Financial Intermediary Controls And Compliance Assessment Engagements


Financial Intermediary Controls and Compliance Assessment Engagements 2014

Copyright 2014 by the Investment Company Institute. All rights reserved.

Financial Intermediary Controls and Compliance Assessment Engagements

Contents

I. Introduction ... 3
II. FICCA Matrix ... 7
»» Overview and Objective ... 7
»» Areas of Focus ... 8
»» FICCA Matrix Format ... 9
»» 17 Control Areas of Focus:
1. Management Reporting (Quality Control) ... 10
2. Risk Governance Program ... 10
3. Third-Party Oversight ... 11
4. Code of Ethics ... 12
5. Information Security Program ... 13
6. Anti–Money Laundering (AML) and the Prevention of Terrorist Financing ... 14
7. Document Retention and Recordkeeping ... 15
8. Security Master Setup and Maintenance ... 16
9. Transaction Processing—Financial and Nonfinancial (e.g., Account Setup and Maintenance) ... 17–18
10. Cash and Share Reconciliations ... 19
11. Lost and Missing Security Holders ... 20
12. Shareholder Communications ... 20
13. Subaccount Billing, Invoice Processing ... 21
14. Fee Calculations ... 22
15. Information Technology (Including Internet and VRU) ... 23
16. Business Continuity/Disaster Recovery ... 24
17. Blue Sky Reporting ... 25
III. Glossary of Terms ... 27
IV. Sample Report of Independent Accountants and Sample Management Assertion ... 31
»» Introduction ... 31
»» Sample Report of Independent Accountants ... 32
»» Sample Management Assertion ... 34
V. Mapping Template for Control Reports ... 35
VI. Internal Control Reporting Standards Reference Guide ... 37

I. Introduction

Financial intermediary relationships are complicated arrangements, demanding significant commitment from fund complexes for management and oversight. As regulatory initiatives continue to create new or expanded regulatory compliance requirements, and because many intermediaries have moved away from holding individual broker-controlled accounts on the books of fund companies in favor of aggregated “omnibus” accounts,[1] mutual fund complexes are challenging and continuing to enhance their oversight procedures to ensure that intermediaries are meeting their obligations.

Intermediary Oversight

Given the financial intermediary’s direct control over and knowledge of its customers’ fund positions, mutual fund oversight often includes monitoring certain intermediary activities to ensure adherence to mutual fund regulations, contractual obligations, and compliance with the terms of fund prospectuses and statements of additional information (SAIs).

Many fund sponsors have deployed policies and procedures to review the adequacy and effectiveness of an intermediary’s compliance controls, which may include onsite examinations, certifications, receipt of transparency data, review of analytics, and questionnaires. However, some of these methods can be duplicative and inefficient for intermediaries that have agreements with multiple fund complexes.

Increased Efficiency and Transparency

Recognizing the benefits of creating a standardized and efficient way for financial intermediaries to report on the effectiveness of their control environment, a working group of Investment Company Institute (ICI) member firms and representatives of the four national accounting firms developed the Financial Intermediary Controls and Compliance Assessment (FICCA) engagement framework in 2008.
The framework calls for the omnibus account recordkeeper to engage an independent accounting firm to assess its internal controls relating to specified activities the intermediary performs for its shareholder accounts. The FICCA engagement is performed under attestation standards issued by the American Institute of Certified Public Accountants (AICPA). The auditor’s report expresses an opinion on its evaluation of an intermediary’s assertion that it has established specified control objectives and related controls that were suitably designed and operating effectively. A sample report of independent accountants and a sample management assertion for this type of engagement are provided in Section IV.

A Flexible, Efficient Framework

The FICCA framework developed by the fund industry describes multiple areas of focus where fund sponsors are seeking assurances. These areas include document retention and recordkeeping, transaction processing, shareholder communications, privacy protection, and anti–money laundering, among other things. Details regarding the 17 areas of focus are documented on the FICCA “matrix” in Section II.

