Report on BullionVault’s DAILY AUDIT
18 May 2020
Independent Inspection and Audit Reports (PDF Downloads)
- Canada Gold and Silver
- Singapore Gold
- Singapore Silver
- Switzerland Gold
- Switzerland Silver
- London Gold
- London Silver
- London Platinum
- New York Gold
Report by the Directors
Brink’s means Brink’s Global Services Ltd.
BullionVault means the service offered by Galmarley Ltd through website domains under BullionVault.com, and potentially other websites, whereby BullionVault Customers are able to buy, own, store and sell gold or silver bullion.
BullionVault Clients Ltd means company 08672704 registered in England and Wales.
BullionVault Customers means customers of Galmarley Ltd who have an account at BullionVault held open under the prevailing Terms and Conditions of the BullionVault service.
Galmarley Ltd means company 04943684 registered in England and Wales.
Lloyds means Lloyds Bank plc.
Loomis means Loomis International (UK) Limited.
Malca-Amit means Malca-Amit Global Limited.
Owners means both Galmarley itself and all BullionVault Customers who own gold or silver through the BullionVault service.
Wells Fargo means Wells Fargo Bank N.A.
Responsibilities of Directors
As the Directors of Galmarley Ltd we are responsible for the identification of control objectives relating to customer property and related transactions in the provision of custody services and the design, implementation and maintenance of control procedures to provide reasonable assurance on an ongoing basis that the control objectives are achieved.
We set out in this report a description of the control procedure known as the DAILY AUDIT on the BullionVault website – which operated during the period 1-November-2018 to 31-October-2019.
We confirm that
- the report specifies the control objective of the DAILY AUDIT
- the report describes fairly the control procedures of the DAILY AUDIT
- the control procedures described were operating with sufficient effectiveness to provide reasonable assurance that the related control objective of the DAILY AUDIT was achieved during the specified period.
For and on behalf of the Board of Directors
Dated: 18 May 2020
The control objective of the Daily Audit
The control objective of the DAILY AUDIT is to verify the aggregate of customer-by-customer property records within BullionVault to third party documents.
The third party documents are provided by Loomis, Brink’s and Malca-Amit, who hold BullionVault Customers’ gold, silver and platinum, and Lloyds and Wells Fargo, who hold BullionVault Customers’ money.
The control procedure of the Daily Audit
Loomis, Brink’s and Malca-Amit provide bar lists which detail the gold, silver and platinum bullion held on behalf of BullionVault. These are re-issued the day after any change in the amount of gold or silver stored.
Similarly Lloyds and Wells Fargo provide daily end-of-day bank statements with regard to BullionVault Customer money.
BullionVault maintains all the customer-by-customer records of gold, silver, platinum and money ownership. These are modified by trading activity. At all times the BullionVault accounting records should be in a position where the total amount of Owners’ gold equates exactly to the sum of gold on the Loomis, Brink’s and Malca-Amit bar lists, the total amount of Owners’ silver equates exactly to the sum of silver on the Loomis and Brink’s bar lists, the total amount of Owners’ platinum equates exactly to the sum of platinum on the Loomis bar lists, and the total amount of Owners’ money equates exactly to the sum of money on the bank statements for the customer segregated bank accounts.
The DAILY AUDIT procedure verifies this and posts the result on-line for public inspection. However it disguises the identity of individual BullionVault Customers by listing their holdings of gold, silver, platinum and money against an alias, which is known only to BullionVault and the customer.
The DAILY AUDIT produces three important elements of verification:-
- It shows that the total of the BullionVault customer records matches exactly the balance evidenced by the statements or bar lists.
- It shows that the customer records contain no negative holdings.
- It shows that each individual customer’s records are included in the BullionVault records and form part of the totals.
To the Directors of Galmarley Limited
Use of report
This report is made solely for use of the Directors of Galmarley Ltd, and solely for the purpose of reporting on the procedure known as the ‘Daily Audit’ as described in your report on page 1, in accordance with the terms of our engagement letter dated 18 May 2020 and attached at pages 10 – 16.
