The PrivaTe equity CFO & COO DigesT New ways of adding value to the firm, the fund and the portfolio company

Transcription

1 The PrivaTe equity CFO & COO DigesT 2013 New ways of adding value to the firm, the fund and the portfolio company

2 This chapter was first published in the The Private Equity CFO & COO Digest 2013 by PEI 7 Surviving an independent review of the firm s internal controls: The ISAE 3402 By Philippe Bucher, Adveq Management AG Introduction Background and overview With the new set of assurance standards for services organisations (such as an alternative asset management firm) known as the ISAE 3402 having been introduced back in June 2011 it is now a good time to review and assess their impact and effectiveness in the context of the alternative fund management industry. This chapter considers the benefits and weaknesses of the ISAE 3402, sets out what a private equity firm can expect from a review of their internal controls and concludes with some practical tips for surviving the process. The ISAE 3402, together with their US sister standard SSAE 16 (considered to be substantially equivalent to ISAE 3402) replaced the previous US standards, SAS 70, as the authoritative guidance for reporting on service organisations. The International Standard on Assurance Engagements (ISAE) are set and issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard-setting board founded in 1978 and operating within the International Federation of Accountants. ISAE 3402 is the latest international standard designed by the IAASB and was developed to provide the first global assurance standard for public accountants issuing reports to user organisations (such as a pension fund) and their auditors on the controls in place at a service organisation. ISAE 3402 focuses on controls that are likely to impact, or comprise part of, the user organisation s system of internal controls and sets even stricter requirements for service organisations and their auditors compared to its predecessor. Evolution of standards control The auditor s consideration of a firm s internal controls and the impact a service organisation may have on its own controls has long been an area of focus in designing an acceptable audit approach. The first Statement on Auditing Procedure (SAP) was issued in 1939 and statements relating to internal controls have been modified periodically ever since, taking into account the evolving economic landscapes. A key milestone statement was SAS 94, The Effect of Information Technology on the Auditor s Consideration of Internal Control in a Financial Statement Audit; the first to require consideration of technology and communications on internal controls. The original intent of the SAS 70 auditing standard was a report primarily designed for use by auditors; it was not geared towards the increasing requirements of bodies (such as regulatory agencies, international bodies, governmental entities and user organisations. The financial crisis brought a host of regulations and internal controls at financial services organisations into focus and forced many to examine their control 2

3 Surviving an independent review of the firm s internal controls: The ISAE 3402 environment. ISAE 3402 grew out of this pressure, which exposed some of the limitations inherent in SAS 70 and was a further step towards accounting standards that are less bifurcated by region and more internationally accepted. SAS 70 vs. ISAE 3402 The first important point to note is that ISAE 3402 is an attestation standard, while SAS 70 was an auditing standard. The reason for this change in terminology is that the IAASB believed that examining a service organisation s systems and controls should not be considered an audit of financial statements and that to label it as such would be misleading. The second important difference is that under ISAE 3402 the management of the service organisation must provide a description of its controls system along with a written assertion, whereas SAS 70 simply called for a description of controls. The definition of a controls system is quite broad, so the new requirement entails careful planning and a full understanding to ensure it is met. As a result of this change, and to ensure the new standards are met, some service organisations may find themselves making significant changes to their previous description of controls. Related to this, another important change is that in some circumstances sub-service organisations working with or alongside the service organisation must also provide similar written assertions that the system is fairly presented. Type I and Type II auditor reports In ISAE 3402 (as in SAS 70) auditor reports are classified as either Type I or Type II. In a Type I report, the auditor evaluates the design and existence of internal controls within a service organisation at the specific reporting date and also their description in the ISAE 3402 internal controls report. A Type II report includes the same information, but it also examines the operating effectiveness of controls during a specific time period. The difference between Type I and Type II reports can therefore be compared to that between a snapshot picture and a movie. Achieving Type II certification is far more valuable than simply obtaining Type I as it demonstrates a firm is applying its standards, not just paying lip-service to them. One change to a Type II report is that the auditor also gives its opinion on the suitability of design of controls throughout the entire period under review, as opposed to at a specific date, which was the case under SAS 70. Traditional audit vs control functions report A traditional audit focuses only on the financial accounting and reporting aspects of an organisation. It looks at how business transactions are processed and recorded in the accounting system, weighs regulations and examines whether a company s financial statements represent a true and fair view of a company s financial situation. In short, it focuses on accounting and financial reporting of the business. It doesn t examine the business processes themselves. For example, an audit of a car manufacturer would opine 3