[1] Omnibus accounts are held in the name of the intermediary on a mutual fund transfer agent’s records. The intermediary maintains the underlying shareholder account information on its own recordkeeping systems—a process known as subaccounting—and reports share transactions to the funds on an aggregate basis. The intermediary handles all communications and servicing of its customer accounts. As a result, the underlying shareholders in an omnibus account do not directly interact with the fund organization, and the fund organization may have little, if any, knowledge or limited transparency about such underlying shareholders.

The scope of the auditor’s examination is intended to be flexible for the intermediary completing the engagement. The specific details of the engagement are agreed upon by the auditor and the intermediary firm. For example, if an omnibus firm has previously engaged an auditor to perform an examination under SSAE 16, Reporting on Controls at a Service Organization (formerly SAS 70) covering certain aspects of its operations, the FICCA assessment could be used to provide assurance on those areas not covered by the SSAE 16 report.[2] The intermediary also may provide the FICCA auditor’s report and other control reports to all of the funds it represents, thereby reducing the need for overlapping compliance reviews by each fund complex.

2014 FICCA Enhancements

Recognizing the value of this tool, many fund complexes have encouraged and requested FICCA reports from their significant intermediary partners. In response to these requests, several financial intermediaries (broker-dealer firms) conducted their first FICCA engagements and provided their reports to mutual fund transfer agents tasked with overseeing the financial intermediary’s activities. As the use of this oversight tool continued to expand, a working group of ICI member firms, representatives of the four national accounting firms, and financial intermediaries was formed and met throughout 2013 to review the 2008 FICCA framework. The review was conducted to enhance the performance of future engagements and improve the reports issued, in order to promote broader use by intermediaries and funds.
The objectives of the working group were to:
»» provide a forum to share experiences and develop a better understanding of the types of FICCA reports issued to date;
»» validate that the control areas defined in the 2008 version of the FICCA matrix were still current and appropriate to ensure that intermediaries are meeting their compliance and contractual obligations;
»» review and update the framework based on feedback provided;
»» streamline and improve the documentation where appropriate, in order to facilitate a better understanding of and more efficient control engagements.

The review of the FICCA framework by the working group culminated in a variety of enhancements that have been incorporated into the 2014 matrix document:
»» The “Overview and Objective” section of the matrix now includes definitions of key terms and states that each of the 17 control areas (labeled “Areas of Focus”) should be addressed on an annual basis as part of the financial intermediary’s controls and compliance assessment engagement.
»» A review of the 17 areas of focus resulted in two specific changes on the matrix. First, “Financial Viability” was removed because this topic is covered in the intermediary’s audited financial statements, not as part of a FICCA or SSAE 16 report. Second, “Blue Sky Reporting” was added as a new area of focus on the 2014 matrix.

[2] SSAE 16 reports, prepared in accordance with the AICPA’s Auditing Standards Board’s Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet the needs of the management of user entities and the user entities’ auditors, as they evaluate the effect of the controls at the service organization on the user entities’ financial statement assertions.

»» The column in the 2008 version of the matrix titled “Sample Control Objectives” was renamed “Management Description or Controls Testing” and now also indicates whether each area of focus should be subject to controls testing or covered in a management narrative.
»» The “Management Description or Controls Testing” and “Points to Consider” for the areas of focus were streamlined where appropriate to facilitate a more efficient engagement process for intermediaries and audit firms.
»» Language was added to the “Points to Consider” section of the matrix to clarify that the points provided are not intended to be a checklist or comprehensive listing of all relevant factors that may be considered for each control environment or engagement.

Importantly, a key goal of the working group was to preserve flexibility for intermediaries when providing funds’ independent assessments of the 17 control areas defined in the matrix. Because intermediaries may complete other attest engagements (such as an SSAE 16) in which certain controls defined on the matrix are already tested, the working group agreed that intermediaries should not be required to have independent audit firms perform duplicate testing or reporting.
Consistent with the 2008 FICCA framework, an intermediary may provide multiple reports that cover the 17 controls defined in the matrix through either a combination of a FICCA report and other control report (e.g., SSAE 16) or through an all-inclusive FICCA report.

