This article originally appeared in the April 2010 Private Equity Manager Monthly, a monthly printer-friendly publication delivered to subscribers to Private Equity Manager.
SAS 70 has been called “the mother of all audits”, for good reason. Its costs in both time and money have made it a rarity in the private equity industry, but that may be changing, particularly for funds of funds. Last year both HarbourVest and Capital Dynamics completed the audit, which is essentially a third-party audit of an organisation’s internal controls, particularly regarding those parts of the organisation that have custody of client assets or information.
Both firms were recently joined by private equity fund of funds manager Adveq, which successfully passed a SAS 70 Type II examination administered by PricewaterhouseCoopers earlier this year. While a Type I report verifies that controls are in place as of a certain date, a more rigorous SAS 70 Type II examination covers a firm’s investment management, fund administration and information technology practices. Such examinations can last up to six months and cost up to $100,000 each.
Philippe Bucher, managing director and chief financial officer for Adveq, talked to Private Equity Manager about his firm’s experiences in going through such a rigorous audit and what others who plan to do the same should expect:
 |
| Bucher: LP |
PB: Type I you basically have it on paper and it is a snapshot. I believe the true value comes from Type II, because it is more difficult. Writing down what you do is one thing, the other is ensuring that your whole company lives and acts according to what you have written down for Type I over a period of time, day to day, across time zones and offices and cultures. Type II is far more complex and Type I is just a starting point.
In terms of preparation work, one important element about SAS 70 is what scope you have covered. There is no predefined scope when it comes to SAS 70. Basically what SAS 70 is is you put down in writing what you do and the auditors come and check whether you follow that. We basically had three dimensions, the first being investment management processes. And within that we had four basic processes: portfolio buildup and investment strategy implementation, the fund evaluation selection process, then the fund subscription in underlying funds and then obviously investment controlling and monitoring.
The second aspect, and this is becoming more and more important with all the media coverage of things like Madoff, is the fund administration process. Because the risk very often is in the cash flows, meaning in our terms, capital calls and distributions and evaluation of investments. So there is where you can lose a lot of money. And the obviously as a basis for everything a company does, the information technology processes are important, because in everything we do – especially in this virtual organisation where we have many offices – the backbone is IT.
So system overview charts are especially important in IT, process charts are important for all of the three areas mentioned, as well as monitoring reports, additional evidence that can be audited. Auditors can only certify things that they see, which means for instance fund administration manuals on capital calls; overviews of key controls and risk maps; flow charts of processes and copies of evidence like approvals, review reports, selected transactions, investment recommendations. This is basically what you provide once the auditors come in.
Type I is quicker because the auditors come in, look at the paperwork, and then make their opinion. On Type II they have to do samples, they select different investment recommendations, select out of thousands of capital calls maybe 10 or 20 in different periods and offices. So for them it is much more work since they try to cover the last six months of compliance.
PEM: What caused you to undertake this audit process, were you getting requests from clients?
PB: The main driver for our decision in the summer of 2008 to do the audit was to strive to provide our sophisticated clients with high-quality services across all our global operations. We are operating out of offices in New York, Frankfurt, Zurich and Beijing and have a representative office in Sidney. And it is really important for us to stay at the forefront of best practice industry standards when it comes to increasing the trust level of our clients. This is what we wanted to do, to really increase the trust level especially during difficult times in the last 12 months, and it’s all about trust and third-party validation.
[SAS 70] has been around for years and years, and in the traditional asset world it is very common, but in the alternative asset world it has not had much success until recently, where a lot of clients mainly based in the US, UK and Nordic regions are more and more asking for the normal traditional asset class type of things.
PEM: What were some of the biggest cost burdens you encountered during the process?
PB: In my opinion, the external costs are low in terms of the benefits. The harder part is the internal efforts in terms of time, and especially documentation time and then walking through the auditors through how it works. They come in and if you are global they come in at the same time. So it is a time challenge and you have to walk them through these processes, which very often are also cross-functional.
The other thing is really working on the “expectation gap”, because the auditors have a clear expectation about what they will want to see. So for us it was very important to do a test run before we actually had the final audit to really make sure we had alignment and an efficient audit process. Small things which also make it difficult include communication between the auditors, because they have to communicate worldwide as well and then with us. And a lot of fund managers in the private equity world don’t have SAS 70 compliance yet, and some of the smaller fund managers do not fulfill some of the requirements as stated, so it is difficult to have these control points tracked. For instance, we provide our investors with quarterly reports, but some of the underlying funds just report semi-annually.
Otherwise, it is a long-term process, but it’s not rocket science. Every company that is somehow committed to best practices can achieve it, but it’s really a question of commitment.
PEM: As more investors start demanding higher levels of transparency and controls, what should firms consider before embarking on a SAS 70 audit?
PB: I think that going forward the demand from investors will increase more and more. A lot of firms are also looking at this rigorous third-party oversight. Foremost is that you have to have a clear commitment by the management department heads, because it takes up so much internal resources. Obviously in fund administration, they have their peak during the audit season or reporting time, whereas the investment management personnel have all the peaks. So it is difficult to balance the needs of these departments.
For the audits, especially on Type II, I would highly recommend conducting a test audit at the very beginning of the reporting period. So you make sure the processes and the evidence to achieve the key controls of the processes are fulfilled. And that is basically managing the expectation gap in advance of what, in our case, PricewaterhouseCoopers wanted to see. Also, if you are not a one-office firm, communication can be a challenge as well.
If you do not receive this within five minutes, please try to sign in again. If the problem persists, please email: