Are You A Broker-Dealer? Have You Considered A Service Audit Report?

Broker-dealers play a key role in the securities and derivatives trading process in the financial services industry. Since the recent recession and the failures of several major financial institutions, demand from clients and regulators for strong internal controls and transparency has never been greater.

Broker-dealers can demonstrate an adequate system of internal controls to their clients by engaging an independent public accounting firm to perform a service audit, namely a Service Organization Controls (SOC 1) examination. SOC 1 examinations (formerly SAS 70s) are performed in accordance with the Statement on Standards for Attestation Engagements (SSAE) 16 for Reporting on Controls at a Service Organization, issued by the AICPA (American Institute of Certified Public Accountants). SSAE 16 mirrors its international “assurance” equivalent, ISAE 3402, which was issued by the International Auditing and Assurance Standards Board (IAASB), a standard-setting board of the International Federation of Accountants (IFAC).

SOC 1 reports focus on controls of the broker-dealer that would be relevant to an audit of a client’s financial statements. Two types of reports can be issued: a Type I and a Type II. Key differences between them are as follows:

| SCOPE OF REPORT/OPINION | TYPE I | TYPE II |
|---|---|---|
| Period covered | Report is issued as of a specified date | Report is issued for a specified period |
| Fairness of the presentation of management’s description of the broker-dealer’s system | Covered | Covered |
| Suitability of the design of the controls to achieve the related control objectives included in the description | Covered | Covered |
| Operating effectiveness of the controls to achieve the related control objectives included in the description | Not Covered | Covered |
| RELIANCE BY CLIENT’S (USER) AUDITOR: | | |
| Does it assist User Auditor in obtaining sufficient understanding of the broker-dealer’s internal controls in order to plan the financial statement audit? | Yes | Yes |
| Does it provide the User Auditor with a basis for reducing the assessed level of control risk and thereby reducing substantive procedures? | No | Yes |

As can be seen from the above table, a Type II report is the preferred route as it includes testing of the operational effectiveness of controls. It thereby provides the auditors of the user entities with a reasonable basis to evaluate the Internal Controls over Financial Reporting (ICFR) of the broker-dealer.

CONTROLS SURROUNDING

  • Client Account Setup and Maintenance
  • Authorization and Processing of Client Transactions
  • Processing of Income and Action Transactions
  • Reconciliation of Funds and Securities to Depositories and other Custodians
  • Client Reporting and Billing
  • IT General Controls – Physical Security and Environmental Controls
  • IT General Controls – Logical Security
  • IT General Controls – Data Backup & Retention
  • IT General Controls – Change Management
  • IT General Controls – Computer Operations

KEY STEPS INVOLVED IN ISSUING A SOC 1 REPORT

READINESS ASSESSMENT (NON-ATTESTATION)

  • Can be performed by the Service Auditor or Management
  • Involves understanding of existing processes and relevant controls
  • Control weaknesses and gaps in controls are identified
  • List of control objectives and underlying control activities formulated

REMEDIATION OF CONTROL GAPS

  • Performed by Management
  • Identified control gaps remediated
  • Controls in place and operating effectively ensured
  • Management reviews the design and operating effectiveness of the control objectives and related control activities
  • Management prepares written assertion and description of its system

SOC 1 TYPE I OR TYPE II EXAMINATION (ATTESTATION)

  • Performed by the Service Auditor as of a specified date (Type I) or for the defined audit period (Type II, typically annually, but generally not less than 6 months)
  • Auditor provides an opinion on whether:
      • The description was fairly presented
      • The controls were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively
      • Type II only: The controls were operating effectively to provide reasonable assurance that the control objectives were achieved
  • Issuance of SOC 1 Report

If you are a company in need of SOC 1 report services or would like to understand how such SOC reports can assist you in your business, please reach out to Vivek Agarwal ([email protected]) or your local WS+B advisor.