4 The Private Equity CFO & COO Digest 2013 on its financial situation and not on whether the manufacturer produces good cars. This is why a controls report is critical. It reviews areas that a traditional financial audit is not concerned with. Controls report: objectives, scope and phases Objectives With the general trend towards outsourcing operations, especially in the area of financial services, internal controls (and reviews of those controls) are increasingly important. In addition, the financial crisis has greatly increased the focus on the internal processes employed by asset managers and financial service organisations from both regulators and institutional investors. For many institutional investors, understanding the internal controls at an asset management firm or investee fund will form a component part of their due diligence. This is especially true with respect to alternative fund managers, which tend to be subject to less regulation and oversight and therefore have historically been less transparent in terms of their investment process and operations. Demonstrating the credibility and quality of services being offered has, therefore, never been more important. Scope of the report The typical scope of the controls report addresses many different areas. The primary and overarching duty of any organisation is to ensure strict adherence to the client s investment objectives, including the selection and monitoring of third-party managers and investee funds; this will therefore form a key part of the controls report. Other important areas that the auditor will review include: trade execution and settlement; portfolio positions valuation and reconciliations; investment and performance reporting; proper calculation of management and performance fees as well as critical IT processes and data security. With the proliferation of technology systems to manage various processes (see Chapters 4 and 5) data security is an increasing concern. Ensuring a firm can demonstrate the strength of the security governing the data it holds is therefore vitally important and will become ever more so as the breadth and complexity of these systems grow. Phases Phase 1: Scoping the report The controls report examination will typically consist of four phases. During the first phase, the scope of the controls report is determined on the basis of contractual obligations of the service organisation towards its clients and a gap analysis conducted which examines expected controls against existing controls. To understand the controls in place, the auditor will conduct a review of standard contracts with user organisations to gain an understanding of the firm s contractual obligations. It will also review the organisational structure, including segregation of functional responsibilities, policy statements, personnel policies and procedure manuals. While the controls review focuses on processes that are often technical and legal in 4

5 Surviving an independent review of the firm s internal controls: The ISAE 3402 nature, it cannot rely solely on an examination of paperwork. A significant amount of the review involves face-to-face discussions between the auditor, management and other relevant personnel at the organisation. This can include an observation of the firm s personnel in the performance of their assigned procedures and a walk-through of selected processes and controls. The last stage of phase one involves the auditor developing recommendations for any identified gaps in the controls process. Phase 2: Implementing recommendations Phases 3/4: Report generation and feedback In the second phase, the recommendations developed in Phase one are implemented to eliminate any gaps in the process. This could result in additional controls being put in place, an improvement of the controls documentation or a modification of how the controls are designed. A description of the controls will be prepared and the potential for a Type I report to be issued will exist. Phases three and four are the lengthiest parts of the process. These phases involve generating a report detailing the track-record of the suggested controls and then testing these controls in terms of their operating effectiveness. During phase four, feedback will be provided and further recommendations for control modifications can be made. The final stage is the representation letter and management assertion, followed by the issuance of the Type II report. Successful certification: Benefits for organisations and investors Trust and confidence The trend of outsourcing management services in the financial services sector has grown strongly in recent years, resulting in more choice than ever for investors. As in any marketplace, with increased choice comes increased opportunities for good and bad practice. Caveat emptor applies just as keenly in financial services as in any other sector. As a result, ensuring early and full compliance with the most up-to-date international transparency, governance, regulatory and accounting standards has become crucial to win trust and generate new business. Whereas previously a nice to have, demonstrating a strong internal control process through an independent verification process is increasingly a must have for any serious asset manager. It demonstrates a commitment on the part of the manager to ensuring clients receive best-practice service levels and Type II certification can be a crucial differentiator in a crowded market. A controls report enables investors to have confidence in the asset manager to whom they have entrusted their capital. An asset manager with these controls in place demonstrates to an investor they are willing to allocate the necessary resource to ensuring the best service. Transparency The financial crisis has quite rightly spurred calls for increased transparency across financial services, including the alternative asset management industry. A firm compliant with ISAE 3402 standards will produce improved reporting for investors and help satisfy these transparency demands. It is an effective operational risk management element and helps promote the organisation s risk culture. 5

