SOC 1 Type II Audit of Transfer Agent Processes
Transfer Agent services now require multiple competencies and the need to assume a much broader role in supporting multiple functions within risk and portfolio management.
Phoenix American transfer agent clients rely on our systems to process and store sensitive data. That is why we pay special attention to security, reliability, and scalability in our transfer agent solutions.
This means creating and maintaining a complete set of security procedures and processes to protect and secure our clients’ transfer agent data. Phoenix American regularly completes the SSAE 18/ Service Organization Control 1 (SOC 1), Type II audit as part of our mission to provide the highest quality transfer agent services for our clients.
SOC 1, Type II is an annual certification audit conducted by an independent auditor of all transfer agent cesses that extensively assess our procedures, private cloud hosting, application development and data security.
SOC 1 Type II Certification for Transfer Agent Firms
The SOC 1, Type II certification confirms that Phoenix American has the necessary internal security and availability policies and processes in place for its transfer agent processes. This reduces risk and ensures that our transfer agent clients’ information is kept safe. Companies such as transfer agent providers that are expected to comply with regulatory financial reporting standards such as Sarbanes-Oxley (SOX), particularly those that provide financial services, should use the SOC 1, Type II audit to demonstrate compliance with internal financial reporting controls.
There are several government requirements that apply to transfer agent organizations including:
- Sarbanes-Oxley (SOX)
- Gramm-Leach-Bliley (GLBA)
- Health Insurance Profitability and Accountability Act (HIPAA)
These organizations mandate that companies audit their suppliers’ internal controls, including those who supply technology services. Many investment fund sponsors require a SOC 1, Type II audit of their transfer agent and investor services provider.
The SOC 1, Type II certification confirms that Phoenix American has the necessary internal security and availability policies and processes in place for its transfer agent processes. This reduces risk and ensures that our transfer agent clients’ information is kept safe.
Obtaining a SOC 1 Type II Certification Report from Your Transfer Agent Provider
The SOC 1, Type II audit is very pertinent to the transfer agent and investor services that Phoenix American provides. We serve financial services businesses and others who are subject to these standards.
The AICPA restricts the use of the SOC 1, Type II report. However, current Phoenix American transfer agent clients can obtain a copy of the report after signing a non-disclosure agreement.
The SOC 1, Type II audit is very pertinent to the transfer agent and investor services that Phoenix American provides. We serve financial services businesses and others who are subject to these standards.
Transfer Agent and Investor Services Processes Examined in a SOC 1 Type II Audit
The audit’s scope is broad, encompassing all transfer agent processes, and takes significant time and effort to complete. The following Phoenix American control areas with regard to transfer agent services are examined by the independent auditor:
- Administration and Organization
- Human Resource Management
- Fund Administration Information Security
- Physical Protection
- Network Monitoring
- Configuration Management
- Vulnerability Management
- Backup and Recovery of Fund Administration Data
- Application Development
- Incident Management
SOC 1 Reports are divided into two categories or types. Both SOC 1 reports attest to the controls and processes in place at a service organization, such as a transfer agent, that may affect the internal control over financial reporting of their user entities.
- Type 1: This is an attestation of controls at a certain moment in time at a transfer agent provider.
- Type 2: This is an attestation of controls over a minimum of six months at a transfer agent provider.
The audit’s scope is broad, encompassing all transfer agent processes, and takes significant time and effort to complete.
SOC 1 Audit Standards for Transfer Agent and Investor Services Providers
The old SAS 70 audit was created to assist CPAs in reporting on controls at a service organization such as a transfer agent provider that have an influence on the financial statements of user entities. It was not enough for reporting on a cloud hosting provider’s controls and how they affected consumer data privacy. Nonetheless, until 2011, SAS 70 remained the de facto norm for transfer agent providers although it was always fraught with ambiguity.
As a result, the American Institute of Certified Public Accountants (AICPA) developed the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the SOC framework, which served as a new baseline for service firms including transfer agent/investor services providers and superseded the SAS 70. Then, on May 1, 2017, SSAE No. 18 replaced SSAE 16 and became valid for service auditor reports on transfer agent providers dated after that date. SSAE 19 took the place of SSAE 18 on July 15, 2021.
Phoenix American transfer agent services adhere to SSAE 19 auditing standards, which focus on the controls of a service organization such as transfer agent providers that are relevant to an audit of a user entity’s financial statements. This standard is now used to administer SOC reports for transfer agent/investor services firms. The standard demonstrates that a transfer agent firm’s controls and processes are appropriate.
The AICPA established three separate reports to suit the various demands of service firms that previously used the SAS 70: SOC 1, SOC 2, and SOC 3. All of these reports are overseen by an impartial third-party auditor.
Phoenix American maintains a SOC 1, Type II certification report for all transfer agent service processes. SOC 1 reports are examination engagements performed by a service auditor (CPA) on transfer agent processes in accordance with Statement on Standards for Attestation Engagements (SSAE) 18, Reporting on Controls at a Service Organization, to report on controls at a transfer agent/investor services firm, according to the AICPA. Existing transfer agent clients (not potential or future customers) and their auditors are the only ones who can access a SOC 1 report.
A major international accounting firm examines the design and effectiveness of Phoenix American’s transfer agent controls on an annual basis. Our service and control environment is developed and deployed in adherence with the transfer agent industry’s best practices. The report provides Phoenix American transfer agent clients and the alternative investment community at large confirmation that the company has adequately described its transfer agent service controls and that those controls are designed and operating effectively to achieve client objectives.
Alternative investment fund sponsors and their investors increasingly require a successful SOC I, Type II examination of transfer agent service providers to satisfy their operational due diligence standards. Phoenix American has received an unqualified report on our transfer agent control environment for fifteen consecutive years. This record reflects the robust nature of our transfer agent service controls and testifies to the world-class service levels and advanced technology that are the hallmark of our transfer agent service offering.
Learn why industry leaders trust us for their back office
Let’s discuss how Phoenix can elevate your investor experience
