SOC 1 Type II Audit of Fund Administration Processes
Fund administration now requires multiple competencies and a much broader role in supporting multiple functions within risk and portfolio management.
Phoenix American fund administration clients rely on our systems to process and store sensitive data. That is why we pay special attention to security, reliability, and scalability in our fund administration solutions.
This means creating and maintaining a complete set of security procedures and processes to protect and secure our clients’ fund administration data. Phoenix American regularly completes the SSAE 18 / Service Organization Control 1 (SOC 1), Type II audit as part of our mission to provide the highest quality fund administration services for our clients.
SOC 1, Type II is an annual certification audit of all fund administration processes, conducted by an independent auditor, that extensively assesses our procedures, private cloud hosting, application development and data security.
SOC 1 Type II Certification for Fund Administration Firms
The SOC 1, Type II certification confirms that Phoenix American has the necessary internal security and availability policies and processes in place for its fund administration processes. This reduces risk and ensures that our fund administration clients’ information is kept safe. Companies such as fund administration providers that are expected to comply with regulatory financial reporting standards such as Sarbanes-Oxley (SOX), particularly those that provide financial services, should use the SOC 1, Type II audit to demonstrate compliance with internal financial reporting controls.
There are several government requirements that apply to fund administration organizations including:
- Sarbanes-Oxley (SOX)
- Gramm-Leach-Bliley (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
These regulations mandate that companies audit their suppliers’ internal controls, including those who supply technology services. Many investment fund sponsors require a SOC 1, Type II audit of their fund administration and investor services provider.
Obtaining a SOC 1 Type II Certification Report from Your Fund Administration Provider
The SOC 1, Type II audit is very pertinent to the fund administration and investor services that Phoenix American provides. We serve financial services businesses and others who are subject to these standards.
The AICPA restricts the use of the SOC 1, Type II report. However, current Phoenix American fund administration clients can obtain a copy of the report after signing a non-disclosure agreement.
Fund Administration and Investor Services Processes Examined in a SOC 1 Type II Audit
The audit’s scope is broad, encompassing all fund administration processes, and takes significant time and effort to complete. The following Phoenix American control areas with regard to fund administration services are examined by the independent auditor:
- Administration and Organization
- Human Resource Management
- Fund Administration Information Security
- Physical Protection
- Network Monitoring
- Configuration Management
- Vulnerability Management
- Backup and Recovery of Fund Administration Data
- Application Development
- Incident Management
SOC 1 reports are divided into two categories or types. Both attest to the controls and processes in place at a service organization, such as a fund administration provider, that may affect the internal control over financial reporting of its user entities.
- Type 1: This is an attestation of controls at a certain moment in time at a fund administration provider.
- Type 2: This is an attestation of controls over a minimum of six months at a fund administration provider.
SOC 1 Audit Standards for Fund Administration and Investor Services Providers
The old SAS 70 audit was created to assist CPAs in reporting on controls at a service organization such as a fund administration provider that have an influence on the financial statements of user entities. It was not enough for reporting on a cloud hosting provider’s controls and how they affected consumer data privacy. Nonetheless, until 2011, SAS 70 remained the de facto norm for fund administration providers although it was always fraught with ambiguity.
As a result, the American Institute of Certified Public Accountants (AICPA) developed the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the SOC framework, which served as a new baseline for service firms including fund administration/investor services providers and superseded the SAS 70. Then, on May 1, 2017, SSAE No. 18 replaced SSAE 16 and became valid for service auditor reports on fund administration providers dated after that date. SSAE 19 took the place of SSAE 18 on July 15, 2021.
Phoenix American fund administration services adhere to SSAE 19 auditing standards, which focus on the controls of a service organization such as fund administration providers that are relevant to an audit of a user entity’s financial statements. This standard is now used to administer SOC reports for fund administration/investor services firms. The standard demonstrates that a fund administration firm’s controls and processes are appropriate.
The AICPA established three separate reports to suit the various demands of service firms that previously used the SAS 70: SOC 1, SOC 2, and SOC 3. All of these reports are overseen by an impartial third-party auditor.
Phoenix American maintains a SOC 1, Type II certification report for all fund administration service processes. SOC 1 reports are examination engagements performed by a service auditor (CPA) on fund administration processes in accordance with Statement on Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organization, to report on controls at a fund administration/investor services firm, according to the AICPA. Existing fund administration clients (not potential or future customers) and their auditors are the only ones who can access a SOC 1 report.
A major international accounting firm examines the design and effectiveness of Phoenix American’s fund administration controls on an annual basis. Our service and control environment is developed and deployed in adherence with the fund administration industry’s best practices. The report provides Phoenix American fund administration clients and the alternative investment community at large confirmation that the company has adequately described its fund administration service controls and that those controls are designed and operating effectively to achieve client objectives.
Alternative investment fund sponsors and their investors increasingly require a successful SOC 1, Type II examination of fund administration service providers to satisfy their operational due diligence standards. Phoenix American has received an unqualified report on our fund administration control environment for fifteen consecutive years. This record reflects the robust nature of our fund administration service controls and testifies to the world-class service levels and advanced technology that are the hallmark of our fund administration service offering.