Additional Materials to Assist Industry Participants

The working group also developed the following new materials, which have been incorporated into the FICCA document, to further aid the understanding and efficiency of FICCA engagements:
»» A Glossary of Terms for the FICCA matrix (see Section III)
»» A Sample Report of Independent Accountants and a Sample Management Assertion typically provided for a FICCA engagement (see Section IV)
»» A FICCA Mapping Template for Control Reports that can be used by intermediaries to assist fund sponsors in determining where the 17 control areas defined in the FICCA matrix are covered, either as part of the FICCA report, the SSAE 16 (Type 2) service organization controls report, or a third-party vendor’s SSAE 16 (Type 2) report (see Section V)
»» An Internal Control Reporting Standards Reference Guide that provides information on the types of audit standards that may be used to conduct control engagements, including the compliance attestation and SSAE 16 reporting standards (see Section VI)

For More Information About the FICCA

Fund, intermediary, or audit firm representatives who are interested in learning more about the documentation should contact Kathleen Joaquin, ICI Chief Industry Operations Officer, at kjoaquin@ici.org or 202-326-5930; Marty Burns, ICI Senior Director of Operations and Distribution, at mburns@ici.org or 202-326-5980; or Greg Smith, ICI Senior Director of Fund Accounting, at smith@ici.org or 202-326-5851.

Audit firm contacts:
Barry Benjamin, PricewaterhouseCoopers: barry.p.benjamin@us.pwc.com
Kristina Davis, Deloitte & Touche: kbdavis@deloitte.com
Alan Fish, Ernst & Young: alan.fish@ey.com
Robert Wolf, KPMG: rkwolf@kpmg.com

II. FICCA Matrix

Overview and Objective

The Financial Intermediary Controls and Compliance Assessment (FICCA) matrix document is intended to provide guidance to financial intermediaries that engage independent accountants to report on their control and compliance environments and to mutual fund complexes that will use these auditor reports as part of their ongoing due diligence programs.

Terms used in the FICCA matrix are defined as follows:
»» Client—Refers to the user organization of the financial intermediary (typically the fund complex).
»» Company—Refers to the financial intermediary organization.
»» Third-Party Vendor SSAE 16 Report—Controls report issued by a third-party vendor providing services to the financial services intermediary organization. The report may address certain key functions, which are defined as areas of focus in the FICCA matrix (e.g., subaccount billing, invoice processing).
»» Control Objectives—Included in the detailed testing section of a controls report; testing of operating effectiveness is required on Control Objectives.
»» Management Description—Statements made by the financial intermediary organization that are included in the description of controls section in an SSAE 16 report, management’s assertion in a FICCA report performed under the AT101 standard, or an unaudited section in either report. Operating effectiveness testing is not required on these topics.
»» SSAE 16—Auditing Standards Board of the American Institute of Certified Public Accountants’ (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.

A more detailed glossary of terms used in the FICCA matrix is provided in Section III.

Areas of Focus

Each of the areas of focus described in the matrix as listed below should be addressed on an annual basis as part of the financial intermediary’s controls and compliance engagements. This includes having an independent auditor test the operating effectiveness of controls as well as providing additional documentation to the fund complex to describe the policies, procedures, and controls that are in place for areas of focus that do not require formal operating effectiveness testing.

The matrix identifies whether each focus area might be covered in a FICCA report or an SSAE 16 report. The financial intermediary and its audit firm may use the Mapping Template for Control Reports provided in Section V to indicate where the recommended audit coverage can be found.

1. Management Reporting (Quality Control)
2. Risk Governance Program
3. Third-Party Oversight
4. Code of Ethics
5. Information Security Program
6. Anti–Money Laundering (AML) and the Prevention of Terrorist Financing
7. Document Retention and Recordkeeping
8. Security Master Setup and Maintenance
9. Transaction Processing—Financial and Nonfinancial (e.g., Account Setup and Maintenance)
10. Cash and Share Reconciliations
11. Lost and Missing Security Holders
12. Shareholder Communications
13. Subaccount Billing, Invoice Processing
14. Fee Calculations
15. Information Technology (Including Internet and VRU)
16. Business Continuity/Disaster Recovery
17. Blue Sky Reporting

FICCA Matrix Format

The FICCA matrix is organized in a table, and heading definitions are as follows:

Area of Focus: Description of the Area of Focus.

