Transfer Agent Processes and the SOC 1, Type II Audit

The SOC 1, Type II audit evaluates and certifies the protocols, private cloud hosting, application development and data security of service organizations, including transfer agents.



Systems and processes at a transfer agent deal with sensitive client data. That is why Phoenix American transfer agent solutions place a premium on security, dependability, and scalability. We have developed and maintain a comprehensive set of security rules and processes that safeguard and secure the data of our transfer agent clients.

As part of our aim to provide the highest quality transfer agent services to our clients, Phoenix American performs the SSAE 19/Service Organization Control 1 (SOC 1), Type II audit on a regular basis.

SOC 1, Type II is an annual certification audit of all transfer agent processes undertaken by an independent auditor. This audit evaluates and certifies our protocols, private cloud hosting, application development and data security.

Transfer Agents with SOC 1 Type II Certification

Phoenix American has all of the essential internal security and availability policies and processes in place for its transfer agent processes, according to the SOC 1, Type II certification. This eliminates operational risk and ensures that the vital information of our transfer agent clients is kept secure. Organizations required to comply with regulatory financial reporting standards such as the Sarbanes-Oxley (SOX) legislation include transfer agents.

The SOC 1, Type II audit is intended for organizations that provide financial services, such as transfer agents, to ensure compliance with internal financial reporting controls. Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) are just a few of the government regulations that apply to transfer agents. These regulations require companies to audit the internal controls of their vendors, including those that provide technological services as transfer agents. A SOC 1, Type II audit of their transfer agent and investor services provider is required by many investment fund sponsors.

Transfer Agent Certification and Obtaining a SOC 1, Type II Report

The SOC 1, Type II audit is extremely important for Phoenix American’s transfer agent and investor services clients. Financial services companies and other firms we work with also must adhere to these guidelines. The use of the SOC 1, Type II report is strictly limited by the American Institute of Certified Public Accountants (AICPA) which governs its use. Current Phoenix American transfer agent clients can request a copy of our SOC report by signing a non-disclosure agreement.

A SOC 1, Type II Audit Looks Closely at Transfer Agent Processes

The SOC audit’s scope is vast, covering all transfer agent processes, and it takes a long time to complete. The independent auditor examines the following Phoenix American control areas in relation to transfer agent services:

  • Transfer Agent Process Administration and Organization
  • Transfer Agent Team Human Resource Management
  • Information Security for Transfer Agent Data
  • Physical Defense
  • Network Surveillance
  • Management of Configuration
  • Management of Vulnerabilities
  • Transfer Agent Data Backup and Recovery
  • Application Development for Transfer Agent Processes
  • Management of Incidents

There are two groups into which SOC 1 reports are classified. Both groups attest to the controls and processes in place at a service organization, such as a transfer agent, that could affect their user entities’ internal control over financial reporting.

Type I: This is an attestation of controls at a transfer agent at a specific point in time.

Type II: This is an attestation of ongoing controls at a transfer agent over a minimum period of six months.

Transfer Agent SOC 1 Audit Standards

In the past, the SAS 70 audit aided CPAs in reporting on controls at service organizations, such as transfer agents, that had an impact on user entities’ financial statements. However, reporting on a cloud hosting provider’s procedures and how they affected consumer data security was inadequate. Nonetheless, until 2011, SAS 70 was the standard for transfer agents, despite the fact that it was always of ambiguous value.

Because of this ambiguity, the American Institute of Certified Public Accountants (AICPA) produced the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the Service Organization Controls (SOC) framework. This framework replaced SAS 70 as the standard for service organizations, including transfer agents and investor services providers. On May 1, 2017, SSAE No. 18 took the place of SSAE 16 and became effective for service auditor reports on transfer agents issued after that date. On July 15, 2021, SSAE 19 replaced SSAE 18.

Phoenix American transfer agent services are audited in accordance with SSAE 19 auditing standards. The SSAE 19 audit focuses on the controls of a service organization, such as transfer agents, that are important to an audit of a user entity’s financial statements. SOC reports for transfer agent/investment services firms are now administered under this standard. The standard establishes that a transfer agent’s controls and processes are sufficient.

SOC 1, SOC 2, and SOC 3 were created by the AICPA to meet the needs of service firms, such as transfer agents, who previously relied on the SAS 70. An independent third-party auditor oversees all of these reports.

For all transfer agent service processes, Phoenix American maintains a SOC 1, Type II certification report. According to the AICPA, SOC 1 is an examination of transfer agent processes by a service auditor, a CPA, in accordance with the SSAE 19 reporting on controls at a service organization, namely a transfer agent/investment services firm. Only current transfer agent clients (not potential or future clients) and their auditors have access to the Phoenix American SOC 1 report.

On a yearly basis, a prominent international accounting firm evaluates the design and efficacy of Phoenix American’s transfer agent controls. The transfer agent industry’s best practices are followed in the development and deployment of our service and control environment. The report assures Phoenix American transfer agent customers and the alternative investing community at large that the company has adequately disclosed its transfer agent service controls and that they are established and working effectively to meet transfer agent client objectives.

To meet their operational due diligence standards, alternative investment fund sponsors and their investors are increasingly requiring a successful SOC 1, Type II assessment of transfer agent service providers. For the past fifteen years, Phoenix American has earned an unqualified rating on our transfer agent control environment. This record attests to the world-class service levels and innovative technology that are the hallmarks of our transfer agent service offering, as well as the robust nature of our transfer agent service controls.