6 The Private Equity CFO & COO Digest 2013 Investor due diligence Facilitating audit process at investor level Improvement and benchmarking For institutional investors, ensuring a prospective asset manager has the right controls in place is a key element of due diligence and as such has its own unique benefits. An institutional investor is likely to increase its own due diligence effectiveness and efficiency by including the prospective asset managers controls process in its due diligence. It may reveal gaps or throw up questions that had not been previously asked/answered or simply confirm statements previously made. Institutional investors, such as pension funds, are subject to audits themselves. Their auditor will have to review the internal controls around the outsourced operations such as investment management. If the asset manager provides a Type II ISAE-3402 controls report, the auditor of the investor can place reliance on it, which helps facilitate the audit process and increases confidence. The purpose of an ISAE 3402 is not limited to the auditor finding the asset manager to have a faultless process or detecting any deviations. A successful audit should actually reveal areas for improvement in a manager s internal control process. The controls report should improve the internal process by challenging the asset manager to continuously take proactive steps to ensure best practice processes are in place. A controls report forces an organisation to constantly reflect on its processes and ask what could be done differently. The most committed firms do not view a controls report as a one-off exercise but an evolving process throughout the year a real learning opportunity. Regular dialogue with the auditor is important. It provides an organisation with the ability to benchmark in an informal way its controls performance against its peers by asking questions and keeping abreast of industry developments. An investment manager with Type II certification will have plugged any gaps in the process that might previously have existed and the most committed are also looking for these gaps on a regular basis. As it does for the firm itself, the controls report also provides investors with the ability to benchmark prospective asset managers and make the best-informed allocation decision possible. As a matter of fact, great processes and effective controls have a significant positive impact on investment performance. Disadvantages and questions to ask Disclosing weaknesses Resource The numerous advantages of controls reporting and the push to more effective international standards should not preclude a discussion of the potential disadvantages. A process designed to highlight potential issues in a transparent manner increases the risk of disclosing control weaknesses to clients. Although flagging weaknesses is the point of the process and provides a manager with the opportunity to rectify them, some investors may not look kindly on such weaknesses. The reaction of an investor is likely to be dependent on the nature of the controls gap, even minor weaknesses could present difficulties for the relationship. Furthermore, keeping internal controls in place requires additional capacity and resources in terms of personnel and capital. While for a large organisation allocating this additional resource is not a significant burden and the costs of an auditor examination are not 6