Reporting Mechanism: The method used to describe the control environment and results of any testing performed. The table has three columns under this heading: Financial Intermediary SSAE 16 Report, Financial Intermediary FICCA Report, and Third-Party Vendor SSAE 16 Report. Options include reports prepared pursuant to:
»» SSAE 16, Reporting on Controls at a Service Organization (formerly SAS 70) (“Client SSAE 16 Report”);
»» Statement of Position 07-2 Attestation Engagements That Address Specified Compliance Control Objectives and Related Controls at Entities That Provide Services to Investment Companies, Investment Advisers, or Other Service Providers (“Client FICCA Report”); and
»» Controls performed by third parties where a separate controls report exists (“Third-Party Vendor SSAE 16 Report”).

Management Description or Controls Testing:
Controls Testing: Performance of controls testing by the independent auditor to determine if the controls described are suitably designed and operating effectively.
Management Description: Company statements included in the description of controls section in an SSAE 16 report, management’s assertion in a FICCA report performed under the AT101 standard, or an unaudited section in either report.

Points to Consider: Suggested points for consideration when describing the procedures and controls for Areas of Focus. The points captured are a summary of the principal inquiries that fund sponsors have regarding the Areas of Focus and should be tailored based on the intermediary’s actual operations. It is not intended to be a checklist or a comprehensive listing of all relevant factors that may exist in each control environment or arrangement.

FICCA Matrix: 17 Control Areas of Focus

1) Management Reporting (Quality Control)
Reporting Mechanism: X
Management Description or Controls Testing: Management Description
Points to Consider: Describe the overall oversight program and escalation procedures that support the quality assurance process, including the general tools and processes that are used by management to ensure quality and allow management to “review” the organization.

2) Risk Governance Program
Reporting Mechanism: X
Management Description or Controls Testing: Management Description
Points to Consider: Describe the following:
»» Overview of the company;
»» Identification of key business processes;
»» Management oversight and controls;
»» Responsibilities for risk governance and internal control;
»» Legal and compliance responsibilities;
»» Information technology;
»» Use of subservice organizations; and,
»» Other considerations for users of the report (e.g., control activities that should be present at user organizations).
Other considerations include a description of the company’s:
»» Risk assessment process;
»» Documentation of the risk assessment process; and,
»» Senior management and/or board review and approval.

3) Third-Party Oversight
Management Description or Controls Testing: Management Description
Points to Consider: Describe the following:
»» Whether or not the company uses subservice providers or subcontractors;
»» The primary partners or subcontractors;
»» Location: onsite, offsite, offshore;
»» Employee background checks;
»» Compliance awareness training;
»» Assessment process for subservice providers’ or subcontractors’ business continuity/disaster recovery plans;
»» The company’s policy/practice related to subcontractors:
 How long has this been a practice;
 Communication protocols;
 The conditions under which subcontractors are used;
 How subcontractors are trained and held to the company’s standards (e.g., privacy protection); and
 Whether the subcontractor has a SSAE 16 report or other form of external oversight report. If not, how the company gains comfort with the subcontractor’s control environment.

4) Code of Ethics
Reporting Mechanism: X
Management Description or Controls Testing: Controls provide reasonable assurance that the company’s Code of Ethics has been:
»» Formally documented;
»» Approved by the board (or other appropriate governing body);
»» Communicated to, and acknowledged by, employees in a timely manner;
»» Monitored by the compliance department (or other similar internal organization); and,
»» Designed to identify, research, and report exceptions, and that any resolution is documented in a timely manner.
Points to Consider: The company should have a Code of Ethics that contains provisions in accordance with applicable regulatory requirements.

5) Information Security Program
Management Description or Controls Testing: Controls provide reasonable assurance that the company’s Information Security Program has been:
»» Formally documented;
»» Approved by the board (or other appropriate governing body);
»» Communicated to, and acknowledged by, employees in a timely manner;
»» Monitored by the compliance department (or other similar internal organization); and,
»» Designed to identify, research, and report exceptions, and that any resolution is documented in a timely manner.
Points to Consider: The company should have an information security policy that contains provisions such as:
»» Definition of proprietary, nonpublic, or confidential information;
»» Formal response program for incidents of unauthorized access to, or use of, information;
»» Company’s approach to privacy as it relates to its operations;
»» Laptop or portable device security, and
»» Impact on, and applicability to, third parties (subcontractors).
Controls should address the process for:
»» Monitoring compliance with applicable laws and regulations, and
»» Employee awareness and/or training.

