A transfer agent’s clients rely on special systems and procedures to process and store sensitive data. Special attention must be paid to security, reliability and scalability in outsourced transfer agent solutions. This means creating and maintaining a complete set of security procedures and processes to protect and secure client data. The SSAE 19 / System and Organization Controls 1 (SOC 1), Type II audit is a protocol designed to provide assurance of the highest security and controls environment of service organizations, such as transfer agents, involved in financial reporting.
SOC 1, Type II is an annual certification audit conducted by an independent auditor of all transfer agent processes that assesses procedures, private cloud hosting, application development and data security.
SOC 1 Type II Certification
The SOC 1, Type II certification confirms that a firm has the necessary internal security and availability policies and processes in place for transfer agent processes. This greatly reduces operational risk for clients and ensures that their information is kept safe. Companies such as transfer agents that are expected to comply with regulatory financial reporting standards such as Sarbanes-Oxley (SOX), particularly those that provide financial services, use the SOC 1, Type II audit to demonstrate compliance with internal financial reporting controls.
There are several government legislative requirements that apply to financial services organizations including:
- The Sarbanes-Oxley Act (SOX)
- The Gramm-Leach-Bliley Act (GLBA)
- The Health Insurance Portability and Accountability Act (HIPAA)
These pieces of legislation mandate that companies audit their suppliers’ internal controls, including those who supply technology services. Many investment fund sponsors require a SOC 1, Type II audit of their transfer agent and/or investor services provider.
Obtaining a SOC 1 Type II Certification Report from Your Transfer Agent Provider
The SOC 1, Type II audit is very pertinent to the transfer agent and investor services functions for alternative fund sponsors. Not all financial services businesses are subject to these standards. Those that are accept the SOC audit as a part of doing business. Many transfer agent firms are not subject to these standards but submit to the annual audit as validation of the security of their systems and controls. Many prospective fund clients require the completion of a SOC audit as part of their due diligence in considering a transfer agent partner.
The American Institute of Certified Public Accountants (AICPA) restricts the dissemination of the SOC 1, Type II report. However, transfer agent clients can obtain a copy of the report from their provider upon signing a non-disclosure agreement.
Processes Examined in a SOC 1 Type II Audit
The audit’s scope is broad, encompassing all transfer agent processes, and takes significant time and effort to complete. The following control areas with regard to transfer agent services are examined by the independent auditor:
- Administration and Organization
- Human Resource Management
- Fund Administration Information Security
- Physical Protection
- Network Monitoring
- Configuration Management
- Vulnerability Management
- Backup and Recovery of Fund Administration Data
- Application Development
- Incident Management
Types of SOC Audits
The AICPA established three separate reports to suit the various demands of service firms that previously used the SAS 70: SOC 1, SOC 2 and SOC 3. All of these reports are overseen by an impartial third-party auditor.
SOC 1 audits are divided into two categories or types. Both SOC 1 reports attest to the controls and processes in place at a service organization, such as a transfer agent, that may affect the internal control over financial reporting of their user entities.
- Type 1: This is an attestation of controls at a certain moment in time at a transfer agent services provider.
- Type 2: This is an attestation of controls over a minimum of six months.
SOC 2 audits are also divided into two categories and are concerned with systems and the controls surrounding data stewardship and cybersecurity.
- Type 1: This evaluates an organization’s cybersecurity controls at a single point in time. The goal is to determine whether the internal controls put in place to safeguard customer data are sufficient and designed correctly.
- Type 2: This is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third party technology services.
SOC 3 reports are similar to SOC 2 but are drafted to be presented to a general audience.
SOC 1 Audit Standards
The old Statement on Auditing Standards No. 70 (SAS 70) audit was created to assist CPAs in reporting on controls at a service organization that affect the financial statements of user entities. It was insufficient for reporting on a cloud hosting provider’s controls and how they affected consumer data privacy. Nonetheless, until 2011, SAS 70 remained the de facto norm for transfer agents, although it was always fraught with ambiguity.
As a result, the AICPA developed the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the SOC framework, which served as a new baseline for service firms including transfer agents and superseded the SAS 70. Then, on May 1, 2017, SSAE No. 18 replaced SSAE 16 and became valid for service auditor reports on transfer agent providers dated after that date. SSAE 19 took the place of SSAE 18 on July 15, 2021.
Whether or not they are required to do so, transfer agent service providers should adhere to SSAE 19 auditing standards, which concern the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that a transfer agent firm’s controls and processes are appropriate.
A transfer agent firm should maintain a SOC 1, Type II certification report for all transfer agent service processes. According to the AICPA, SOC 1 reports are examination engagements performed by a service auditor (CPA) on transfer agent processes in accordance with Statement on Standards for Attestation Engagements (SSAE) 19, Reporting on Controls at a Service Organization, to report on controls at a transfer agent firm. Only existing transfer agent clients (not potential or future customers) and their auditors can access a SOC 1 report.
Phoenix American’s Control Environment
A major international accounting firm examines the design and effectiveness of Phoenix American’s transfer agent controls on an annual basis. Our service and control environment is developed and deployed in adherence with the transfer agent industry’s best practices. The report provides Phoenix American transfer agent clients and the alternative investment community at large confirmation that the company has comprehensively described its transfer agent service controls and that those controls are operating effectively to ensure client security and achieve client objectives.
Alternative investment fund sponsors and their investors increasingly require a successful SOC 1, Type II examination of transfer agent service providers to satisfy their operational due diligence standards. Phoenix American has received an unqualified report on the company’s transfer agent control environment for sixteen consecutive years. This record reflects the robust nature of our transfer agent service controls and testifies to the world-class service levels and advanced technology that are the hallmark of our transfer agent service offering.