7 Surviving an independent review of the firm s internal controls: The ISAE 3402 prohibitive, for a smaller organisation these costs can end up being quite substantial, relative to its size. For an organisation with stretched resources, undergoing an internal controls review is therefore not a straightforward calculation. However, if a firm has a real commitment to undertaking the process, it can be completed. It is not a question of technical know-how, but of time, and the playing field here is level, regardless of size. Differentiator? Alongside these potential disadvantages, there are also salient questions that should be asked about controls reporting. All firms that have passed an independent audit of their controls will claim this as a differentiator, but if the vast majority of firms in a given sector have all passed a similar (or the same) examination, to what extent can it be claimed to be a differentiator? A firm may be able to differentiate itself from those that do not have a Type II controls report and an investor should ask probing questions of a firm with only a Type I certification. This is unlikely, however, to provide a game-changing advantage over a competitor organisation on its own. In this context it is very important to demonstrate long-term consistency of internal controls and a commitment to best practice regardless of the wider regulatory environment. It is also useful for a firm to move as early as possible to incorporate the latest international standards. This holds especially true today with increased transparency trends and high regulatory requirements to stay for a decade. The right controls? Surviving a controls review Preparation Documentation Top-down support However, even in the case of early adoption and a long-term commitment to leading industry standards, one must ask whether the standards themselves achieve their stated objectives. The ISAE 3402 controls report is issued and maintained by individual firms, which define the nature of their internal controls, with the auditor then assessing their strengths and weaknesses. Although the scope and design of controls must be in line with contractual obligations of the investment manager towards its clients, clients will still need to assess if the most relevant processes have been chosen and, with that, the respective controls. The danger is to blindly rely on the report. It is absolutely crucial that investors themselves ask whether the processes and controls chosen are the right ones. As previously stated, a controls review should be seen as a process, not a one-time event. To ensure a firm has a constant watch on its processes, individuals should be designated to undertake periodic reviews during the year prior to the audit itself. If, for example, a firm has divided its controls process between investment management, fund administration and IT, an individual within each of these departments could be assigned to manage the controls process throughout the year. Managing controls in this way will put an organisation in the strongest position when the auditor arrives to start the formal process. Because examination of internal controls under ISAE 3402 is based on a formal design and evidence of execution of controls, it is important that controls are duly formalised in terms of their definition (for example, using flow-charts or process flow diagrams) and are not only properly carried out but also that the historical evidence of their execution is formally documented. It is vital that everyone in the organisation truly understands the benefits of sound 7

8 The Private Equity CFO & COO Digest 2013 processes and controls (report), especially senior management. Without the buy-in of senior management, successfully achieving Type II certification will be more difficult. As the process can be time consuming some may view it as intruding on their day-to-day work activities. It is important that the managers in charge of the process make clear that effective internal controls are now as much a part of every individuals day job as their core activity. Without complete buy-in across the organisation, a sense of resentment may develop and generate unnecessary and unhelpful obstacles to completing the process. Culture Ultimately, internal controls should be embedded in the culture and value-system of an organisation and should not be seen as a tick-box exercise. With trust in financial services falling to all-time lows following the financial crisis, it has never been more important for firms, including those in the alternative asset management industry, to ensure strong ethics underpin their entire approach to doing business. Philippe Bucher is Adveq s CFO/COO and a member of Adveq s Executive Management Group. Since 2005, he has led Adveq s global operations team responsible for fund administration and services, legal and tax, group finance and information technology. Philippe serves on the Board and as director of various group companies in the US, China, Curaçao, the Cayman Islands, Scotland and Europe including the German GmbHs. Before joining Adveq, Philippe led a wide range of corporate finance mandates in the valuation and strategy practice at PricewaterhouseCoopers from 2003 to Before 2003, he worked as an audit and business advisory manager at Arthur Andersen and as an analyst at UBS. Philippe graduated from the University of Zurich with a Master s degree in Economics. He has also earned the Swiss Certified Public Accountant (CPA) and the Chartered Financial Analyst (CFA) designations and completed an executive programme at the Harvard Business School in the US. Founded in 1997, Adveq is a leading asset manager investing in private equity and real asset funds globally. It offers specialized investment solutions which allow the firm s clients to access select private market segments globally. To date, Adveq has invested in more than 400 funds on behalf of its clients and generated consistent returns throughout economic cycles. Adveq s client base comprises institutional investors such as pension funds, insurance companies, family offices and other financial institutions located in Europe, North America and the Asia-Pacific region. Many of Adveq s investors are repeat, long-term clients with whom the firm has developed a role as a trusted partner for private market investing. Adveq has offices in Zurich, Frankfurt, New York, Beijing, Shanghai and Hong Kong, as well as a representative office in Sydney. 8