6) Anti–Money Laundering (AML) and the Prevention of Terrorist Financing
Management Description or Controls Testing: Controls provide reasonable assurance that the company’s Anti–Money Laundering and Terrorist Financing Prevention Policy has been:
»» Formally documented;
»» Approved by the board (or other appropriate governing body);
»» Communicated to, and acknowledged by, employees in a timely manner;
»» Monitored by the compliance department (or other similar internal organization); and
»» Designed to identify, research, and report exceptions, and that any resolution is documented in a timely manner.
Points to Consider: The company should have an Anti–Money Laundering (AML)/Prevention of Terrorist Financing Policy that contains provisions in accordance with applicable regulatory requirements and following the globally recognized four principles for compliance risk management and oversight:
»» Firm-wide approach to BSA/AML/OFAC compliance risk management and oversight;
»» Independence of compliance staff;
»» Compliance monitoring and testing; and
»» Board and senior management responsibilities for compliance risk management and oversight.

7) Document Retention and Recordkeeping
Management Description or Controls Testing: Controls provide reasonable assurance that the company’s Document Retention and Recordkeeping Guidelines have been:
»» Formally documented;
»» Approved by the board (or other appropriate governing body);
»» Communicated to employees in a timely manner;
»» Monitored by the compliance department (or other similar internal organization); and
»» Designed to identify, research, and report exceptions, and that any resolution is documented in a timely manner.
Points to Consider: The company should have a Document Retention and Recordkeeping Policy that contains provisions in accordance with applicable regulatory requirements. For example:
»» Time periods for retention of documents;
»» Document destruction protocols;
»» Tracking of changes to documents and the prevention of unintended alterations to records; and,
»» Provisions to put a “hold” on the records.
Controls should address the process for:
»» How historical accounting records (since inception) are retained;
»» Document destruction practices;
»» Tracking of changes to documents and the prevention of unintended alterations to records;
»» The location of records: image system, microfilm, boxes, etc.; and
»» Subcontractor/vendor compliance.

8) Security Master Setup and Maintenance
Management Description or Controls Testing: Controls provide reasonable assurance that new mutual funds and changes to existing funds are authorized and entered in the security master file in a complete, accurate, and timely manner.
Points to Consider: Controls should address the process for:
»» Setting up and modifying key fund data that is maintained in the security master file (e.g., new funds, changes to prospectus and fund policies);
»» Reviewing the setup and maintenance activity to ensure it was authorized and performed completely and accurately;
»» Monitoring and escalation process to notify client (fund complex) management of those matters that require judgment (exceptions and/or overrides); and
»» Oversight of subservice providers (e.g., user control considerations at subaccounting platforms where these controls may be performed).

9) Transaction Processing—Financial and Nonfinancial (e.g., Account Setup and Maintenance)
Management Description or Controls Testing: Financial: Controls provide reasonable assurance that:
»» Specified transactions and adjustments, including as-of transactions, are authorized, processed accurately and timely, and are effected at the proper share price;
»» Specified transactions meet requirements contained in mutual fund prospectuses and statements of additional information governing shareholder transactions;
»» Dividends and capital gain distributions are recorded and paid or reinvested, based on authorized amounts, in an accurate and timely manner.
Points to Consider: Financial: Controls should address the process for:
»» Transactions received through various communication channels (e.g., phone, fax, Internet, mail);
»» Mid-month account closeout (how investor accounts are credited with dividends);
»» Executing transactions in accordance with prospectus and regulatory requirements (including exception identification, escalation, and resolution). Examples include, but are not limited to:
 Market timing monitoring,
 Fund-initiated events (e.g., gains, divs, NAVs),
 Customer-initiated trades (e.g., buy, sell, exchange), and
 Corrective processing (as-of activity).
»» Compensation activity (e.g., 12b-1s, commissions, CSDC, redemption fees); and
»» Oversight of subservice providers (e.g., user control considerations at subaccounting platforms where these controls may be performed).
