A core compliance activity for mutual fund managers is monitoring the operations of their intermediary partners that distribute fund shares. The most reliable and efficient means of satisfying these oversight obligations lies with audited control reports (SOC, FICCA) that describe each intermediary’s operating environment.
Since 2013, NQR has reviewed hundreds of these reports on behalf of fund companies as part of the funds’ intermediary oversight programs. As a result, NQR has gathered extensive data regarding which controls related to fund distribution typically are – or are not – sufficiently addressed in intermediary SOC and FICCA reports.
This white paper shares some of our insight by diving deeper into a very specific component of audit report review: exceptions. Where do exceptions most frequently occur in intermediary distribution operations, and why?
What Counts As an Exception?
Before we discuss how the upcoming data is collected from NQR’s review, let’s cover the basics. In simplest terms, an exception is a deviation in the operating effectiveness of an intermediary in comparison to its stated controls, processes, and policies. An exception occurs when, through the course of third-party testing, the auditor observes that a control does not perform up to the described standards.
NQR’s intermediary audit report review focuses only on controls related to mutual fund distribution as identified by the Investment Company Institute’s Financial Intermediary Controls and Compliance Assessment (FICCA) framework. Regardless of the report type provided, NQR performs a gap analysis between each report’s content and 82 underlying control descriptions derived from the FICCA’s 17 Areas of Focus.
The analysis reflects whether each FICCA-based control description is (1) Addressed, (2) Tested, and (3) Sufficient as described by the report. If the auditor notes that a certain control description was tested but failed to meet the described standards, it is deemed an exception (“Insufficient”) for that control description within the encompassing Area of Focus.
Where Do Exceptions Most Frequently Occur?
According to NQR data, the frequency of distribution-related exceptions is far from uniform. This can be explained by a number of factors:
- Testing: An exception can only be noted where a control is tested; in the absence of testing, no deviation will be observed. The FICCA Areas of Focus of Management Reporting, Risk Governance Program, and Third-Party Oversight usually go untested in both SOC and FICCA reports because they are management descriptions. Thus, exceptions in these areas are rare.
- Audit Type: SOC 1 reports are designed to focus on internal controls related to financial reporting versus mutual fund distribution. As a result, some Areas of Focus in the FICCA framework, such as Anti-Money Laundering and Fee Calculations, may not be addressed or subject to testing in a SOC 1.
- Automation: Operations that do not rely on manual work or data input are generally less likely to result in deviations because of their highly automated nature. Areas of Focus such as Security Master Setup and Maintenance and Cash and Share Reconciliations, for example, are highly automated and involve limited personnel.
Frequency by Area of Focus
Although certainly occurring in other areas, exceptions are most frequently found in the areas of Transaction Processing and Information Technology. From 2016 to 2021, in reports reviewed by NQR:
- Transaction Processing exceptions averaged 19.9% of all exceptions
- Information Technology exceptions averaged 63.5% of all exceptions
Together, control deviations observed in Transaction Processing and Information Technology accounted for roughly 83% of all exceptions in that time span.
Why is that share so high? This is primarily because operations in these areas are addressed in both FICCA and SOC reports. Also, these operations, in comparison with other Areas of Focus, are more reliant on manual processing, the involvement of numerous personnel, and the use of multiple applications and systems.
Frequency by Control Description
At a deeper level, some exception types within these broader Areas of Focus occur more frequently than others. In regard to the Transaction Processing Areas of Focus, exceptions related to Authorization/Good Order, Accuracy and Completeness, Timeliness, and Exception Processing occur more often than deviations for Share Pricing and Fund Distributions. The same factors contribute to this higher frequency — that is, reliance on manual workflows and operational complexity.
Within the Information Technology focus area, exceptions are mostly concentrated in Logical Access, Physical Access, and Change Control Processes. By comparison, Network Infrastructure/Security, Processing Control and Management, Data Transmissions, and Data Backup are highly automated, daily operations that involve only Information Technology personnel and are less likely to produce deviations from control objectives.
Reviewing Beyond Exceptions
Understanding exceptions is important because they indicate a discrepancy between the way an intermediary describes its controls and how it actually performs. This intelligence is essential to funds satisfying their third-party oversight requirements.
However, it is important to note that NQR does not endorse searching only for exceptions when reviewing audit reports. Exceptions are just one piece of our recommended, much more in-depth analysis, which identifies not only the FICCA framework content that is addressed by an audit report, but also the FICCA content that is not addressed.
Because NQR’s team highlights these distribution-related exceptions and content gaps, funds can shift focus from manual review to assessing the implications of the report findings. This might entail deciphering whether particular findings are material to their business – and then deciding how to quickly remediate any issues with the intermediary.