Documentos de Académico
Documentos de Profesional
Documentos de Cultura
I. Introduction
Financial intermediary relationships are complicated arrangements, demanding significant commitment
from fund complexes for management and oversight. As regulatory initiatives continue to create new or
expanded regulatory compliance requirements, and because many intermediaries have moved away from
holding individual broker controlled accounts on the books of fund companies in favor of aggregated
omnibus accounts,1 mutual fund complexes are challenging and continuing to enhance their oversight
procedures to ensure that intermediaries are meeting their obligations.
Intermediary Oversight
Given the financial intermediarys direct control over and knowledge of its customers fund positions,
mutual fund oversight often includes monitoring certain intermediary activities to ensure adherence to
mutual fund regulations, contractual obligations, and compliance with the terms of fund prospectuses and
statements of additional information (SAIs).
Many fund sponsors have deployed policies and procedures to review the adequacy and effectiveness of
an intermediarys compliance controls, which may include onsite examinations, certifications, receipt
of transparency data, review of analytics, and questionnaires. However, some of these methods can be
duplicative and inefficient for intermediaries that have agreements with multiple fund complexes.
Omnibus accounts are held in the name of the intermediary on a mutual fund transfer agents records. The intermediary
maintains the underlying shareholder account information on its own recordkeeping systemsa process known
as subaccountingand reports share transactions to the funds on an aggregate basis. The intermediary handles all
communications and servicing of its customer accounts. As a result, the underlying shareholders in an omnibus account
do not directly interact with the fund organization, and the fund organization may have little, if any, knowledge or limited
transparency about such underlying shareholders.
The scope of the auditors examination is intended to be f lexible for the intermediary completing the
engagement. The specific details of the engagement are agreed upon by the auditor and the intermediary
firm. For example, if an omnibus firm has previously engaged an auditor to perform an examination under
SSAE 16, Reporting on Controls at a Service Organization (formerly SAS 70) covering certain aspects of its
operations, the FICCA assessment could be used to provide assurance on those areas not covered by the
SSAE 16 report.2 The intermediary also may provide the FICCA auditors report and other control reports
to all of the funds it represents, thereby reducing the need for overlapping compliance reviews by each
fund complex.
SSAE 16 reports, prepared in accordance with the AICPAs Auditing Standards Boards Statement on Standards for
Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, are specifically intended to meet
the needs of the management of user entities and the user entities auditors, as they evaluate the effect of the controls at the
service organization on the user entities financial statement assertions.
T he column in the 2008 version of the matrix titled Sample Control Objectives was renamed
Management Description or Controls Testing and now also indicates whether each area of focus
should be subject to controls testing or covered in a management narrative.
The Management Description or Controls Testing and Points to Consider for the areas of
focus were streamlined where appropriate to facilitate a more efficient engagement process for
intermediaries and audit firms.
Language was added to the Points to Consider section of the matrix to clarify that the points
provided are not intended to be a checklist or comprehensive listing of all relevant factors that may
be considered for each control environment or engagement.
Importantly, a key goal of the working group was to preserve f lexibility for intermediaries when providing
funds independent assessments of the 17 control areas defined in the matrix. Because intermediaries
may complete other attest engagements (such as an SSAE 16) in which certain controls defined on the
matrix are already tested, the working group agreed that intermediaries should not be required to
have independent audit firms perform duplicate testing or reporting. Consistent with the 2008 FICCA
framework, an intermediary may provide multiple reports that cover the 17 controls defined in the matrix
through either a combination of a FICCA report and other control report (e.g., SSAE 16) or through an allinclusive FICCA report.
Areas of Focus
Each of the areas of focus described in the matrix as listed below should be addressed on an annual
basis as part of the financial intermediarys controls and compliance engagements. This includes having
an independent auditor test the operating effectiveness of controls as well as providing additional
documentation to the fund complex to describe the policies, procedures, and controls that are in place for
areas of focus that do not require formal operating effectiveness testing.
The matrix identifies whether each focus area might be covered in a FICCA report or an SSAE 16 report.
The financial intermediary and its audit firm may use the Mapping Template for Control Reports provided
in Section V to indicate where the recommended audit coverage can be found.
1.
2.
3.
Third-Party Oversight
4.
Code of Ethics
5.
6.
7.
8.
9.
10.
11.
12.
Shareholder Communications
13.
14.
Fee Calculations
15.
16.
17.
