one lowercase, one digit and one special character.

Precious Control Activities:
Users are required to log on to access the applications. Password settings are enforced on Active Directory, T-Cube, and ThinkFolio.

BIG4 test procedure and finding:
Inspection
Inspected a screenshot of the password parameters for AD to verify that the password parameters were implemented per the control description.
No exceptions noted.


5.7.3.3 User access

Precious Processes:
An IT Security Policy which details the user access policies is in place.
T-Cube and Eagle
In order for new users to gain access to T-Cube and Eagle (application and database), the Head of Department approves the access. A request for access is logged as a ticket on the Precious service request application.
The same process is followed for changes to access rights.
ThinkFolio
For internal access to ThinkFolio, a request for access is logged as a ticket on the Precious service request application. The request is approved by the Business Analyst and actioned by the Business Analyst and the IT Team.

Precious Control Activities:
New and modified user access is approved prior to being granted on the system and is in line with job responsibilities.

BIG4 test procedure and finding:
Inspection
For a selection of new and modified users, obtained and inspected the User Access Request tickets and confirmed that the requests were approved by the Head of Department/Business Analyst.
No exceptions noted.


5.7.3.4 Termination of access

Precious Processes:
In order to terminate a user’s access, IT requires an email from the Head of Department (HOD), or Business Analyst for ThinkFolio, notifying the IT team of a staff member that will be leaving the organisation at a specific date. IT submits a User Exit form to the HOD for completion and evidence of approval. Once received, the access will be disabled or removed.
Immediately upon termination but rather changed to a default password known only to the IT department, and removed after 6 months.
For those employees in sensitive job functions, access is removed immediately upon resignation/termination. A user is prompted to change their password on first login onto the system.

Precious Control Activities:
Users who terminate employment or transfer job functions are removed in a timely manner from the application and database.

BIG4 test procedure and finding:
Inspection
Obtain a list of all users whose access was terminated from Precious for the period under review from HR and compare it to a list of all active users on the in scope applications to determine if any terminated users still have access and whether users were terminated in a timely manner.
Exceptions noted
The user accounts for two Eagle Access users who have left the organisation have not been locked and terminated.


5.7.3.5 Multiple, Unique and Generic user IDs

Precious Processes:
Users are assigned unique user IDs on Eagle, T-Cube and ThinkFolio.
Users are only assigned one user ID on Eagle, T-Cube and ThinkFolio.
No generic accounts are granted access unless authorised for all applications.

Precious Control Activities:
User IDs are unique and users are not assigned multiple accounts. No generic user IDs are active, they are valid and have been authorized by management.

BIG4 test procedure and finding:
Inspection
Obtained a list of all users on the applications and inspected it for duplicated user IDs, multiple user IDs assigned to one person and generic user accounts.
Exception noted
2 multiple user IDs (for 1 user) have been identified on the Eagle Access application and 4 multiple user IDs (for 2 users) have been identified on the T-Cube application.
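
The test procedures in 5.7.3.4 and 5.7.3.5 both come down to reconciling an HR leaver list against application user extracts. The Python sketch below is an added illustration and is not part of the report or of the auditor's tooling; the CSV column names, the generic-name list and the 7-day threshold for "timely" are assumptions, and the sample data is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample extracts; the column names are assumptions for this example.
HR_LEAVERS_CSV = """employee_id,last_day
E1001,2017-02-10
E1002,2017-02-24
E1003,2016-11-30
"""
APP_USERS_CSV = """application,user_id,employee_id,status,disabled_on
Eagle,amokoena,E1001,active,
Eagle,bnaidoo,E1002,disabled,2017-03-31
Eagle,cbotha,E1003,disabled,2016-11-30
T-Cube,dsmith,E1004,active,
T-Cube,dsmith2,E1004,active,
T-Cube,admin,,active,
ThinkFolio,jdoe,E1005,active,
ThinkFolio,JDoe,E1006,active,
"""
GENERIC_NAMES = {"admin", "administrator", "root", "sa", "support", "test"}  # assumption
MAX_DAYS_TO_DISABLE = 7  # assumption: the report does not quantify "timely"


def load(text):
    """Parse a CSV extract into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def leaver_exceptions(leavers, accounts, extract_date, max_days=MAX_DAYS_TO_DISABLE):
    """5.7.3.4: leavers' accounts that are still active or were disabled late."""
    last_day = {r["employee_id"]: date.fromisoformat(r["last_day"]) for r in leavers}
    findings = []
    for acc in accounts:
        left = last_day.get(acc["employee_id"])
        if left is None or left > extract_date:
            continue  # not a leaver as at the extract date
        where = (acc["application"], acc["user_id"])
        if acc["status"] == "active":
            days = (extract_date - left).days
            findings.append(where + (f"still active {days} days after last day",))
        elif not acc["disabled_on"]:
            findings.append(where + ("disabled but no disable date recorded",))
        else:
            lag = (date.fromisoformat(acc["disabled_on"]) - left).days
            if lag > max_days:
                findings.append(where + (f"disabled {lag} days after last day",))
    return findings


def identity_exceptions(accounts, generic_names=GENERIC_NAMES):
    """5.7.3.5: duplicate IDs, multiple IDs per person, generic or unowned accounts."""
    by_id = defaultdict(list)     # (application, lower-cased user ID) -> rows
    by_person = defaultdict(set)  # (application, employee) -> user IDs held
    findings = []
    for acc in accounts:
        if acc["status"] != "active":
            continue
        app, uid, emp = acc["application"], acc["user_id"].lower(), acc["employee_id"]
        by_id[(app, uid)].append(acc)
        if emp:
            by_person[(app, emp)].add(uid)
        if uid in generic_names or not emp:
            findings.append((app, "generic", uid))
    for (app, uid), rows in by_id.items():
        if len(rows) > 1:
            findings.append((app, "duplicate_id", uid))
    for (app, emp), uids in by_person.items():
        if len(uids) > 1:
            findings.append((app, "multiple_ids", emp + ":" + ",".join(sorted(uids))))
    return sorted(findings)


if __name__ == "__main__":
    leavers, accounts = load(HR_LEAVERS_CSV), load(APP_USERS_CSV)
    for finding in leaver_exceptions(leavers, accounts, date(2017, 3, 31)):
        print("LEAVER  ", *finding)
    for finding in identity_exceptions(accounts):
        print("IDENTITY", *finding)
```

Comparing user IDs case-insensitively and keying on the HR employee number rather than the display name keeps near-identical IDs and renamed accounts from slipping through the reconciliation.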


5.7.3.6 Review of user access AD, T-Cube, Eagle

Precious Processes:
Reviews of validity and appropriateness of user access on Active Directory, Eagle and T-Cube are performed annually.

Precious Control Activities:
A review of the appropriateness of access is performed for the AD, T-Cube and Eagle application and database.

BIG4 test procedure and finding:
Inspection
Inspected the review of user access rights for AD, T-Cube and Eagle to verify that reviews of access rights were performed.
Exceptions noted
Evidence of the annual review of user access to confirm validity and appropriateness of user access could not be obtained for the Eagle Access application.

5.7.3.7 Administrative/Super Users and Database Administrator access rights

Precious Processes:
T-Cube application:
Appropriate personnel have administrative access rights to the T-Cube application.
T-Cube DB and OS:
Only IT staff have administrative access to the T-Cube database server. All IT support staff log into the database server using an account where the password is known by IT staff only.
Four IT staff members have administrative access to the operating system through a shared generic account.
Eagle:
Appropriate personnel have administrative access rights to the Eagle application.
ThinkFolio Application:
Appropriate personnel have administrative access rights to the ThinkFolio application.
ThinkFolio DB:
Only IT staff and the Business Analyst have administrative access to the ThinkFolio database. All IT support staff log into the database server using the generic account where the password is known by IT staff only. The Business Analyst uses his active directory credentials to access the database.
ThinkFolio OS:
Four IT staff members have administrative access to the operating system through a shared generic account.

Precious Control Activities:
Administrative access is restricted to the appropriate personnel.

BIG4 test procedure and finding:
Inspection
Inspected evidence that super user access is restricted to authorised individuals.
Exception noted
Administrative access through the sharing of generic user accounts is granted on the T-Cube Database (DB) and Operating systems (OS) as well as the ThinkFolio DB and OS.


5.7.4 Controls provide reasonable assurance that segregation of incompatible duties is defined, implemented and enforced by logical security controls in accordance with job roles.

5.7.4.1 Segregation of Duties

Precious Processes:
T-Cube:
The T-Cube application has built-in segregation of duty controls that prevent a user from capturing and authorising their own transactions.

Precious Control Activities:
Users are unable to capture and authorise their own transactions.

BIG4 test procedure and finding:
Performed a walkthrough to observe that the segregation of duties controls were enforced on the T-Cube application.
No exceptions noted.

5.7.5 Controls provide reasonable assurance that data transmissions between the service organisation and its counterparties (Eagle Investments systems) are complete, accurate, timely and secure.

5.7.5.1 Complete, Accurate, and Timely Transmission

Precious Processes:
Automated transmission logs detailing transmission failure or success, are available for client review within the Eagle PACE and Eagle STAR applications to allow for monitoring of data transmission activity. Monitoring is performed through notification emails that are sent through to the Operations Team and actioned if necessary. Transmission status is automatically noted in the logs.

Precious Control Activities:
Automated transmission logs detailing transmission failure or success are monitored and actioned.

BIG4 test procedure and finding:
Inspection
Inspect the Eagle Pace and Eagle Star logs to determine that data transmission statuses are monitored and actioned.
No exceptions noted

5.7.5.2 Secure

Precious Processes:
Period: 1 April 2016 – 31 August 2016 (Neotel)
Data transmissions between Neotel and Eagle Investments systems are complete, accurate, timely and secure and produce transmission logs detailing success and failure of transmissions.
Neotel provides Precious with an MPLS connection.
Firewall rule set indicates that secure private IP network is used for data transmission.
Period: 1 September 2016 – 31 March 2017 (Aryaka Africa)
Data transmissions between Aryaka Africa and Eagle Investments systems are complete, accurate, timely and secure and produce transmission logs detailing success and failure of transmissions.
Aryaka provides Precious with a secure encrypted internet connection.

Precious Control Activities:
A secure connection is in place and sits behind the Precious Firewalls.

BIG4 test procedure and finding:
Inspection
Obtained and inspected the firewall rule set for the existence of a secure MPLS connection provided by Neotel.
Obtained and inspected the firewall rule set for the existence of a secure encrypted connection provided by Aryaka.
No exceptions noted.


5.7.6 Controls provide reasonable assurance that appropriate measures are implemented to counter the threat from malicious electronic attack (e.g. firewalls, anti-virus etc.)

5.7.6.1 Proxy

Precious Processes:
Web traffic is filtered through a proxy server. Threat websites are published on the proxy server to prevent certain websites being accessed.

Precious Control Activities:
Web traffic is filtered through a proxy server to ensure that inappropriate websites are blocked.

BIG4 test procedure and finding:
Inspection
Inspected an extract of the blocked website database rules configured on the proxy to ensure that inappropriate websites are blocked.
No exceptions noted.

5.7.6.2 Firewall

Precious Processes:
A redundant firewall has been implemented to control all internal and external communication. Public-facing servers are hosted within a demilitarised zone (DMZ). In the event of failure on the Primary firewall the backup firewall will take over responsibility of securing the network.

Precious Control Activities:
Firewalls have been implemented and all public facing servers are hosted within a DMZ.

BIG4 test procedure and finding:
Inspection
Inspected the network diagram to verify the location of the firewall. Inspected the firewall rule set to verify that the firewall existed and public-facing servers were hosted within a DMZ.
No exceptions noted.

5.7.6.3 Anti-virus

Precious Processes:
Anti-virus solutions have been implemented on servers and workstations and is monitored and updated when new updates are available.

Precious Control Activities:
An anti-virus solution has been implemented on servers and workstations within the Precious environment and is monitored and updated when the new updates are available.

BIG4 test procedure and finding:
Inspection
Observed the anti-virus solution is implemented and inspected to confirm that it has been updated with the latest anti-virus signatures.
No exceptions noted.

5.7.6.4 SysLog

Precious Processes:
A SysLog server has been implemented to allow for security logging and analysis. These logs are reviewed and incidents are followed up and actioned as necessary.

Precious Control Activities:
Logs are retained for security logging and analysis and incidents are followed up and actioned as necessary.

BIG4 test procedure and finding:
Inspection
Inspected evidence of selected tickets logged indicating that monitoring and follow up has occurred based on the incidents per the SysLog.
No exceptions noted.

5.7.7 Controls provide reasonable assurance that development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented.

5.7.7.1 Change control policy

Precious Processes:
A formal change control policy procedure is in place. Any changes to the financially significant applications are logged via email with the third party developers.
T-Cube:
Changes to T-Cube are approved by the Head of IT. Once the changes have been developed by the respective third parties, the changes are loaded into the Precious test environment and business and IT sign off on the test procedures performed.
ThinkFolio:
Internal development work is sometimes required to be performed by the Business Analyst in terms of upgrading the integration layer of the system to cater for enhancements from the ThinkFolio vendor. There is no documentation or change control process followed for these internal builds.

Precious Control Activities:
All changes made to the T-Cube and Eagle application and database are authorised, tested and approved prior to implementation in production.

BIG4 test procedure and finding:
Inspection
T-Cube
For a selection of changes, obtained and inspected evidence of approval and testing prior to implementation into production.
No exceptions noted
ThinkFolio
For a selection of the ThinkFolio changes, obtained and inspected evidence of approval and testing prior to implementation into production.


5.7.8 Controls provide reasonable assurance that data and systems are backed up regularly, retained offsite and regularly tested for recoverability.

5.7.8.1 Backup and replication

Precious Processes:
There is a standard backup procedures document in place.
Full backups are taken on a daily basis and the IT department receives an automated email notification of any backup fails. Precious replicates off-site to a Disaster Recovery site in Bellville, Cape Town on a daily basis.
A backup checklist is completed on a daily basis as evidence of monitoring backups and replication. The Head System Engineer and Head of IT sign this off.

Precious Control Activities:
There is a backup procedure in place and full backups are taken on a daily basis.

BIG4 test procedure and finding:
Inspection
Inspected the Backup and Restore procedures policy to verify that a backup schedule is designed.
For a selection of days, inspected the system generated email notifications for the statuses of the backups to the Disaster Recovery site.
Inspected a selection of backup checklists to verify that the backup and replication process was completed and signed off.
No exceptions noted.

5.7.8.2 Restoration testing

Precious Processes:
Restoration testing is completed during the annual Disaster Recovery (DR) test that is performed. Restoration takes place from the replicated data to the DR site.

Precious Control Activities:
Restoration is completed during the annual DR testing utilising the replicated data to the DR site.

BIG4 test procedure and finding:
Inspection
Inspected evidence of the successful restoration as part of the annual DR test that took place during the period covered by this report.
No exceptions noted.


6 Management’s comments that do not form part of our opinion


6.1 Business control objectives

Reference: 6.1.1

Control reference:
5.3.5.1 & 5.3.5.5

Control exception:
We found that the monthly management packs had not been reviewed for the month of November 2016.

Recommendation:
Management should review the monthly management packs and evidence the review thereof.

Management comments:
The month of November 2016 was an anomaly in that there were certain major operational and financial activities that resulted in the CFO’s review of the management pack being delayed. The management pack for the month of November was subsequently reviewed. The packs for the months prior to and subsequent to November 2016 were reviewed. Management packs are also distributed to the relevant executives, who review the management packs of their business units. It should also be noted that management packs contain comparative, year to date information for each month, meaning that subsequent months included November 2016 information.

6.2 IT Control objective

Reference: 6.2.1

Control reference:
5.7.3.4

Control exception:
We could not obtain evidence of the termination of two Eagle user accounts and the accounts were not locked after the termination date.

Recommendation:
Management to ensure that controls are operating effectively to ensure that users’ access to applications is terminated in a timely manner.

Management comments:
These are users that left the employ of Precious during Feb 2017 and the accounts were only locked at the end of the following month – after the audit extract was retrieved at which point it was verified that the users had not accessed the system since their last day of employment.

Reference: 6.2.2

Control reference:
5.7.3.5

Control exception:
2 users have multiple user IDs for the Eagle application and 4 users have multiple user IDs for the T-Cube application.

Recommendation:
Management to ensure that users are not assigned to multiple user accounts for applications including the database and operating systems.

Management comments:
The two T Cube users that have been duplicated are as a result of the original user account that was created which differed to that of the Active Directory user and therefore the user could not access the system. The one duplicated Eagle user was as a result of the external user locking himself out because his PC was set to remember his password and was unable to clear the stored password and needed the information urgently. A new user was therefore created in the above instances. Important to note that there was no concurrent access by the users through their various accounts.

Reference: 6.2.3

Control reference:
5.7.3.6

Control exception:
Evidence of the annual review of user access to confirm validity and appropriateness of user access could not be obtained for the Eagle application.

Recommendation:
Precious to ensure that an annual user access review is performed for the Eagle application and that evidence of the review is maintained.

Management comments:
There was no documented annual review sign off since there is an ongoing review performed throughout the year as and when users are created or terminated. In future the control is to be updated to only cover a documented annual review of users with write access to Eagle.

Reference: 6.2.3

Control reference:
5.7.3.7

Control exception:
Administrative access through the sharing of generic user accounts is granted on the T-Cube DB and OS as well as the ThinkFolio DB and OS.

Recommendation:
Management to ensure that administrative access to applications should not occur through the use of generic accounts.

Management comments:
The shared account is only available to 3 staff members who have been in Precious’s employ in excess of 7 years. Even though the access is shared, the IP addresses of the machines connecting to these servers are logged and can be traced if required. We have recently appointed a dedicated Database Administrator (DBA). The DBA will administer these databases removing shared access.