Our work has been undertaken so that we might report to the Directors those matters that we have agreed to state to them in this report and for no other purpose. Our report must not be recited or referred to in whole or in part in any other document nor made available, copied or recited to any other party, in any circumstances, without our express prior written permission.
We permit the disclosure of this report, in full only, by the Directors at their discretion to customers of Galmarley Ltd using the BullionVault service and to the auditors of such customers, to enable customers and their auditors to verify that a report by Reporting Accountants has been commissioned by the Directors of Galmarley Ltd and issued in connection with the ‘Daily Audit’ procedure, and without assuming or accepting any responsibility or liability to customers or their auditors on our part.
To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the Directors and Galmarley Ltd for our work, for this report or for the conclusions we have formed.
This report covers solely:
- the operation of the ‘Daily Audit’ procedure of Galmarley Ltd as described in your report of 15 May 2020.
- The Independent Inspection and Audit Reports issued by Alex Stewart (International) Corporation on 31 October 2019 (1 report), 5 November 2019 (1 report), 19 November 2019 (4 reports), 20 November 2019 (2 reports), 28 November 2019 (1 report) and 29 November 2019 (1 report).
The Directors’ responsibilities are set out on pages 1 and 2 of your report. Our responsibility is to form an independent conclusion, based on the work carried out in relation to the operation of the ‘Daily Audit’ procedure of the company as described in your report for the period from 1 November 2018 to 31 October 2019 and report this to you as Directors of Galmarley Ltd. Our responsibility is to report on whether the ‘Daily Audit’ procedure operated as described in your report and does not include any responsibility to evaluate the design and effectiveness of the procedure.
Criteria and scope
Our work was based on obtaining an understanding of the ‘Daily Audit’ procedure as described on page 3 of the report by the Directors, and included specific tests of the ‘Daily Audit’ procedure, to obtain evidence about the operation of this procedure. The nature, timing and extent of the tests we applied are detailed on pages 8 and 9.
We also obtained confirmation in respect of the Independent Inspection and Audit Reports issued by Alex Stewart (International) on 31 October 2019 (1 report), 5 November 2019 (1 report), 19 November 2019 (4 reports), 20 November 2019 (2 reports), 28 November 2019 (1 report) and 29 November 2019 (1 report).
Our tests are related to Galmarley Ltd and its subsidiaries as a whole rather than planned to meet the needs of any particular customer.
Control procedures designed to address specified control objectives are subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Such control procedures cannot guarantee protection against (among other things) fraudulent collusion especially on the part of those holding positions of authority or trust. Furthermore, our conclusion is based on historical information and the projection of any information or conclusions in the attached report to any future periods would be inappropriate.
In our opinion:
- In all material respects, the accompanying report by the Directors describes fairly the ‘Daily Audit’ procedure which was in place as at 31 October 2019.
- In all material respects, the ‘Daily Audit’ procedure tested, as set out in the attachment to this report, was operating as described during the period 1 November 2018 to 31 October 2019.
- The attached reports by Alex Stewart (International) Corporation are as originally issued by them.
Albert Goodman LLP
Mary Street House
DATE: 18 May 2020
1. In the following report, we have used the same definitions as set out on page 1 of the report by the Directors, when explaining the tests conducted and the outcomes reached.
2. We have obtained confirmation from Loomis that for the period 1 November 2018 to 31 October 2019, vaulting services were being supplied to Galmarley Ltd as detailed in the contract between Loomis and Galmarley Ltd, and that no notice had been given to Galmarley Ltd to terminate the contract as at 29 January 2020.
3. We have obtained confirmation from Brink’s that for the period 1 November 2018 to 31 October 2019, vaulting services were being supplied to Galmarley Ltd as detailed in the contract between Brink’s and Galmarley Ltd, and that no notice had been given to Galmarley Ltd to terminate the contract as at 15 January 2020.
4. We have obtained confirmation from Malca-Amit that for the period 1 November 2018 to 31 October 2019, vaulting services were being supplied to Galmarley Ltd as detailed in the contract between Malca-Amit and Galmarley Ltd, and that no notice had been given to Galmarley Ltd to terminate the contract as at 7 January 2020.