Description of the
Area of Focus
Area of Focus
Financial
Intermediary
FICCA Report
Third-Party
Vendor SSAE
16 Report
Financial
Intermediary
SSAE 16 Report
Reporting Mechanism
Management Description
or Controls Testing
The FICCA matrix is organized in a table, and heading definitions are as follows:
Points to Consider
1) Management
Reporting
(Quality Control)
2) Risk
Governance
Program
Area of Focus
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Reporting Mechanism
Management Description
Management Description
Management Description
or Controls Testing
Information technology;
Points to Consider
3) Third-Party
Oversight
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Management Description
Management Description
or Controls Testing
Communication protocols;
subcontractors;
Points to Consider
Area of Focus
4) Code of Ethics
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Formally documented;
Management Description
or Controls Testing
Points to Consider
5) Information
Security Program
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
regulations, and
(subcontractors).
operations;
information;
Points to Consider
Formally documented;
Management Description
or Controls Testing
6) AntiMoney
Laundering
(AML) and the
Prevention
of Terrorist
Financing
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Formally documented;
Management Description
or Controls Testing
Points to Consider
7) Document
Retention and
Recordkeeping
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
manner;
Subcontractor/vendor compliance.
etc.; and
retained;
Formally documented;
appropriate governing body);
Points to Consider
Management Description
or Controls Testing
8) Security
Master Setup and
Maintenance
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Management Description
or Controls Testing
Points to Consider
9) Transaction
Processing
Financial and
Nonfinancial
(e.g., Account
Setup and
Maintenance)
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Financial:
Points to Consider
Financial:
Management Description
or Controls Testing
9) Transaction
Processing
Financial and
Nonfinancial
(e.g., Account
Setup and
Maintenance)
(continued)
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Proxy activities
remitting of withholding)
Nonfinancial:
Points to Consider
Nonfinancial:
Management Description
or Controls Testing
10) Cash
and Share
Reconciliations
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Points to Consider
Monitoring by management.
and,
Management Description
or Controls Testing
12) Shareholder
Communications
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Management Description
or Controls Testing
Management monitoring.
statements (confirmations, monthly, quarterly, and yearend communications) and tax reporting (e.g., information
reporting and withholding/remittance to shareholders
and the IRS) get shipped or communicated (including
electronically), and
Points to Consider
13) Subaccount
Billing, Invoice
Processing
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Management Description
or Controls Testing
Points to Consider
14) Fee
Calculations
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
types, if applicable;
Points to Consider
Management Description
or Controls Testing
15) Information
Technology
(Including
Internet and
VRU)
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Security infrastructure;
Physical security:
Network security;
Technology services;
certain clients?);
Points to Consider
Management Description
or Controls Testing
16) Business
Continuity/
Disaster
Recovery
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
systems recoverability.
manner;
Formally documented;
Management Description
or Controls Testing
Facilities; and,
People;
Systems;
processes;
offsite locations;
annual, semiannual);
general provisions;
Points to Consider
Area of Focus
Reporting Mechanism
Financial
Intermediary
Financial
Third-Party
SSAE 16
Intermediary Vendor SSAE
Report
FICCA Report 16 Report
Management Description
or Controls Testing
Points to Consider
Term
Definition
General
AT 101 report
AT 101 reports are intended to meet the needs of a broad range of users that need
to understand internal control at a service organization. These reports are intended
for use by stakeholders (e.g., customers, regulators, business partners, suppliers,
directors) of the service organization that have a thorough understanding of the
service organization and its internal controls. These reports can form an important
part of stakeholders:
Control activities are the policies and procedures that help ensure that
management directives are carried out.
Control environment
The control environment sets the tone of an organization, influencing the control
consciousness of its people. It is the foundation for all other components of internal
control, providing discipline and structure.
Control objective
Operating effectiveness
SSAE 16 report
of the service organizations system and the suitability of the design and
operating effectiveness of the controls to achieve the related control objectives
included in the description throughout a specified period.
Section
Term
Definition
General
Third-party vendor
organization
Section 2
Internal control
Internal control is the set of policies and procedures designed, implemented, and
maintained by those charged with governance, management, and other personnel
to provide reasonable assurance about the achievement of the entitys objectives
with regard to reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations.
Risk assessment
Risk assessment is the entitys process for identifying and analyzing risks relevant
to achieve its objectives, as well as forming a basis for determining how those risks
should be managed.
