The SOC, 1 Type II Audit and Phoenix American Transfer Agent Services

For Phoenix American’s transfer agent and investor services clients, the SOC 1, Type II audit is critical. These criteria must also be followed by other financial services companies and other businesses with whom we collaborate. The American Institute of Certified Public Accountants (AICPA), which controls the usage of the SOC 1, Type II report, has tight guidelines. By signing a non-disclosure agreement, current Phoenix American transfer agent clients can receive a copy of our SOC report.

The scope of the SOC audit is extensive, encompassing all transfer agent processes, and it takes a long time to complete. In connection to transfer agent services, the independent auditor evaluates the following Phoenix American control areas:

• Transfer Agent Process Administration and Organization
• Human Resource Management for Transfer Agent Teams
• Security and Stewardship of Transfer Agent Data
• Physical Security
• Network Monitoring
• Configuration Management
• Vulnerability Management
• Backup and Recovery for Transfer Agent Client Data
• Incident Management
• Transfer Agent System and Application Development

SOC 1 reports are in two categories. Both attest to the controls and processes in place at a service organization, such as a transfer agent, that may affect internal controls over financial reporting.

Type I: This is an attestation of controls at a certain moment in time at a transfer agent.

Type II: This is a six-month minimum attestation of continuous controls at a transfer agent.

In years past, the SAS 70 audit supported CPAs in reporting on controls at service organizations, such as transfer agents, that had an impact on the financial statements of user entities. But reporting on a cloud hosting provider’s practices and how they impacted user data security, on the other hand, was insufficient. Despite the fact that it was always of ambiguous value, SAS 70 was the norm for transfer agents until 2011.

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the Service Organization Controls (SOC) framework were created by the American Institute of Certified Public Accountants (AICPA) in response to this situation. SAS 70 was replaced as the standard for service firms, such as transfer agents and investor services providers, by this framework. SSAE No. 18 replaced SSAE 16 on May 1, 2017, and it became effective for service auditor reports on transfer agents issued after that date. SSAE 19 took the place of SSAE 18 on July 15, 2021.

SSAE 19 auditing standards are used to examine Phoenix American transfer agent services. The SSAE 19 audit focuses on service organization controls that are crucial to an audit of the financial statements a user entity such as a transfer agent. This standard now governs SOC reports for transfer agents and investor services organizations. The standard establishes that the controls and processes of a transfer agent are adequate.

The AICPA introduced SOC 1, SOC 2, and SOC 3 to suit the needs of service firms that previously relied on the SAS 70, such as transfer agents. All of these reports are overseen by an impartial third-party auditor.

Phoenix American maintains a SOC 1, Type II certification report for all transfer agent service processes. According to the AICPA, SOC 1 is an examination of transfer agent processes by a service auditor, a CPA, in accordance with the SSAE 19 standard on controls at a service organization, such as a transfer agent/investment services firm. The Phoenix American SOC 1 report is only available to current transfer agent clients (not potential or future clients) and their auditors.

A prestigious international accounting firm analyzes the design and efficacy of Phoenix American’s transfer agent controls on a yearly basis. In the creation and deployment of our service and control environment, we adhere to the transfer agent industry’s best practices. The report reassures Phoenix American transfer agent clients and the alternative investing community at large that the company has appropriately disclosed its transfer agent service controls and that they are in place and performing effectively to satisfy transfer agent client goals.

Alternative investment fund sponsors and their investors are increasingly requesting a successful SOC I, Type II examination of transfer agent service providers to meet their operational due diligence standards. Phoenix American has received an unqualified grade on our transfer agent control environment for the past fifteen years. This record attests to our transfer agent service offering’s world-class service levels and innovative technology, as well as the robustness of our transfer agent service controls.