5. We have obtained confirmation from Loomis on a sample basis, that the bar lists supplied to us by the company as used in completion of the Daily Audit procedure are in accordance with their records for the period 1 November 2018 to 31 October 2019.
6. We have obtained confirmation from Brink’s on a sample basis, that the bar lists supplied to us by the company as used in completion of the Daily Audit procedure are in accordance with their records for the period 1 November 2018 to 31 October 2019.
7. We have obtained confirmation from Malca-Amit on a sample basis, that the bar lists supplied to us by the company as used in completion of the Daily Audit procedure are in accordance with their records for the period 1 November 2018 to 31 October 2019.
8. We have obtained confirmation from Lloyds and Wells Fargo that the customer account bank statements for the four currencies operated by either Galmarley Ltd or BullionVault Clients Ltd supplied to us by either Galmarley Ltd or BullionVault Clients Ltd as used in completion of the Daily Audit procedure are in accordance with their records for three dates selected at random by us from the period 1 November 2018 to 31 October 2019.
9. For all published dates during the period 1 November 2018 to 31 October 2019 we have obtained a copy of the Daily Audit directly from the website of the company and we have, for a sample of these dates:
   - For each vault location agreed the amount listed as ‘Gold vaults’, ‘Silver vaults’ and ‘Platinum vaults’ to the bar lists retained by the company and obtained confirmation of these balances for a sample of dates from Loomis, Brink’s and Malca-Amit (see points 5, 6 and 7).
   - For each currency agreed that the amounts listed as ‘Lloyds current and savings’, ‘Lloyds treasury’, ‘Wells Fargo current and savings’, ‘Lloyds unpresented’ and ‘Wells Fargo unpresented’ in total are consistent with bank statements from Lloyds and Wells Fargo, allowing for any valid reconciling items.
   - For a sample of letters and numbers, for each vault location and currency, agreed the total amounts shown on the Daily Audit for those letters and numbers to the accounting records of the company for that day, obtaining explanations for a sample of reconciling items. We have undertaken steps as we considered necessary in order to conclude that any reconciling items were valid reconciling items.
   - For a sample of letters and numbers, confirmed that the total of the Owners balances listed, for each currency and vault location, agrees to the total listed on the summary page of the Daily Audit.
   - Confirmed that the total shown at the bottom of the summary page of the Daily Audit is a true sum of the balances listed for that date.
   - Confirmed that there are no customers showing overdrawn or negative holdings of either currency or bullion.
10. Of the 25 dates sampled, the website copy of the Daily Audit downloaded for three dates was found to not be up to date. This was due to BullionVault having not completed its Daily Audit on the sampled dates. The reason for this can vary but in these cases it was identified to be the result of deliveries of bullion occurring shortly before each date and therefore BullionVault had not had sufficient time to ensure an accurate Daily Audit was completed and uploaded. Consequently, the next day was chosen and the steps in (9) above were undertaken, with no issues identified.
11. For a sample of 30 aliases extracted from the listing of aliases we have confirmed that identification documentation was held.
12. We have obtained written confirmation from Alex Stewart (International) Corporation that the attached Independent Inspection and Audit Reports written on 31 October 2019 (1 report), 5 November 2019 (1 report), 19 November 2019 (4 reports), 20 November 2019 (2 reports), 28 November 2019 (1 report) and 29 November 2019 (1 report),
13. The company displays the current insurance documents at bullionvault.com/secure/insurance/evidence-of-insurance. We have obtained a copy of the document displayed in relation to Loomis from Loomis on 29 January 2020, a copy of the document displayed in relation to Brink’s from Brink’s on 15 January 2020 and a copy of the document displayed in relation to Malca-Amit from Malca-Amit on 7 January 2020.
18 May 2020
Following our discussions when you invited us to report on your Report on the BullionVault Daily Audit procedure (“Daily Audit”) which covers this specific procedure of Galmarley Limited for the period from 1 November 2018 to 31 October 2019 we are writing to set out our proposed responsibilities, our understanding of the work to be performed and the terms and conditions upon which we offer to perform such work.
You have asked us to attach to our report the Independent Inspection and Audit Report to be issued by Alex Stewart (International) Corporation following their visits undertaken during 2019 and to obtain confirmation from Alex Stewart (International) Corporation that the Independent Inspection and Audit Reports attached to our report are as issued by them.
