Space considerations prevent publishing here the appendix to SOP 07-2. Since the appendices often are important to understanding SOPs, readers are advised to obtain complete copies. To obtain a copy of SOP 07-2 (product no. 014946), visit www.cpa2biz.com/store or contact the AICPA at 888-777-7077.
This Statement of Position (SOP) is an interpretive publication and represents the recommendations of the Chief Compliance Officers Task Force of the AICPA Auditing Standards Board (ASB) regarding the application of Statements on Standards for Attestation Engagements (SSAE) primarily to examination engagements in which a practitioner reports on the suitability of the design and operating effectiveness of a service provider's controls in achieving specified compliance control objectives. Examples of the service providers addressed by this SOP are investment advisers, custodians, transfer agents, administrators, and principal underwriters that provide services to investment companies (including business development companies), investment advisers, or other service providers (user organizations). A practitioner's report on the suitability of the design and operating effectiveness of a service provider's controls in achieving specified compliance control objectives is used primarily by user organizations because aspects of a user organization's compliance or internal control over compliance with laws, regulations, and rules may be affected by or include controls at service providers. The ASB has found the recommendations in this SOP to be consistent with existing standards covered by Rule 202, Compliance With Standards, of the AICPA Code of Professional Conduct (AICPA, Professional Standards, vol. 2, ET sec. 202.01).
Interpretive publications are not as authoritative as pronouncements of the ASB; however, if a practitioner does not apply the attestation guidance included in this SOP, the practitioner should be prepared to explain how he or she complied with the provisions of SSAE addressed by this SOP.
TABLE OF CONTENTS
Introduction and Background/1-5
Objective of the Examination Engagement/6-7
Subject Matter of the Examination Engagement/8
Management's Responsibilities/9
Criteria/10
Reference to Laws, Regulations, and Rules/11
Practitioner's Responsibilities/12-13
Matters Addressed by the Compliance Control Objectives/14-18
Evaluating Deficiencies in Controls/19-20
User Organizations Affected by a Service Provider's Noncompliance With Federal Securities Laws or Elements Thereof/21-22
Management Assertion/23-24
Management Representational/25-27
Reporting/28-33
Agreed-Upon Procedures/34-36
Effective Date/37
Appendix A:
Appendix A-1--Illustrative Practitioner's Examination Report on a Service Provider's Assertion Regarding Specified Compliance Control Objectives and Related Controls
Appendix A-2--Illustrative Practitioner's Examination Report on a Service Provider's Assertion Regarding Specified Compliance Control Objectives and Related Controls When the Service Provider Uses a Subservice Provider and the Subservice Provider's Control Objectives and Related Controls are Excluded From the Description and the Scope of the Practitioner's Engagement
Appendix A-3--Illustrative Management Assertion Regarding a Service Provider's Specified Compliance Control Objectives and Related Controls
Appendix A-4--Illustrative Service Provider's Description of Specified Compliance Control Objectives and Related Controls
Appendix B--Illustrative Practitioner's Examination Report Containing a Qualified Opinion on the Suitability of the Design and Operating Effectiveness of a Service Provider's Controls in Achieving Specified Compliance Control Objectives
Appendix C--Additional Illustrative Compliance Control Objectives
Appendix D--Matters Identified in Securities and Exchange Commission Release Nos. IC-26299 and IA-2204 Adopting Rules 38a-1 and 206(4)-7 Pertaining to Compliance Policies and Procedures of Funds and Investment Advisers
Appendix E--Illustrative Practitioner's Agreed-Upon Procedures Report

INTRODUCTION AND BACKGROUND
In December 2003, the Securities and Exchange Commission (SEC) adopted Rule 38a-1 under the Investment Company Act of 1940 and Rule 206(4)-7 under the Investment Advisers Act of 1940. The rules were adopted to protect investors by ensuring that (a) each investment company registered with the SEC under the Investment Company Act of 1940, and each business development company(1) (collectively, funds) has an internal program to enhance compliance with federal securities laws (2) and (b) each investment adviser registered with the SEC has an internal program to enhance compliance with the Investment Advisers Act of 1940, including SEC rules issued thereunder.
