Are controls reports fit for purpose?
By Fiona Gaskin, Director of Performance Assurance, PwC Dublin
Published: 14 October 2016
Typically, organisations that have outsourced a function receive controls reports either in response to specific questions posed to their current or potential service organisation, or as a matter of course once a year. Anecdotally we know that many of these reports are simply filed away without being adequately analysed, despite the fact that boards and operations teams may be referring to the reports when demonstrating to regulators their oversight of service providers. Based on feedback from various regulators it is clear that such an approach is not adequate, and individual risks must be considered.
Taking the fund industry as an example, the Central Bank of Ireland (the CBI) believes that enhancing the effectiveness of fund management companies, their boards and investment fund boards better protects investors. In June, the CBI issued the third consultation paper on Fund Management Company Effectiveness – Delegate Oversight (CP86). This paper set out a number of proposed initiatives which were designed to further underpin substantive control by fund management companies (including self-managed investment companies, which are regulated as management companies), acting on behalf of investment funds, over the activities of their delegates.
A new concept of an “Organisational Effectiveness (OE) role” was introduced in CP86. The OE rule requires fund management companies to have an independent director, who does not fulfil any other designated person function, to ensure that the fund management company continues to be organised and resourced in the most appropriate manner on an on-going basis. Examples of the types of matters in which the OE person will be involved include monitoring compliance with the procedures and structures agreed by the board for the on-going monitoring of work delegated to third parties, and overseeing how well the arrangements for the supervision of delegates are working. The purpose of this rule is to obligate one person to oversee the totality of the delegate arrangements put in place, to provide assurance that they all work well together.
Under Irish law, the board of directors assumes ultimate responsibility for the management of the company. In light of the new OE rule requirement, fund directors can use third party controls reports issued by independent auditors when fulfilling the OE role as part of their responsibilities set out by the CBI, as long as the controls reports are fit for purpose.
The following are some key areas to be considered when deciding if a controls report is fit for purpose:
Are my risks being addressed?
This may seem like a very basic place to begin, but a surprising number of users of controls reports simply take the report, check if it has an unqualified opinion and then file it away without really considering if it addresses their areas of concern. When any activity has been outsourced, an assessment of the risks relating to that outsourcing arrangement should be carried out. The outsourcer then needs to consider how comfort may be obtained over each individual risk. In some cases that will be through detailed oversight which can be exercised within the outsourcer organisation (e.g. the completion of their own independent cash reconciliations). However, for other areas, there will be a reliance on the service provider. An analysis of where that reliance exists should then drive an appropriate level of oversight controls, including, for example, completing on-site visits, reviewing a controls report, using SLA data each day, etc. Whatever the method or combination of methods, the key point is that the oversight must address the relevant risks.
Where reliance on a controls report has been identified as part of the oversight controls, the actual scope of the report should be mapped back to the key risks identified by the outsourcer. Spending time looking at the scope of any controls report is fundamental to relying on it. Firstly, it is useful to identify the key areas you are interested in. Taking an example, if you have outsourced your fund administration process, your list of related risks may include areas such as:
- NAV errors
- NAV is released late
- Loss of data – accidental
- Loss of data – due to hacking
- Regulatory return errors
A typical controls report which focuses on financial reporting (SSAE16/ISAE3402/SOC1) will likely address the first two of these risks, and elements of the third risk in that they frequently cover backups. However, the fourth risk is not addressed in this type of report. If this is your concern, then you need to ask specific questions on this topic, and consider the relevance of requesting your service provider to complete an alternative controls report such as a SOC 2 (controls report focusing on security, confidentiality, privacy, processing integrity and/or availability).
Likewise, the accuracy of a regulatory return will not be included in a report focusing on financial reporting, but the risk of lodging an incorrect regulatory return could be substantial for the outsourcer in terms of fines and sanctions. In these cases, either specific on-site work by those who have outsourced the activity may need to be completed, and/or the service organisation may be asked to provide a specific controls report relating to this area (e.g. an ISAE 3000 report).
Secondly, in relation to scope, once you have established that your areas of interest are in scope, there is still a need to look at the specifics of the scope. Sometimes looking for what has been omitted is as important as looking at what has been included; for example, does the report list out a number of transaction types which are included in the scope, but stay silent on the area of derivatives? Are supporting IT general controls for all key applications included in the scope? If not, the reliance you can place on the report is significantly reduced unless some other form of assurance over those controls is available.
Am I an intended user?
The service auditor’s opinion should clearly state who the intended users are; for example, the intended users of a controls report relating to financial reporting are usually the service organisation’s current customers and their auditors. A SOC 2 report is permitted to have a slightly wider definition of intended users. It is an important section of the opinion as it establishes whether you can place reliance on the report.
Is it a “clean” opinion?
The service auditor’s opinion contained in controls reports generally follows a reasonably defined structure (other than an ISAE 3000/AT101). It is important that you review the opinion to see if overall the independent service auditor concluded that the controls are fairly presented, designed correctly and, if relevant, operating effectively over a defined period.
Are there exceptions?
Exceptions occur when the testing of a control indicates that it is either not designed correctly or that one or more instances did not operate as expected. A significant amount of auditor judgement is required in determining if an exception should lead to an overall opinion qualification. Regardless of whether or not the report is qualified, to use the report you should read through all exceptions including management’s response if provided. Management’s response may or may not be validated by the service auditor – if it is not, then you should consider asking the service organisation for their response and evidence of any follow up action they have taken to correct the exception.
Is there a gap period?
As service providers in the asset management industry are servicing funds with many different period end dates, it can be the case that the report is not available at a time which works well for your oversight. This may lead to a large gap period (i.e. the period between the report end date and the period end of your fund), in which case you might want to consider how you obtain alternative comfort for that gap period.
Are sub-service organisations included or excluded?
When the service organisation you have engaged also outsources activities relevant to the processing of your transactions, this extension of the outsourcing chain is known as a sub-service organisation. A controls report can use either a carve-in approach (i.e. the controls operated by the sub-service organisation are included in the report) or a carve-out (excluded) approach. If they are carved out, you need to consider whether the areas excluded from the report impact your risk areas and, if so, what alternative work you need to complete to demonstrate adequate oversight.
Are there complementary user control considerations?
Most controls reports will include one or more sections which detail “complementary user control considerations”. These are key if you are looking to rely on the report, as the opinion is essentially stating that the controls are only effective in meeting the control objectives if the outsourcer has these controls in place. Such controls may include things like making the service organisation aware of changes in who is allowed to authorise transactions, providing authorisation for some transactions, etc. When relying on a report, it is important to map each one of these expected controls back to actual controls within your organisation. If no such control exists and the area is relevant, then a control should be implemented.
Who is the service auditor?
When determining the sufficiency and appropriateness of the assurance provided by a controls report, users of the report should also consider the service auditor’s professional competence and qualifications. Controls reports are specialised in nature and not all controls reports are equal. The service auditor’s experience of completing similar reports and their technical ability to cover the areas involved contribute significantly to their professional competence.
Controls reports can be of great benefit to an organisation that has outsourced a function, but only if the user of the report appropriately analyses the content and ensures all key risks are addressed. If the risks are not addressed then the outsourcer has some options, including supplementing the controls report with their own independent testing and/or requesting the service organisation to amend the scope going forward. Given the costs involved in any detailed independent testing, the most cost effective method is usually demanding a report which is fit for purpose from your service providers – after all, your Regulator is likely to demand evidence of a high degree of formal outsourcing oversight from you.