Section 4
Code of ethics
Section 6
AML (antimoney
laundering)
Congress passed the Bank Secrecy Act (BSA) in 1970 as the first laws to fight
money laundering in the United States. The BSA requires businesses to keep
records and file reports that are determined to have a high degree of usefulness in
criminal, tax, and regulatory matters. The documents filed by businesses under the
BSA requirements are heavily used by law enforcement agencies, both domestic
and international, to identify, detect, and deter money laundering whether it is
in furtherance of a criminal enterprise, terrorism, tax evasion, or other unlawful
activity.
The Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury
administers and enforces economic and trade sanctions based on U.S. foreign
policy and national security goals against targeted foreign countries and regimes,
terrorists, international narcotics traffickers, those engaged in activities related to
the proliferation of weapons of mass destruction, and other threats to the national
security, foreign policy, or economy of the United States.
Subaccounting platform
Controls that the service organization assumes, in the design of its service, will
be implemented by the user entity, and which, if necessary to achieve control
objectives, are identified in the description of its system.
Account closeout
As-of transaction
A transaction that receives an effective date prior to its trade (processing) date.
Beneficial owner
Term for the underlying investor who owns fund shares in an account held on the
intermediarys books and records. The shares, in turn, are held in an aggregate
omnibus account registered to the intermediary firm on the fund transfer agents
recordkeeping system.
Section 8
Section 9
Section
Section 9
Term
Definition
Statement of additional
information (SAI)
Brokerage platform
CUSIP
A means of uniformly describing and identifying all stocks and registered bonds
in numeric form developed by the Committee on Uniform Security Identification
Procedure (CUSIP).
Omnibus position
Transfer agent
Abandoned property
Assets such as cash, stocks, bonds, mutual funds, uncashed checks, land, life
insurance policies, and the contents of safe deposit boxes that have been turned
over to the state after prescribed periods of inactivity.
The primary U.S. government agency responsible for the regulation of the day-today operations and disclosure obligations of registered investment companies.
Section 13
Subaccount billing
Fees calculated and billed to mutual fund complexes by financial intermediaries for
shareholder servicing, recordkeeping, and reporting functions.
Section 14
A fee imposed by some mutual funds when shares are redeemed (sold back) during
the first few years of ownership. CDSCs typically decline over a specified number
of years, eventually falling to zero. Under specific prospectus provisions, the CDSC
is triggered if the investor redeems fund shares before a given number of years of
ownership (typically six to eight years for Class B shares).
Free shares
Acquired shares that are not subject to a commission (e.g., shares are no longer, or
were never, subject to front- or back-end sales charges).
Amounts charged for the sales of some mutual fund shares. Charges may vary
depending on the amount invested and the fund chosen. By regulation, mutual
fund sales charges are capped.
Lot tracking
Recording of the investors share purchase and redemption activity to enable the
calculation and tax treatment for compliance and reporting upon sale.
Redemption fees
The amount a shareholder may pay to the fund when redeeming fund shares
within a specified period of time. This fee is to cover the costs associated with the
redemption and to deter market timing activity.
Section 10
Section 11
Section
Section 14
Term
Definition
Right of accumulation
Share aging
Tracking of the investors share purchase and sale activity for load funds so the
appropriate fees and sales charges are applied based on purchase date and sale
date.
Share class
Many mutual funds offer investors different types, or classes, of shares (e.g.,
Class A, Class C, institutional shares). Each class will invest in the same portfolio
of securities and will have the same investment objectives and policies, but each
class will have different shareholder profiles and services and/or distribution
arrangements with different fees and expenses and, therefore, different expense
ratios. A multiclass structure offers investors the ability to select a fee and expense
structure that is most appropriate for their investment goals (including the time
that they expect to remain invested in the fund).
12b-1 fee
A mutual fund fee, named for the SEC rule that permits it, used to pay distribution
costs and administrative service fees such as compensation to financial advisers for
initial and ongoing assistance. If a fund has a 12b-1 fee, it will be disclosed in the
fee table of the funds prospectus.
Waiver
Section 15
Section 17
E
L
P
M
A
S
accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any
evaluations of effectiveness to future periods is subject to the risk that controls may become
inadequate because of changes in conditions, that the degree of compliance with such controls may
deteriorate, or that changes made to the system or controls, or the failure to make needed changes
to the system or controls, may alter the validity of such evaluations.