You have also asked us to obtain a copy of the Certificates of Insurance as issued by Loomis, Brink’s and Malca-Amit.
Responsibilities of the directors
As the Directors of Galmarley Limited you are and shall be responsible for the design, implementation and operation of control procedures that provide an adequate level of control over customers’ assets and related transactions.
In relation to this specific engagement the Directors’ responsibilities are and shall include:
- acceptance of responsibility for the operation of the Daily Audit;
- evaluation of the operation and effectiveness of the Daily Audit procedure using suitable criteria;
- supporting the evaluation with sufficient evidence, including documentation; and
- providing a written report (“Directors’ Report”) on the operation and effectiveness of the Daily Audit for the period from 1 November 2018 to 31 October 2019.
Responsibilities of reporting accountants
It is our responsibility to form an independent conclusion, based on work carried out, in relation to the operation of the Daily Audit procedure of the company for the period from 1 November 2018 to 31 October 2019 as described in the Directors’ report and report this to the Directors. Our responsibility is limited to reporting on whether the procedure operates as described in the ‘Report on BullionVault’s Daily Audit’ issued by the Directors and does not include any evaluation of the design and effectiveness of the procedure.
Scope of the reporting accountants’ work
Our work will include enquiries of management, together with certain specific tests of documentation and requesting confirmation of specific matters from Loomis International (UK) Limited, Brink’s Global Services Limited and Malca-Amit Global Limited in relation to the operation of the Daily Audit, which will be set out in an appendix to our report.
Our work will not include any evaluation of the internal control objectives relating to the Daily Audit procedure or any evaluation of the effectiveness of the Daily Audit procedure at meeting the internal control objectives.
Any work already performed in connection with this engagement before the date of this letter will also be governed by the terms and conditions of this letter.
We may seek written representations from the directors in relation to matters on which independent corroboration is not available. We shall seek confirmation from the Directors that any significant matters of which we should be aware have been brought to our attention.
The Directors acknowledge that control procedures designed to address specified control objectives are subject to inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Such procedures cannot guarantee protection against fraudulent collusion especially on the part of those holding positions of authority or trust. Furthermore, the opinion set out in our report will be based on historical information and the projection of any information or conclusions in our report to any future periods will be inappropriate.
Use of our report
Our report will, subject to the permitted disclosures set out in this letter, be made solely for use of the Directors of the company, and solely for the purpose of reporting on the Daily Audit of the company, in accordance with these terms of engagement.
Our work will be undertaken so that we might report to the Directors those matters that we have agreed to state to them in our report and for no other purpose.
Our report will be issued on the basis that it must not be recited or referred to or disclosed, in whole or in part, in any other document to any other party, without express prior written permission of the Reporting Accountants. We permit the disclosure of our report, in full only, to customers of the company and to the auditors of such customers, to enable customers and their auditors to verify that a report by Reporting Accountants has been commissioned by the Directors of the company and issued in accordance with the internal controls of the company without assuming or accepting any responsibility or liability to them on our part.
To the fullest extent permitted by law, we do not and will not accept or assume responsibility to anyone other than the Directors and the company for our work, for our report or for the opinions we will have formed.
We will perform the engagement with reasonable skill and care and acknowledge that we will be liable to the Directors and the company for losses, damages, costs or expenses (“losses”) suffered by the Directors and the company as a result of our breach of contract, negligence, fraud or other deliberate breach of duty. Our liability shall be subject to the following provisions:
- We will not be so liable if such losses are due to the provision of false, misleading or incomplete information or documentation or due to the acts or omissions of any person other than us, except where, on the basis of the enquiries normally undertaken by us within the scope set out in these terms of engagement, it would have been reasonable for us to discover such defects;
- We accept liability without limit for the consequences of our own fraud or other deliberate breach of duty and for any other liability, which it is not permitted by law to limit or exclude.
- Subject to the previous provisions of this Liability paragraph, our maximum total liability to the directors and the company, arising from or in connection with the work which is subject to these terms (including any addition or variation to the work), shall not exceed the amount of £750,000. This maximum total liability applies to any and all claims made on any basis and therefore includes any claims in respect of breaches of contract, tort (including negligence) or otherwise in respect of the professional services and shall include interest.
