A core compliance activity for mutual fund managers is monitoring the operations of their intermediary partners that distribute fund shares.
The most reliable and efficient means of satisfying these oversight obligations lies with audited control reports (SOC, FICCA) that describe each intermediary’s operating environment.
For more than a decade, National Quality Review (NQR), a Delta Data Company, has received and reviewed hundreds of such reports on behalf of fund companies. This analysis serves as a critical component in operating the funds’ intermediary oversight programs. As a result, NQR has gathered extensive data to identify which controls related to fund distribution typically are – or are not – sufficiently addressed in intermediary SOC and FICCA reports.
So, where do exceptions most frequently occur in intermediary distribution operations, and why?
What Counts as an Exception?
An exception is a deviation in the operating effectiveness of an intermediary in comparison to its stated controls, processes, and policies. It occurs when, over the course of third-party testing, the auditor observes that a control does not perform up to the described standards.
An acceptable intermediary audit report review focuses only on controls related to mutual fund distribution as identified by the Investment Company Institute’s (ICI) Financial Intermediary Controls and Compliance Assessment (FICCA) framework.
Regardless of the report type provided, it’s critical to perform a gap analysis between each report’s content and the 82 underlying control descriptions derived from the FICCA’s 17 Areas of Focus.
The analysis reflects whether each FICCA-based control description is (1) Addressed, (2) Tested, and (3) Sufficient as described by the report. If the auditor notes that a certain control description was tested but failed to meet the described standards, it is deemed an exception (“Insufficient”) for that control description within the encompassing Area of Focus.
Exception Trends
In 2022, which was the last full year of available data, NQR, a Delta Data Company, examined data for 98 firms – just under 150 audit documents.
Nearly two-thirds of the exceptions that appeared were in the Information Technology area of focus. The majority of those related to logical access, followed by change control. The next largest area of exceptions fell under Transaction Processing.
Those two areas (Information Technology and Transaction Processing) come up most frequently because they’re the broader operational areas. Information Technology, in particular, involves a lot of manual intervention that draws a lot of focus – constant actions being taken with a lot of changes. The multiple systems involved all affect how the exceptions tend to lean into these distinctive operational areas.
In the grand scheme of Intermediary Oversight, exceptions are significant pieces of the puzzle that must be included in the monitoring process in anticipation of the report results auditors may or may not reveal.
Reviewing Beyond Exceptions
Understanding exceptions is important because they indicate a discrepancy between the way an intermediary describes its controls and how it actually performs. This intelligence is essential to funds satisfying their third-party oversight requirements.
However, it is important to note that when reviewing audit reports, exceptions are just one piece of a more in-depth analysis, which identifies not only the FICCA framework content that is addressed by an audit report, but also the FICCA content that is not addressed.