In today’s interdependent marketplace, it’s up to fund families to evaluate the compliance controls of their various vendors and service providers. Given the number of service providers a fund typically employs, the scale and complexity of these obligations become clear…
How did the industry arrive at this point and what options exist for fund complexes to perform effective third-party oversight? Let’s take a closer look at the industry’s outsourcing trend, regulations, compliance challenges, and how fund companies can build resilient oversight programs through consistent, high-quality audit report review.
Compliance Realities of Outsourcing
Outsourcing is an essential and natural part of mutual fund operations, where certain processes are almost universally performed by third parties. There are three main factors driving this reliance on outsourcing in the asset management world:
- Certain activities are necessarily performed by specially-regulated or independent entities
- Any activity not perceived as fundamental to the fund’s core investment performance can be a candidate for outsourcing to a specialized service provider
- Back-office operations can become cost centers, and thus a logical choice for outsourcing if the responsibility can be more economically undertaken by a third party
As such, fund companies routinely employ service providers for a number of key functions (e.g. transfer agency, custody, fund accounting, pricing, and literature fulfillment). Funds may also work with a service provider for functions commonly outsourced across industries, such as web hosting and human resources.
Regardless of whether an operation is outsourced, responsibility for performance and risk (reputational, financial, regulatory, etc.) remains substantially with the fund. That’s why it’s imperative for funds to create or refine oversight programs to ensure the compliance of these outsourced operations — particularly as the regulatory landscape continues to evolve.
The Regulatory Imperative of Oversight
The growing scale of outsourcing in asset management has impacts down the line for oversight of service provider operations. There is essentially a like-for-like relationship between outsourcing and oversight: That is, as funds outsource more and more activities, their oversight obligations similarly increase.
While a general fiduciary and reputational imperative has always existed for third-party oversight, the SEC’s Compliance Rule of 2004 formalized the requirements and regulatory expectations for appropriately monitoring outsourced operations. As part of that rule, funds are required to adopt, implement, and annually review policies and procedures designed to prevent violations of federal securities laws – including the prevention of securities law violations in operations performed by a third party.
Specifically, Rule 38a-1 requires that “[a fund’s] procedures must provide for the oversight of compliance by the fund’s advisers, principal underwriters, administrators and transfer agents (collectively, ‘service providers’) through which the fund conducts its activities.” Importantly, the SEC noted that while it uses the term “service provider” in relation to the aforementioned provider types, the textual limitation of the term does not lessen the fund’s obligation to oversee other service provider types, such as pricing agents and custodians.
Challenges to Effective, Efficient Third-Party Oversight
Funds have had years to adjust to Rule 38a-1, but as budgets shrink and oversight obligations grow, they can be caught in a compliance conundrum. This dilemma presents some notable, practical challenges for mutual funds in meeting their third-party oversight obligations.
Increasing External Reliances
As previously mentioned, there are a number of reasons why fund companies typically work with a plethora of service providers. While outsourcing allows funds to more efficiently focus on the asset management strategies that differentiate them from peers, this necessarily heightens the importance of establishing a strong third-party oversight and compliance program.
The challenge is securing the time, money, and personnel to effectively oversee a wide and diverse network of service provider control environments. While some funds may have the scale and resources to do this, it can come at a high price. Other funds may be at risk of exhausting resources in pursuit of effective oversight, potentially to the detriment of core fund operations.
Looking at the other side of the coin, many service providers are almost industry utilities in that they support the day-to-day operations of hundreds of funds. Being responsive to each fund’s oversight demands can be extremely burdensome and may result in a reluctance to accommodate unique requests for compliance information. This means any single fund family’s ability to really “dig into” the compliance and operations of a service provider is largely restricted.
Site Visits, Questionnaires, and Attestations/Certifications
What options are available to a fund for overseeing the operations of their third-party providers? In the next section we’ll address why audit reports are at the center of effective oversight, but first let’s examine three common alternatives (which can be used in combination):
- On-site visits to examine a third party’s operational controls
- Due diligence questionnaires (DDQs) to inquire about a third party’s controls
- Attestations/certifications from the third party about their controls
Each of these tools can be effective for conducting service provider oversight, yet each also has downsides. For example, on-site visits are resource-intensive, and regardless of the strength of the relationship, a fund won’t be given access to perform tests of operational effectiveness and “kick the tires” in the same way that an independent auditor is permitted to as part of an examination engagement.