To the fullest extent permitted by law, the company agrees to indemnify and hold harmless Albert Goodman LLP and its partners and staff against all actions, proceedings and claims brought or threatened against Albert Goodman LLP or against any of its partners and staff by any persons other than the Directors and the company, and all loss, damage and expense (including legal expenses) relating thereto, where any such action, proceeding or claim in any way relates to or concerns or is connected with any of Albert Goodman LLP’s work under this engagement letter.
The Directors and the company agree that they will not bring any claims or proceedings against any of our individual partners, members, directors or employees. This clause is intended to benefit such partners, members, directors and employees who may enforce this clause pursuant to the Contracts (Rights of Third Parties) Act 1999 (“the Act”). Notwithstanding any benefits or rights conferred by this agreement on such partners, members, directors or employees by virtue of the Act, we and the Directors may together agree in writing to vary or rescind the agreement set out in this letter without the consent of any such partners, members, directors or employees. Other than as expressly provided in this paragraph, the provisions of the Act are excluded.
Any claims, whether in contract, negligence or otherwise, must be formally commenced within one year after the party bringing the claim becomes aware (or ought reasonably to have become aware) of the facts which give rise to the action and in any event no later than two years after any alleged breach of contract, negligence or other cause of action. This expressly overrides any statutory provision, which would otherwise apply.
This engagement is separate from, and unrelated to, our audit work on the financial statements of the company for the purposes of the Companies Act 2006 (or its successor) or other legislation and nothing herein creates obligations or liabilities regarding our statutory audit work, which would not otherwise exist.
This engagement letter shall be governed by, and construed in accordance with, English law. The courts of England shall have exclusive jurisdiction in relation to any claim, dispute or difference concerning the engagement and any matter arising from it. Each party irrevocably waives any right it may have to object to an action being brought in those Courts, to claim that the action has been brought in an inconvenient forum, or to claim that those courts do not have jurisdiction.
If any provision in this Standard Terms of Business or any associated engagement letter, or its application, is found to be invalid, illegal or otherwise unenforceable in any respect, the validity, legality or enforceability of any other provisions shall not in any way be affected or impaired.
Internet and E-mail Communication
Unless you instruct us otherwise we may, where appropriate, communicate with you and with third parties via email or by other electronic means. However, internet communications are capable of data corruption and therefore we do not accept any responsibility for changes made to such communications after their despatch. It may therefore be inappropriate to rely on advice contained in an email without obtaining written confirmation of it. We do not accept responsibility for any errors or problems that may arise through the use of internet communication and all risks connected with sending commercially sensitive information relating to your business are borne by you. If you do not agree to accept this risk, you should notify us in writing that email is not an acceptable means of communication.
It is the responsibility of the recipient to carry out a virus check on any attachments received.
In this clause, the following definitions shall apply:
‘client personal data’ means any personal data provided to us by you, or on your behalf, for the purpose of providing our services to you, pursuant to our letter of engagement with you;
‘data protection legislation’ means all applicable privacy and data protection legislation and regulations including PECR, the GDPR and any applicable national laws, regulations and secondary legislation in the UK relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time;
‘controller’, ‘data subject’, ‘personal data’, and ‘process’ shall have the meanings given to them in the data protection legislation;
‘GDPR’ means the General Data Protection Regulation ((EU) 2016/679); and
‘PECR’ means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003).
We shall each be considered an independent data controller in relation to the client personal data. Each of us will comply with all requirements and obligations applicable to us under the data protection legislation in respect of the client personal data.
You shall only disclose client personal data to us where:
(i) you have provided the necessary information to the relevant data subjects regarding its use (and you may use or refer to our privacy notice available at https://albertgoodman.co.uk/privacy-statement for this purpose);
(ii) you have a lawful basis upon which to do so, which, in the absence of any other lawful basis, shall be with the relevant data subject’s consent; and
(iii) you have complied with the necessary requirements under the data protection legislation to enable you to do so.