Other information provided by [Client Name]
E
L
The information included in Section Five, Other Information Provided by [Client Name]
(unaudited), is presented by management of the Company to provide additional information
and is not a part of managements assertion. Information about the Companys [Additional
Information] has not been subjected to the procedures applied in the examination of managements
assertion and of the suitability of the design and operating effectiveness of controls to achieve
the specified control objectives stated in managements assertion and accordingly, we express no
opinion on it.
Opinion
A
S
P
M
In our opinion, managements assertion referred to above is fairly stated, in all material respects,
based on the specified control objectives set forth in managements assertion.
Description of tests of controls
The specific controls tested and the nature, timing, and results of those tests are listed in Section
Four.
Restricted use
This report, including the description of tests of controls and results thereof in Section Four,
is intended solely for the information and use by the management of the Company, and by the
user organizations of the Companys financial intermediary functions during the period [Period
Start] to [Period End] and is not intended to be and should not be used by anyone other than these
specified parties.
[Signature]
[Date]
E
L
Managements description identifies the framework areas of focus that are excluded from
managements description or addressed in another report on [Client Name]s controls.
Additionally, as stated in managements description, [Client Name] uses the following subservice
organizations:
P
M
A
S
We have evaluated whether [Clients Name]s controls were suitability designed and operating
effectively to achieve the specified control objectives throughout the period [Period Start] to
[Period End]. The criteria against which the controls were evaluated are the specified control
objectives included in managements description. Based on our evaluation, we assert that:
The controls were suitably designed as of [Period End] to provide reasonable assurance
that the specified control objectives would be achieved, if those controls were complied
with satisfactorily and user organizations applied the user control considerations
contemplated in the design of [Client Name]s controls as of [Period End].
The controls were operating with sufficient effectiveness to provide reasonable
assurance that the specified control objectives were achieved throughout the
period [Period Start] to [Period End], if user organizations applied the user control
considerations contemplated in the design of [Client Name] controls throughout the
period [Period Start] to [Period End].
[Sign]
[Date]
1 The
2
Recommended
Audit Coverage
Management
Description
Management
Description
3. Third-Party Oversight
Management
Description
4. Code of Ethics
Controls Tested
Controls Tested
Controls Tested
SSAE 16 Report
for the period
[date] to [date]
Controls Tested
Controls Tested
Controls Tested
Controls Tested
Controls Tested
Controls Tested
Controls Tested
Controls Tested
Controls Tested
Controls Tested
Third-Party
Vendor SSAE 16
Report for the
period [date] to
[date]
AICPA
Standard
AT Section
801
Engagement Type
Report Includes
Reporting on
Controls at a Service
Organization
Relevant to User
Entities Internal
Control over Financial
Reporting
Restrictions on the
Use of the Report
Examples
Management of the
service organization,
user entities, and the
auditors of the user
entities financial
statements
SAS 70/SSAE
16 reports
Report covering
one or more of
the Trust Services
Principles
Soc 2
AT Section
101
Reporting on
Controls at a Service
Organization
Relevant to Security
Availability,
Processing Integrity,
Confidentiality, or
Privacy
SOC 3
AT Section
101
Reporting on
Controls at a Service
Organization
Relevant to Security
Availability,
Processing Integrity,
Confidentiality, or
Privacy
SysTrust or
WebTrust
AT101
AT Section
101
Reporting on a
Service Providers
Controls to Achieve
Compliance Control
Objectives Relevant
to SEC Rules 38a-1
and 206(4)-7
17Ad-13,
Custody Rule,
Financial
Intermediary
Controls and
Compliance
Assessment
(FICCA),
CCO/38a-1
Chief compliance
officers, management,
boards of directors,
and independent
auditors of the service
provider and of the
entities that use the
services of the service
provider
Common
Name
AgreedUpon
Procedures
(AUP)
AICPA
Standard
AT Section
201
Engagement Type
Performing the
Agreed-Upon
Procedures Referred
to in Paragraph 3 of
SSAE No. 16
Report Includes
Performing and reporting
Restrictions on the
Use of the Report
Examples
Equity
Compensation,
or Specific
calculations
Limited number
of parties who
established the
criteria or can
be presumed to
understand the
criteria
Vendor Contract
Compliance, Reg
AB
Compliance
Attestation
AT Section
601
Reporting on
Controls over
Compliance with
Laws and Regulations
1401 H Street, NW
Washington, DC 20005
202-326-5800
www.ici.org