A traditional audit focuses only on the financial accounting and reporting aspects of an organization. It looks at how business transactions are processed and recorded in the accounting system, weighs regulations and examines whether a company’s financial statements represent a true and fair view of a company’s financial situation. In short, it focuses on accounting and financial reporting of the business. It doesn’t examine the business processes themselves. For example, an audit of a car manufacturer would opine on its financial situation and not on whether the manufacturer produces good cars. This is why a controls report is critical. It reviews areas that a traditional financial audit does not address.
With the general trend towards outsourcing operations, especially in the area of financial services, internal controls (and reviews of those controls) are increasingly important. In addition, the financial crisis has greatly increased the focus on the internal processes employed by asset managers and financial service organizations from both regulators and institutional investors.
For many institutional investors, understanding the internal controls at an asset management firm or investee fund will form a component part of their due diligence. This is especially true with respect to alternative fund managers, which were subject to less regulation and oversight and therefore have historically been less transparent in terms of their investment process and operations. Demonstrating the credibility and quality of services being offered has, therefore, never been more important.
The typical scope of the controls report addresses many different areas. The primary and overarching duty of any organisation is to ensure strict adherence to the client’s investment objectives, including the selection and monitoring of third-party managers and investee funds; this will therefore form a key part of the controls report. Other important areas that the auditor will review include: execution and “settlement”; portfolio positions valuation and reconciliations; investment and performance reporting; proper calculation of management and performance fees as well as critical IT processes and data security.
With the proliferation of technology systems to manage various processes, data security is an increasing concern. Ensuring a firm can demonstrate the strength of the security governing the data it holds is therefore vitally important and will become ever more so as the breadth and complexity of these systems grow.
Control phase
The controls report examination will typically consist of four phases.
During the first phase, the scope of the controls report is determined on the basis of contractual obligations of the service organisation towards its clients and a “gap analysis” conducted which examines expected controls against existing controls.
To understand the controls in place, the auditor will conduct a review of standard contracts with user organisations to gain an understanding of the firm’s contractual obligations. It will also review the organizational structure, including segregation of functional responsibilities, policy statements, personnel policies and procedure manuals.
While the controls review focuses on processes that are often technical and legal in nature, it cannot rely solely on an examination of paperwork. A significant amount of the review involves face-to-face discussions between the auditor, management and other relevant personnel at the organization. This can include an observation of the firm’s personnel in the performance of their assigned procedures and a walk-through of selected processes and controls.
The last stage of phase one involves the auditor developing recommendations for any identified gaps in the controls process.
In the second phase, the recommendations developed in phase one are implemented to eliminate any gaps in the process. This could result in additional controls being put in place, an improvement of the controls documentation or a modification of how the controls are designed. A description of the controls will be prepared and the potential for a Type I report to be issued will exist.
Phases three and four are the lengthiest parts of the process. These phases involve generating a report detailing the track record of the suggested controls and then testing these controls in terms of their operating effectiveness. During phase four, feedback will be provided and further recommendations for control modifications can be made. The final stage is the representation letter and management assertion, followed by the issuance of the Type II report.
The trend of outsourcing management services in the financial services sector has grown strongly in recent years, resulting in more choice than ever for investors.
As in any marketplace, with increased choice comes increased opportunities for good and bad practice. Caveat emptor applies just as keenly in financial services as in any other sector. As a result, ensuring early and full compliance with the most up-to-date international transparency, governance, regulatory and accounting standards has become crucial to win trust and generate new business. Whereas previously a “nice to have,” demonstrating a strong internal control process through an independent verification process is increasingly a “must have” for any serious asset manager. It demonstrates a commitment on the part of the manager to ensuring clients receive best-practice service levels and Type II certification can be a crucial differentiator in a crowded market.
A controls report enables investors to have confidence in the asset manager to whom they have entrusted their capital. An asset manager with these controls in place demonstrates to an investor they are willing to allocate the necessary resource to ensuring the best service.
The financial crisis spurred calls for increased transparency across financial services, including the alternative asset management industry. A firm compliant with ISAE 3402 standards will produce improved reporting for investors and help satisfy these transparency demands. It is an effective operational risk management element and helps promote the organisation’s risk culture.
For institutional investors, ensuring a prospective asset manager has the right controls in place is a key element of due diligence and has its own unique benefits. An institutional investor is likely to increase its own due diligence effectiveness and efficiency by including the prospective asset managers’ controls process in its due diligence. It may reveal gaps or throw up questions that had not been previously asked or simply confirm statements previously made.
Investors, such as pension funds, are subject to audits themselves. Their auditor will have to review the internal controls around the outsourced operations such as investment management. If the asset manager provides a Type II ISAE 3402 controls report, the auditor of the investor can place reliance on it, which helps facilitate the audit process and increases confidence.
Improvement and benchmarking
The purpose of an ISAE 3402 is not limited to the auditor finding the asset manager to have a faultless process or detecting any deviations. A successful audit should actually reveal areas for improvement in a manager’s internal control process. The controls report should improve the internal process by challenging the asset manager to continuously take proactive steps to ensure best practice processes are in place. A controls report forces an organisation to constantly reflect on its processes and ask what could be done differently. The most committed firms do not view a controls report as a “one-off”exercise but an evolving process throughout the year – a real learning opportunity.
Regular dialogue with the auditor is important. It provides an organization with the ability to benchmark – in an informal way – its controls performance against its peers by asking questions and keeping abreast of industry developments. An investment manager with Type II certification will have plugged any gaps in the process that might previously have existed and the most committed are also looking for these gaps on a regular basis. The controls report also provides investors with the ability to benchmark prospective asset managers and make the best-informed allocation decision possible. As a matter of fact, great processes and effective controls have a significant positive impact on investment performance.
Type I or Type II?
Under the International Standards for Assurance Engagements 3402, auditor reports are classified as either Type I or Type II.
In a Type I report, the auditor evaluates the design and existence of internal controls within a service organization at the specific reporting date and their description in the ISAE 3402 internal controls report.
A Type II report includes the same information, but it also examines the operating effectiveness of controls during a specific time period.
The difference between Type I and Type II reports can therefore be compared to that between a snapshot and a movie. Achieving Type II certification is far more valuable than simply obtaining Type I as it demonstrates a firm is applying its standards, not just paying lip-service to them.
One change to a Type II report is that the auditor also gives its opinion on the suitability of design of controls throughout the entire period under review, as opposed to at a specific date.
This is an extract from The Private Equity CFO & CTO Digest, available from PEI Media’s bookstore at www.privateequityinternational.com/bookstore
If you do not receive this within five minutes, please try to sign in again. If the problem persists, please email: