DISA 3.0 Project Report on Information Systems audit of a Mutual Fund Systems

Introduction

A mutual fund is an open-end professionally managed investment fund that pools money from many investors to purchase securities. Mutual fund investors may be retail or institutional in nature. Mutual funds are often classified by their principal investments as money market funds, bond or fixed income funds, stock or equity funds, hybrid funds, or other. Funds may also be categorized as index funds, which are passively managed funds that match the performance of an index, or actively managed funds. In India, mutual funds are regulated by the Securities and Exchange Board of India, the regulator of the securities and commodity market owned by the Government of India. The mutual fund industry in India is growing at an exponential pace. The Indian mutual fund industry recorded an Average Assets Under Management (AAUM) of Rs. 23.16 trillion as on February 28, 2019. The AUM of the industry stood at Rs. 5.09 trillion on February 28, 2009, which means the Indian mutual fund industry has registered a more than 4 ½ fold increase in a period of 10 years.
There are as many as 44 AMFI (Association of Mutual Funds in India) registered fund houses in India which together offer more than 2,500 mutual fund schemes. The wide array of funds often makes it a little difficult for investors to choose the best scheme for them. To ease this process, we list out the 10 most popular mutual fund houses in India.

Sr. No.   Name of Fund House                    AUM (in Crore)
1         HDFC Mutual Fund                      Rs. 3,42,525
2         ICICI Prudential Mutual Fund          Rs. 3,21,281
3         SBI Mutual Fund                       Rs. 2,84,124
4         Aditya Birla Sun Life Mutual Fund     Rs. 2,46,696
5         Reliance Mutual Fund                  Rs. 2,34,293
6         UTI Mutual Fund                       Rs. 1,59,694
7         Kotak Mahindra Mutual Fund            Rs. 1,50,271
8         Franklin Templeton Mutual Fund        Rs. 1,19,933
9         Axis Mutual Fund                      Rs. 89,768
10        DSP Mutual Fund                       Rs. 78,363

How Do Mutual Funds Work

While you might have heard many experts say that investing in mutual funds is one of the best ways to grow your wealth, it is perhaps even more important to know how mutual funds work. Let’s understand the working of mutual funds right from the time an Asset Management Company (AMC) or fund house decides to launch a mutual fund till it starts giving attractive returns:

  1. The process begins when a fund house identifies a potential money-making opportunity in the market, subject to key risks.
  2. The fund house then weighs the newly identified opportunity against existing investment opportunities and analyses how it can add further value for current investors.
  3. The fund house then appoints a fund manager who creates a portfolio of different asset classes including equities, debt and money market securities. The asset allocation of the scheme decides under which mutual fund category the scheme will fall – Equity Fund, Debt Fund or Hybrid Fund.
  4. The fund manager then compiles all the details, including the scheme’s asset allocation, risk level, etc., in a document and files the draft with the market regulator SEBI for its approval.
  5. After receiving SEBI’s approval, the fund house makes the scheme available to the public for subscription through a New Fund Offer (NFO). An NFO generally lasts for 7-10 days.

On the basis of the subscription period, mutual fund schemes can be classified as open-ended and close-ended schemes. An open-ended mutual fund scheme allows investors to enter and exit the fund at any time, even after the closure of the NFO period. A close-ended fund, on the other hand, allows investors to enter the scheme only during the NFO period and does not allow them to exit it until maturity, which is typically 3-4 years from the launch date.

  6. After receiving the initial subscription, the fund manager manages the scheme actively or passively depending on the scheme’s requirements as well as market/economic conditions.
  7. A mutual fund investment provides earnings to its investors in the form of dividend payouts and capital gains.

About Mutual Fund Service System (MFSS)

An investor who wishes to subscribe to or redeem units of a mutual fund scheme can now use the Mutual Fund Service System (MFSS) provided by NSE.
This service was launched on November 30, 2009 at the hands of Mr C B Bhave, Chairman, Securities and Exchange Board of India (SEBI).

Mutual Fund Service System

Mutual Fund Service System (MFSS) is an online order collection system provided by NSE to its eligible members for placing subscription or redemption orders on the MFSS based on orders received from the investors.

Orders Placing

The MFSS will be available to Participants between 9 a.m. and 3 p.m.
The NSE MFSS shall facilitate entry of both buy and sell orders. In order to subscribe to units, a member will be required to place buy orders. A member who wishes to redeem units of a mutual fund scheme will be required to place sell orders in the system. Participants can choose between physical mode and depository mode while putting their subscription / redemption requests on the MFSS. All orders shall be settled on an order-to-order basis, on T+1 (working days).
Individuals, HUFs and Body Corporates can participate in MFSS subject to completing the KYC procedure. In the case of a minor, the guardian would have to be KYC compliant.

Confirmation of order

The system will generate an order confirmation slip for each order placed on behalf of the investor, which includes the time stamp of the order being put on the system. The order confirmation slip generated by the system shall be given to the investor by the member and is the conclusive evidence of the transaction.

To deal with the challenges arising in the Mutual Fund Service System (MFSS) of KAA Asset Management Limited, the company has appointed M/s AKA & Associates, a firm of Chartered Accountants, to review and audit the Information System in place and to provide suitable recommendations for improvements and best practices that can be adopted in the Mutual Fund system.

Audit Engagement Team

Our approach to selecting the right people for a project is to bring together the necessary skills and experience for a particular assignment from the rich mix of skills and experience available. The assignment will be executed by M/s AKA & Associates under the personal supervision and leadership of Mr K. M/s AKA & Associates is one of the leading practitioners in the area of IS audit, comprising the following main team members:
1. Mr K – Team leader (DISA qualified, having over 10 years of experience in IS audit). He has worked on 10+ SAP engagements across different industries like FMCG, Telecom, Chemicals, Oil & Gas, Professional Services, Insurance etc., performing key leadership roles in Program/Project Management.
2. Ms A, Mr A, Ms D, Mr M – Team members (all of the team members are DISA qualified, have been experts in the field of audit of software development projects for 5-8 years, and have worked on various projects providing SAP solutions for various aspects and other statutory compliances).
The said team has handled various other projects concerning IS audits and has consulted on the Software Development Life Cycle, Migration Audits, Business Continuity Management etc.

Auditee Environment

Structure of Mutual Fund

Typically, a mutual fund is a trust that pools the savings of a number of investors who share a common financial goal. The money collected is invested in capital market instruments such as, shares, debentures and other securities and money market instruments. The income earned through these investments and the capital appreciation realized is shared by its unit holders in proportion to the number of units owned by them. A mutual fund offers an opportunity to invest in a diversified, professionally managed basket of securities at a relatively low cost.


Sponsor

The Sponsor(s) are those who establish the Mutual Fund Trust and the Asset Management Company (AMC). They constitute the shareholders of the AMC.

Board of Trustees or Trustee Company

The trustees of a Mutual Fund could be constituted as a ‘Board of Trustees’ or could be incorporated as a ‘Trustee Company’. Where a Trustee Company is appointed, the duties of the trustee would be discharged through its directors. Regulation 18 of the MF Regulations has laid down the rights and obligations of the trustees. The Trustee Company is entitled to receive trusteeship fees for its services. The Sponsor appoints the trustees for the mutual fund. The trusteeship fee is paid by the mutual fund schemes and forms part of the overall approved expense ratio. The mutual fund’s assets belong to the investors and are held in a fiduciary capacity for them by the trustees. The Trustee Company is the epitome of corporate governance in mutual funds and the trustees are regarded essentially as the front-line regulator. The Trustee Company is entrusted with the responsibility of holding the property of the MF in trust for the benefit of the unit-holders.

Asset Management Company (AMC)

The AMC is a corporate entity, which floats, markets and manages a mutual fund scheme and in return receives a management fee paid from the fund corpus. The AMC is accountable to the Trust for its actions. Regulation 25 of MF Regulations has laid down the AMC’s obligations. In India, the Sponsor or the Trustee appoints the AMC through Investment Management Agreement (IMA). The contents of IMA are given in the Fourth Schedule to the MF Regulations. In terms of Regulation 24 of MF Regulations, no AMC can manage assets of more than one Mutual Fund and in case AMC decides to undertake any other activity then it has to satisfy SEBI that key personnel and infrastructure have been segregated activity-wise.

Fund Accountant (generally outsourced)

Fund Accountant is an entity handling the back office operations of the mutual fund for and on behalf of the AMC, viz., services related to fund accounting, purchase processing, corporate actions accounting, valuation and Net Asset Value (NAV) calculation, reporting and other incidental services in respect of the Mutual Fund. An AMC, generally, enters into service level agreement with Fund Accountant, if outsourced, which will clearly bring out the expectations from the third party service providers. Periodically, these would be reviewed to reflect at all times the business requirements currently in practice.

Background

The audit should encompass the audit of systems and processes, inter alia, related to examination of the integration of the front office system with the back office system, the fund accounting system for calculation of net asset values, the financial accounting and reporting system for the AMC, unit-holder administration and servicing systems for customer service, the funds flow process, system processes for meeting regulatory requirements, prudential investment limits and access rights to system interfaces.
Mutual Funds / AMCs are advised to conduct their systems audit on an annual basis by an independent CISA / CISM qualified or equivalent auditor to check compliance with the provisions of the circular.
Mutual Funds / AMCs are further advised to take necessary steps on the exception report. The exception report should be placed for review before the Technology Committee before it is placed before the AMC & Trustee Board. Thereafter, the exception observation report along with the trustees’ comments, starting from the financial year April 2019 – March 2020, should be communicated to SEBI within six months of the end of the respective financial year. Further, System Audit Reports shall be made available for inspection.
The circular is issued in exercise of the powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, read with the provisions of Regulation 77 of the SEBI (Mutual Funds) Regulations, 1996, to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.

Situation

As the mutual fund market has moved towards online investment and trading systems for the ease of its investors, eliminating offline representative intervention for investing, buying or selling of mutual funds and giving investors easy access to trading from anywhere, KAA Mutual Fund has implemented various security controls to secure its user data, maintaining integrity, confidentiality and availability through specific controls as and where required.

KAA Mutual Fund is manned by around 2000 people. There are 220 applications running, around 150 plus network devices (firewalls, IDS, IPS, routers, switches, gateways etc.) and 500 plus high-end servers. Appropriate communication lines with all required redundancies are present.
The information security risk management policy maintained by the enterprise has not been updated or reviewed for the last three years. At the time of hiring employees, no background check is done and no documents are requested. Hiring policies are not defined in line with IT operations.

Management says there are no issues with the access control mechanism. However, multiple failed attempts by unauthorized users were found; this was reported to senior management, but management did not take any action, believing that since these were just unsuccessful attempts no follow-up action was required.
Testing of security patches for application servers was not being performed before deploying them into the production environment. There are also issues with the management of backup tapes and blank tapes.
Occasionally, a huge rush is observed during the peak closing time of the market, especially on Friday, and the server is seen experiencing downtime.

Any unusual activities observed by the IT Personnel are reported to CISO by following the proper formal procedure designed by the top management.

No training such as mock drills for earthquake/fire or safety program classes is provided to the staff, since management believes that these circumstances have never arisen in the lifetime of the company.

Scope and Terms of assignment

We have been appointed by KAA MF by letter dated 06th April 2021 for the Information System Audit of the Mutual Fund System; the scope and terms mentioned in the engagement are given hereunder.

Scope:

1. Review adequacy of internal control systems and confirm its appropriateness
2. Review functioning of internal audit function, reporting structure coverage and frequency of internal audit and identify areas requiring improvement.
3. Review financial and risk management policies as per corporate governance requirements and its adequacy.
4. Review compliance requirements as per Information Technology Act as amended in 2008.
5. Review whether the current risk management strategy is adequate considering the current and future business plans, business process, technology deployed, organization structure and regulatory requirements.

Other terms and conditions

1. The report should be submitted within three weeks of the date of the offer letter at the latest.
2. The consolidated remuneration shall be Rs. 1,00,000 (Rupees One Lakh only). It is a package payment and no travelling or any other allowance will be paid.
3. The auditor is not disqualified under the provisions of the Companies Act, 2013.
4. The auditor firm has never been de-panelled due to poor performance.
5. The audit is to be conducted by a CISA, DISA qualified Chartered Accountant or by a team headed by CISA, DISA qualified Chartered Accountants.
6. In case any major ambiguities are noticed or detected, they must be reported to the board by the fastest available mode of communication, or personally if stationed locally.

Logistics arrangements required

KAA MF shall appoint one senior IT officer part of the implementation team and operation head to co-ordinate for finalizing the initial work plan and shall continue to work with the audit team as when required till the completion of assignment. The company shall make available necessary systems, software, software resources and support facilities for completing the assignment within the appointed time. During the course of audit the following resources shall be made available:
1. 2 nodes with read-only access to extract reports from the application.
2. One laptop with Windows 10 / Microsoft Office 2013.
3. Adequate seating and storage for the team.
4. Facilities and permissions to hold discussions and seek information from the IT department as well as members of the different user departments.
5. Permission to do penetration testing on the system.
6. Permission to carry our laptops with Computer Aided Audit Tools installed, to be used for our data analysis.

Methodology and Strategy adopted for the audit

Our audit team has executed the assignment and performed audit procedures on the basis of the following audit methodologies and strategies:-
1. In-depth study and analysis of all aspects of the application software to obtain an understanding of how the system currently operates.
2. Reviewed the software in operation to understand how the various components of the system interact with each other.
3. Tested each module in the system, including the documentation prepared in respect of each.
4. Reviewed the inbuilt controls for stored data so as to ensure that only authorized persons have access to data on computer files.
5. Reviewed the process and policy of taking backups of data, i.e. disk mirroring, and its restoration process.
6. Reviewed the alternate activities performed during system downtime and the mapping and data merger process for continuance of regular operations afterwards.
7. Reviewed the controls established to ensure that all transactions are entered and accepted for further processing and that no transaction is processed twice.
8. Reviewed the controls established to ensure that only valid transactions are processed.

Documents Reviewed

While performing audit procedures, we reviewed the following documents:
➢ Organization structure Diagram.
➢ List of Hardware, Software and Application Software currently used by the client.
➢ Service Offer Agreement.
➢ Password Policy.
➢ Business Continuity Plan and Disaster Recovery Plan.
➢ Information Security Policy.
➢ Backup Procedures.
➢ User Creation, modification and deletion Policy.
➢ Various MIS reports and exception reports generated by the system.
➢ Information system asset registers.

References

➢ ISO 27001
➢ COBIT 2019 Framework
➢ Guidelines and Circular issued by SEBI
➢ Information Technology Assurance Framework issued by ISACA
➢ GTAG (Global Technology Audit Guide) prepared by the Institute of Internal Auditors.
➢ Information Technology (Amendment) Act, 2008.
➢ References to the ISA Study Materials issued and provided by ICAI

Deliverables

Our audit team has provided the following deliverables to the company after completion of the assignment:-

a) Final IS Audit Report drafted in pursuance of the ISACA and COBIT Frameworks, stating that such audit has been conducted as per the guidelines issued by SEBI in order to express an opinion on the effectiveness of operations and controls of the Mutual Fund Systems.
b) Executive Summary for senior management.
c) Detailed findings and recommendations related to the IS Audit for continuity of a sound and stable information system, protection of mutual fund unit holders, market efficiency, privatization and opening of markets, etc.
d) Meeting of IS security needs.
e) Assessment of risks, economy, efficiency and quality.

Audit Findings and Recommendations

Each finding below is recorded under the same headings: Sl. No., Control Objective, Audit Procedure, Risk Ranking, Observation, Impact on Information Assets and Recommendation.

Finding 1
Control Objective: Information Security Risk Management Control
Audit Procedure: Observation & confirmation
Risk Ranking: High
Observation: The information security risk management process was last reviewed by top management 3 years ago.
Impact on Information Assets: Several management action plans might have become irrelevant and outdated and may now require changes. (Confidentiality, Integrity, Availability)
Recommendation: A defined process should exist and be followed for information security risk management on an annual basis.

Finding 2
Control Objective: Human Resource Control
Audit Procedure: Inquiry, Inspection
Risk Ranking: High
Observation: KYC documents of employees who are given authorized access to the Stock Brokers’/Depository Participant’s critical systems, networks and other computer resources were not available with the HR Department.
Impact on Information Assets: The non-availability of employees’ background information may result in serious consequences which may lead to fraud. (Confidentiality, Availability)
Recommendation: Hiring policies must be defined in line with IT operations; background check procedures must be performed for all new joiners, subject to stringent supervision, monitoring and access restrictions.

Finding 3
Control Objective: Access Control
Audit Procedure: Inspection, Observation & Confirmation
Risk Ranking: High
Observation: Many unauthorized user access attempts, repeated and failed multiple times, were found in the system logs.
Impact on Information Assets: An unauthorized user may eventually gain access to confidential data after trying multiple times. (Confidentiality, Integrity)
Recommendation: Account access lock policies after 3 failed attempts should be implemented for all accounts.

Finding 4
Control Objective: Patch Management Control
Audit Procedure: Observation & Confirmation
Risk Ranking: Medium
Observation: Testing of security patches is not carried out by IT personnel at regular intervals.
Impact on Information Assets: This may create a risk to the production environment and adversely affect other systems.
Recommendation: Perform rigorous testing of security patches before deployment into the production environment so as to ensure that the application of patches does not impact other systems.

Finding 5
Control Objective: Backup media management
Audit Procedure: Observation & confirmation
Risk Ranking: Medium
Observation: Backup tapes are not labelled accurately, externally and internally, and are stored in humid conditions within the data centre.
Impact on Information Assets: Incorrect labelling will lead to incorrect processing, leading to data integrity issues. (Confidentiality, Integrity, Availability)
Recommendation: All tapes should be checked for internal and external labels, and they should be stored in a secure condition in the offsite premises.

Finding 6
Control Objective: Business Continuity controls
Audit Procedure: Business continuity policy documents, MIS reports
Risk Ranking: Medium
Observation: During the peak closing time of the market, the server experiences downtime due to a large number of user logins at the same point in time.
Impact on Information Assets: In case of a prolonged or frequent service disruption, customers may lose confidence, resulting in loss of faith and goodwill. (Integrity, Availability)
Recommendation: Extra servers and workstations need to be installed to manage the workload during peak hours. Appropriate physical and logical access controls also need to be implemented on the same.

Finding 7
Control Objective: Governance Control
Audit Procedure: Observation, Inquiry
Risk Ranking: High
Observation: The time lag between identification of unusual activities and events and their reporting to the CISO is higher than usual.
Impact on Information Assets: Sometimes unusual activities detected by IT personnel may be so serious that immediate action is required, but the lengthy formal reporting procedure may cause delay. (Availability)
Recommendation: Amend the reporting procedures to facilitate communication of unusual activities and events to the CISO or to senior management in a timely manner.

Finding 8
Control Objective: Disaster Recovery Plan
Audit Procedure: Inspection & Observation
Risk Ranking: Medium
Observation: The company has never given its staff any sort of training, such as mock drills for earthquake/fire or safety program classes.
Impact on Information Assets: Though the chances of a disaster in this region are very low, if one takes place it would be very difficult to cope with the situation.
Recommendation: Proper training must be given to employees on how to respond to a disaster, and a mock drill must be performed at least once a year.
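The lockout control recommended under Finding 3, as an added example that is not part of the report or the auditee's MFSS software: it replays constructed login records (the log layout, the 15-minute failure window, the account names and addresses are all assumptions), locks an account on its third failed attempt, and refuses every later attempt until an administrator unlocks it, which is the follow-up that was missing when the failed attempts were first escalated.

```python
"""Account-lockout evaluation over authentication logs (added example).

Replays login records and applies the report's recommended policy: lock an
account after 3 failed attempts. The window length, the log layout and all
sample values below are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCK_THRESHOLD = 3                       # failed attempts before lockout (per Finding 3)
FAILURE_WINDOW = timedelta(minutes=15)   # assumed: failures older than this are forgotten

# Constructed sample records, not taken from any real system:
# "<date> <time> <account> <FAIL|SUCCESS> <source address>"
SAMPLE_LOG = """\
2021-04-07 09:01:10 member017 FAIL 10.10.5.21
2021-04-07 09:01:22 member017 FAIL 10.10.5.21
2021-04-07 09:01:35 member017 FAIL 10.10.5.21
2021-04-07 09:01:50 member017 SUCCESS 10.10.5.21
2021-04-07 09:05:00 ops_admin FAIL 10.10.9.4
2021-04-07 09:30:00 ops_admin FAIL 10.10.9.4
2021-04-07 09:31:00 ops_admin SUCCESS 10.10.9.4
2021-04-07 10:00:00 member042 FAIL 10.10.5.30
2021-04-07 10:00:05 member042 SUCCESS 10.10.5.30
"""


def parse_line(line):
    """Return (timestamp, account, succeeded, source) for one log record."""
    date, time, account, result, source = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, account, result == "SUCCESS", source


def failed_attempts_per_account(log_text):
    """Total failed logins per account: the figure that was escalated and then ignored."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            _ts, account, succeeded, _src = parse_line(line)
            if not succeeded:
                counts[account] += 1
    return dict(counts)


def evaluate_lockouts(log_text, threshold=LOCK_THRESHOLD, window=FAILURE_WINDOW):
    """Replay the log and return (locked_accounts, events).

    locked_accounts maps account -> time the lock was applied. events holds
    ("LOCKED", account, ts) when the threshold is reached and
    ("REJECTED_WHILE_LOCKED", account, ts) for every later attempt, so a
    correct password supplied after three failures is refused, not honoured.
    A lock stays in place until an administrator clears it (assumed policy).
    """
    recent_failures = defaultdict(list)   # account -> timestamps inside the window
    locked, events = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, succeeded, _src = parse_line(line)
        if account in locked:
            events.append(("REJECTED_WHILE_LOCKED", account, ts))
            continue
        if succeeded:
            recent_failures[account].clear()   # a genuine login resets the counter
            continue
        window_start = ts - window
        recent_failures[account] = [t for t in recent_failures[account] if t >= window_start]
        recent_failures[account].append(ts)
        if len(recent_failures[account]) >= threshold:
            locked[account] = ts
            events.append(("LOCKED", account, ts))
    return locked, events


if __name__ == "__main__":
    print("failed attempts:", failed_attempts_per_account(SAMPLE_LOG))
    locked_accounts, lock_events = evaluate_lockouts(SAMPLE_LOG)
    for event in lock_events:
        print(*event)
    print("locked:", locked_accounts)
```

With the sample data only member017 is locked; ops_admin's two failures are 25 minutes apart and fall outside the window, so the counter never reaches three.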

Conclusion

Based on the IS Audit review and findings, the overall conclusions on specific areas are as follows:-
Information Security Risk Management Control
We have observed that the information security controls in KAA Mutual Fund are working effectively. The areas where controls need to be strengthened are highlighted in Para 11 of our Report.
Access Controls, Application & Database Controls
Our review of access controls in the IT environment as implemented in KAA Mutual Fund Company using Windows Server, Oracle and MFSS confirms that appropriate security and access controls have been implemented by using the related functions and features of the software. Our test checks have revealed that the systems of security and controls are reliable.
However, there are some cases of old investor accounts that hold no balance in their funds and have not been deactivated.
In addition, we found scope for improvement in the MFSS software so that manual event updates can be avoided at the Mutual Fund, to prevent revenue leakage.
Also, data relating to periods when the system was not available is missing and has not been updated in the revenue tables in the database, which may impact correct revenue recognition and create a risk of revenue loss.

Environmental Controls and Business Continuity plan

Our review of the environmental controls and BCP implemented by KAA Mutual Fund Company confirms that the business continuity plan is implemented and the staff is aware of various disaster situations.
The power backup for the IT servers and air-conditioning can be improved.
One critical gap is the absence of an alternate disaster recovery site and related documentation, which should provide for backup and off-site storage of application software, data files and system software to facilitate their restoration as part of the recovery of critical applications.

Further Action

We consider that the recommendations given in our IS Audit Report, read together with the audit findings in this report, would be very useful for strengthening the business process controls of KAA Mutual Fund Company and will aid in improving the effectiveness of the MFSS operations. We would like to affirm that the matters included in this report are those which came to our notice during our review, following normal Information System audit procedures and complying with the globally applicable Information Systems Auditing Standards, Guidelines and Procedures that apply specifically to information system auditing issued by the Information Systems Audit and Control Association (ISACA), USA, and the security and control practices outlined in COBIT 2019 issued by ISACA, as adapted to KAA Company's operations. Further, on account of limitations of scope and time, we have used a sample test and test check approach. Hence, certain areas which are outside the scope of review, such as source code review and implementation controls, are not covered.