Many operations of funds and, in some instances, operations of investment advisers are carried out by entities that provide services to the funds or investment advisers. In this Statement of Position (SOP), such entities are termed service providers. Service providers have their own compliance policies and procedures that may affect or be part of a fund's or investment adviser's compliance or internal control over compliance with federal securities laws, individual statutes or provisions thereof, or corresponding SEC rules (federal securities laws or elements thereof). (3) Rule 38a-1 requires each fund to adopt and implement written policies and procedures reasonably designed to prevent violation of federal securities laws by the fund or any of the following service providers named in the rule: investment advisers, principal underwriters, administrators, and transfer agents. Accordingly, a fund's compliance policies and procedures provide for oversight of the compliance procedures performed by the named service providers. Further, Rule 206(4)-7 requires an investment adviser to adopt and implement written policies and procedures reasonably designed to prevent violation by the investment adviser and its supervised persons of the Investment Advisers Act of 1940 and SEC rules issued thereunder. In this SOP, the term service providers refers to the service providers named in Rule 38a-1 as well as other service providers, such as custodians. The term user organization generally refers to a fund or investment adviser that uses the services of a service provider. In some instances, a single entity may be a service provider and a user organization. For example, Administrator A, in its capacity as a service provider to a fund, may be responsible for monitoring whether the fund's registration statement filed with the SEC complies with SEC disclosure requirements, but may subcontract that function to Administrator B that specializes in that area.
In this situation, Administrator A is also a user organization because it uses the services of Administrator B. In this SOP, Administrator B is referred to as a subservice provider. In applying the guidance in this SOP, a subservice provider is considered a service provider.
Among other provisions, the rules mentioned in paragraph 1 require funds and investment advisers to:
* Adopt and implement written policies and procedures (4) reasonably designed to prevent violation of, in the case of funds, federal securities laws and, in the case of investment advisers, the Investment Advisers Act of 1940, including SEC rules issued thereunder
* Review those policies and procedures at least annually for their adequacy and the effectiveness of their implementation (5)
* Designate a chief compliance officer (CCO) to be responsible for administering the policies and procedures (for funds, the CCO must report directly to the fund's board of directors)
SEC Release Nos. IC-26299 and IA-2204 adopting the rules note that it may be impractical for a fund or its CCO to directly review all of its named service providers' policies and procedures, particularly if one or more of the service providers are not affiliated with the fund. In these circumstances, the SEC considers the fund to have satisfied the requirements of Rule 38a-1 if the fund's board of directors, in evaluating whether to approve the service provider's compliance program, uses a "third-party report" on the service provider's policies and procedures. (6) In the United States fund industry, in connection with the audit of a fund's financial statements, a number of service providers are accustomed to engaging an independent auditor to report on the suitability of the design and operating effectiveness of controls at the service provider that may be relevant to the fund's internal control over financial reporting. These engagements are performed under AU section 324, Service Organizations (AICPA, Professional Standards, vol. 1), as amended, and reports issued thereunder are used by the funds' independent auditor when auditing the funds' financial statements. Similarly, since the adoption of the rules in December 2003, service providers have received requests from funds and investment advisers for information and assurance regarding the suitability of the design and operating effectiveness of the service provider's controls in achieving compliance control objectives. Also, in some circumstances, subservice providers (service providers that provide services to other service providers, for example, a service organization that reports fund share balances and transactions of retirement plan participants, in aggregate, to a fund's transfer agent and maintains records thereof) have received similar requests from service providers.
Such information assists funds and investment advisers in fulfilling their responsibilities to perform an annual review of specified compliance activities and assists service providers and subservice providers in their consideration of their own controls.
For specific information about the rules, readers should refer to "Compliance Programs of Investment Companies and Investment Advisers" at the United States SEC Web site at http://www.sec.gov/...