Memo #21890

AICPA Issues Guidance for Auditors Performing Engagements Relating to Service Providers' Compliance Controls

October 24, 2007

TO: ACCOUNTING/TREASURERS MEMBERS No. 34-07
BROKER/DEALER ADVISORY COMMITTEE No. 68-07
COMPLIANCE MEMBERS No. 63-07
OPERATIONS MEMBERS No. 22-07
SEC RULES MEMBERS No. 141-07
TRANSFER AGENT ADVISORY COMMITTEE No. 76-07

RE: AICPA ISSUES GUIDANCE FOR AUDITORS PERFORMING ENGAGEMENTS RELATING TO SERVICE PROVIDERS' COMPLIANCE CONTROLS

 

The AICPA Auditing Standards Board recently released Statement of Position 07-2, Attestation Engagements That Address Specified Compliance Control Objectives and Related Controls at Entities That Provide Services to Investment Companies, Investment Advisers, or Other Service Providers (the “SOP”). [1]  The SOP provides guidance to auditors who examine and report on a service provider’s compliance controls.  The SOP enables auditors to report on the suitability of the design and operating effectiveness of a service provider’s controls in achieving specified compliance control objectives.

Background

Rule 38a-1 under the Investment Company Act requires funds to adopt and implement written procedures reasonably designed to prevent violations of the federal securities laws.  The rule requires the fund’s policies and procedures to provide for the oversight of compliance by the fund’s investment adviser, principal underwriter, administrator, and transfer agent.  Funds must review annually the adequacy of their service providers’ policies and procedures, as well as the effectiveness of their implementation.   The rule also requires designation of a CCO who must report to the board annually on the operation of the fund’s and its service provider’s policies and procedures.  The auditor’s report provided pursuant to the SOP may assist funds and their CCOs in satisfying the obligation to review and report on the adequacy of their service providers’ policies and procedures and the effectiveness of their implementation.

Engagement

Under the engagement, management of the service provider would be responsible for providing a written assertion that it has established controls that were suitably designed to provide reasonable assurance that specified compliance control objectives would be achieved and that those controls were operating with sufficient effectiveness to provide reasonable assurance that the specified compliance control objectives were achieved.  Management’s assertion regarding the suitability of design and the operating effectiveness of the controls would specify the “as of” date and the period covered.  Management of the service provider would also be responsible for providing a written description of the compliance control objectives and the related controls intended to ensure the objectives are achieved.

The auditor’s report would express an opinion on management’s assertion. In particular, the auditor’s report would state whether management’s assertion is fairly stated in all material respects based on the specified compliance control objectives.  Both i) management’s assertion, and ii) management’s description of the compliance control objectives and the related controls, would be provided to the fund and its CCO as part of the auditor’s report.  The auditor’s report would indicate that it was not engaged to report on the service provider’s compliance with the federal securities laws or its compliance with its contractual obligations to its clients.

The SOP includes: i) a sample auditor’s report; ii) a sample service provider assertion; and iii) sample compliance control objectives and descriptions of related controls.

Service Provider Responsibilities

Under the engagement, management of the service provider is responsible for:

  1. Specifying compliance control objectives and related controls that are relevant to the services provided to client organizations and their internal control over compliance with federal securities laws or elements thereof,
  2. Preparing and providing the auditor with a written description of the specified compliance control objectives and related controls,
  3. Preparing and providing the auditor with a written assertion regarding the suitability of the design and operating effectiveness of the controls in achieving the specified compliance control objectives; and,
  4. Preparing and providing the auditor with a representation letter that, among other things: i) acknowledges management’s responsibility for the suitability of the design and operating effectiveness of the controls in achieving the compliance control objectives; ii) discloses all deficiencies in the design or operation of the service provider’s internal control over compliance; and iii) discloses any instances of the service provider’s noncompliance with federal securities laws.

Auditor Responsibilities

The auditor is responsible for obtaining an understanding of the nature of the services provided and determining whether the specified compliance control objectives are relevant to the services provided.  The auditor must also obtain management’s description of the specified compliance control objectives and the related controls that are relevant to client organizations and their internal control over compliance with the federal securities laws.  The auditor must consider the linkage between the controls and the compliance control objectives, and the ability of the controls to prevent or detect errors.  The auditor must obtain sufficient evidence regarding the suitability of design and the operating effectiveness of the controls in achieving the compliance control objectives.  Evidence gathering procedures may include inquiry of appropriate personnel, observation of the application of controls, inspection of documents and reports, and tracing transactions through the applicable system.

Compliance Control Objectives

Since the federal securities laws encompass a significantly comprehensive set of obligations and responsibilities, the control objectives presented by management of the service provider would not normally include all conceivable compliance control objectives related to the federal securities laws.  The SOP indicates that in establishing compliance control objectives, management of the service provider should consider:

  1. The nature of the services provided to fund client organizations,
  2. The service provider’s contractual obligations to user organizations,
  3. The information and assurance needs of fund client organizations, including the relevancy of the compliance control objectives and related controls to the services provided to user organizations and their compliance and internal control over compliance with the federal securities laws; and,
  4. The compliance matters and areas identified by the SEC in its release adopting rule 38a-1 that are relevant to the services provided.

Service Provider’s Noncompliance with Federal Securities Laws

If during the performance of procedures at a service provider the auditor becomes aware of matters constituting noncompliance with the federal securities laws, the auditor should determine whether such information has been communicated to fund client organizations.  If the service provider has not communicated the information and is unwilling to do so, the auditor should inform management of the service provider and those charged with its governance.  If management of the service provider does not respond in an appropriate manner, the auditor should consider withdrawing from the engagement.

Agreed-Upon Procedures Engagements

The SOP also describes a separate type of engagement that does not result in the expression of an opinion on an assertion.  In an agreed-upon procedures engagement, the parties to the engagement (the specified parties) agree upon procedures to be performed.  The parties to the engagement assume responsibility for the sufficiency of the procedures performed for their own purposes.  The auditor’s report on agreed-upon procedures is in the form of procedures performed and findings.  Use of an agreed-upon procedures report is restricted to the specified parties that agree upon the procedures and accept responsibility for the sufficiency of the procedures.  The SOP indicates that the auditor may add a nonparticipant party as a specified party so long as that party agrees to the procedures performed and their sufficiency.

 

Gregory M. Smith
Director - Operations/Compliance & Fund Accounting

Endnotes

[1] Copies of the SOP may be purchased from the AICPA by calling 888-777-7077.