Questionnaires are popular, but responding to fund-specific requests can require significant time and resources from the third party. As a result, response rates and quality may vary depending on the dynamics of the service provider relationship (e.g. a large industry vendor may be less likely to accommodate the individual questionnaire demands of hundreds of clients). When service providers are willing to respond to unique questionnaires, answers can be incomplete or vague because they may not be drafted and proofed for widespread dissemination. In the absence of any other reporting, though, questionnaires can provide useful feedback.
Attestations and certifications are usually clear and comprehensive enough for distribution to a wide audience. However, they’re typically limited to providing assurance around a single issue (e.g. an Anti-Money Laundering certificate). At best, attestations and certifications can supplement areas of concern that aren’t addressed in the audit report.
Audit Reports as the Foundation of Effective Oversight
For fund families, audit reports offer advantages in the exact areas where the aforementioned methods fall short, namely in their efficiency, economy, specificity, and reliability. While those other tools can serve as a secondary or supplemental element of understanding and gaining comfort with an outsourced operation, they cannot match the advantages of audit reports as the primary and initial means of oversight.
Independent Nature
On-site visits, questionnaires, and attestations inherently rely on the fund or service provider’s judgment. Audit reports, on the other hand, describe the service provider’s control environment from an independent auditor’s perspective.
It’s the independence and reliability (as well as the professional drafting and clear scope of coverage) that truly set audited control reports apart as the most dependable means of conducting third-party oversight and establishing a well-structured program.
Regulatory Backing
Because of this independent nature, the SEC backs audit reports as the primary oversight mechanism. In recognizing that complexes may be hard-pressed to directly oversee each provider, Rule 38a-1 states that a fund is considered to satisfy its regulatory requirements “if the fund uses a third-party report on the service provider’s procedures instead of the procedures themselves.”
The Commission goes on to note that “the third-party report must describe the service provider’s compliance program as it relates to the types of services provided to the fund, discuss the types of compliance risks material to the fund, and assess the adequacy of the service provider’s compliance controls.”
Benefits to Service Providers
Audit reports are to the advantage of both the service provider and the fund company user organization. While it can be expensive and time-consuming for a service provider to engage an audit firm to examine their operational controls, there are significant benefits:
- An examination engagement is an acceptable means of allowing someone to come into their shop and actually test operations, a permissiveness that would be unthinkable to extend even to the closest vendor/client relationships. It is acceptable because the auditor is not a client and is entirely disinterested/impartial
- These engagements culminate in a report that will comprehensively address their operations and should be acceptable to all users of their services. The desired result is that they won’t need to respond to individual oversight requests
A Better Way to Review Audit Reports
For the noted reasons, it’s clear that audit reports are the gold standard for service provider oversight. Looking deeply into each document should give fund families invaluable comfort in knowing their third parties have accurate, suitably designed, and effective controls to carry out the contracted services.
That said, funds may not have the time or expertise to review audit reports beyond topline exceptions and qualified opinions. Capturing control data, analyzing findings, and drawing conclusions from each report can be especially difficult to do consistently for numerous reports and over long periods of time. The same resource, time, and cost limitations that can impair general oversight efforts may afflict audit report review.
This is where NQR steps in. When partnering with NQR, fund families can gain access to specialized services for reviewing audit reports so they can leverage detailed insights for compliance operations and oversight.
The NQR Review Team averages over 20 years of industry experience in audit, operations, and compliance/legal, assessing hundreds of audited documents each year. Leveraging our trained professionals allows funds to focus on the priority areas for their own businesses instead of the time-consuming, manual review of audit reports. Most importantly, funds benefit from consistency and granular detail in review when working with NQR:
- Our team maps 100% of report content to standardized control frameworks so funds have a consistent lens through which to assess individual control environments. This also allows for point-by-point comparisons across service providers
- Our review frameworks capture report content in both general control areas (e.g. business continuity and risk governance) as well as service-specific controls that are unique to particular services, such as transaction processing, share pricing, and fund distributions for transfer agents
- Our online platform categorizes every control detail so you can filter and focus on the areas applicable to your specific oversight responsibilities
Oversight Solutions Trusted by the Industry
Mutual fund companies face dual headwinds when it comes to achieving service provider compliance, driven both by increased oversight responsibilities and by budget strains forcing that oversight to become more efficient.
While reviewing audit reports is only one piece of the oversight puzzle, it’s a critical, cost-effective one. And given the stakes, an experienced and specialized partner to review reports can provide funds with the necessary expertise and bandwidth to:
- Pinpoint relevant exceptions and gaps
- Target follow-up to high-priority controls
- Understand dependencies on fourth-party providers
- Map user entity controls to internal documentation
- Reduce duplication and redundancy across divisions
- Streamline Board reporting
- And much more
Want to learn more about NQR’s audit report review services? Contact us today.