Should you require any further details regarding our treatment of personal data, please contact our Data Protection Point of Contact.
We shall only process the client personal data:
(i) in order to provide our services to you and perform any other obligations in accordance with our engagement with you;
(ii) in order to comply with our legal or regulatory obligations; and
(iii) where it is necessary for the purposes of our legitimate interests and those interests are not overridden by the data subjects’ own privacy rights. Our privacy notice (available at https://albertgoodman.co.uk/privacy-statement) contains further details as to how we may process client personal data.
For the purpose of providing our services to you, pursuant to our engagement letter, we may disclose the client personal data to our regulatory bodies or other third parties (for example, our professional advisors or service providers). The third parties to whom we disclose such personal data may be located outside of the European Economic Area (EEA). We will only disclose client personal data to a third party (including a third party outside of the EEA) provided that the transfer is undertaken in compliance with the data protection legislation.
We shall maintain commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of the client personal data and against accidental loss or destruction of, or damage to, the client personal data.
In respect of the client personal data, provided that we are legally permitted to do so, we shall promptly notify you in the event that:
(a) we receive a request, complaint or any adverse correspondence from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or in respect of our processing of their personal data;
(b) we are served with an information, enforcement or assessment notice (or any similar notices), or receive any other material communication in respect of our processing of the client personal data from a supervisory authority as defined in the data protection legislation (for example in the UK, the Information Commissioner’s Office); or
(c) we reasonably believe that there has been any incident which resulted in the accidental or unauthorised access to, or destruction, loss, unauthorised disclosure or alteration of, the client personal data.
Upon the reasonable request of the other, we shall each co-operate with the other and take such reasonable commercial steps or provide such information as is necessary to enable each of us to comply with the data protection legislation in respect of the services provided to you in accordance with our engagement letter with you in relation to those services.
Contracts (Rights of Third Parties) Act 1999
Persons who are not party to this agreement shall have no rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this agreement. This clause does not affect any right or remedy of any person, which exists or is available otherwise than pursuant to that Act.
The Proceeds of Crime Act 2002 and the Money Laundering Regulations 2007
In common with all accountancy and legal practices we are required by the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2007 to:
- Maintain identification procedures for clients and beneficial owners of clients;
- Maintain records of identification evidence and the work undertaken for the client; and
- Report in accordance with the relevant legislation and regulations.
Under anti-money laundering legislation we are obliged to confirm the identity of individuals and companies and the beneficial owners of organisations and trusts before accepting new instructions, and to review this from time to time. To avoid the need to request detailed identity information from you, we may use approved external services which review publicly available information on companies and individuals. Our current procedures consist of a search with Experian for the purposes of verifying identity. To do so Experian may check details supplied against any particulars on any database (public or otherwise) to which they have access. They may also use details in the future to assist other companies for verification purposes. A record of the search will be retained and a footprint left on your credit file. This will not have a negative impact on your credit file and will show as an ‘identity search’. Should these checks, for any reason, fail adequately to confirm identity and beneficial ownership, we may ask for further identification evidence. If you do not provide satisfactory evidence or information within a reasonable time, we may have to stop acting for you. In that event, you will be charged for any work we have already done.
The offence of money laundering is defined by S340(11) of the Proceeds of Crime Act and includes concealing, converting, using or possessing the benefits of any activity that constitutes a criminal offence in the UK. It also includes involvement in any arrangement that facilitates the acquisition, retention, use or control of such a benefit.
We are obliged by law to report any instances of money laundering to NCA without your knowledge or consent. In consequence, none of our partners, directors or staff may enter into any correspondence or discussions with you regarding such matters.
We are not required to undertake work for the sole purpose of identifying suspicions of money laundering. We shall fulfil our obligations under the Proceeds of Crime Act 2002 in accordance with the guidance published by the Consultative Committee of Accountancy Bodies.
Acknowledgement and acceptance
We shall be grateful if you could confirm your agreement to these terms by signing the enclosed copy of this letter and returning it to us immediately.
We confirm that we have read and understood the contents of this letter and agree that they accurately reflect the services that we have instructed you to provide.
Signed: P TUSTAIN Dated: 18 May 2020
For and on behalf of the Board of Directors