Title slide default type size 60 pt Times New Roman - PowerPoint PPT Presentation

About This Presentation
Title:

Title slide default type size 60 pt Times New Roman

Description:

Mutual Fund Directors Forum ... Requirements for Mutual Funds Regarding Internal Controls ... Why are Internal Controls so important in a mutual fund environment? ... – PowerPoint PPT presentation

Slides: 35
Provided by: sebasti97

Transcript and Presenter's Notes


1
Mutual Fund Directors Forum: Directors' Guide to
Internal Control. Presented by Deloitte & Touche
LLP
Deloitte & Touche LLP, August 2, 2005
2
Agenda
  • Introduction: What is Enterprise Risk Management
    and Internal Control?
  • Conceptual Framework (COSO) and SAS 70s
  • Requirements for Mutual Funds Regarding Internal
    Controls

3
What is Enterprise Risk Management?
  • a process, effected by an entity's board of
    directors, management and other personnel,
    applied in strategy setting and across the
    enterprise, designed to identify potential events
    that may affect the entity, and manage risks to
    be within its risk appetite, to provide
    reasonable assurance regarding the achievement of
    entity objectives.
  • Source: COSO Enterprise Risk Management -
    Integrated Framework. 2004. COSO.

4

What is Internal Control?
  • A process effected by people, including an
    entity's board of directors, management and other
    personnel.
  • A process designed to provide reasonable
    assurance regarding the achievement of objectives
    in the following categories:
  • Reporting: reliability of reporting
  • Strategic: high-level goals aligned with and
    supporting the mission
  • Operations: effective and efficient use of
    resources
5
An Effective Internal Control System
What is it?
  • An effective internal control system enables you
    to manage significant risks and monitor the
    reliability and integrity of financial and
    operating information. It includes:
  • An ethical environment
  • Risk assessment and control activities
  • Policies and procedures
  • Segregation of duties
  • Supervisory review
  • Data security (limited access)
How do you accomplish it?
  • Policies and procedures
  • Segregation of duties
  • Appropriate supervision
  • Structured training
  • Straight Through Processing (STP)
  • Hiring the best
  • Vendor/counterparty due diligence
  • Tone from the top
Why is it important?
  • Data integrity
  • Safeguarding of assets
  • Accountability
  • Consistency, therefore, comparability
  • Ability to detect issues, deviations more quickly
  • Deterrent to fraud (not designed to avoid fraud)

6
Benefits of Systems of Internal Control
1. Compliance with laws and regulations
2. Integrity of information
3. Timely information
4. Reliable financial reporting
5. Confidentiality, as needed
6. Greater likelihood of preventing, detecting
and correcting undesired events
7. Effective and efficient operations
8. Higher probability of achieving business
objectives
7
Importance of Internal Controls to a Mutual Fund
Why are Internal Controls so important in a
mutual fund environment?
  • US Mutual Funds close their books every day
  • Shareholders transact daily at a stated NAV
  • Low materiality threshold for errors (NAVs and
    income distribution)
  • On a daily basis, high volume of (electronic)
    transactions
  • Focus on compliance with federal securities laws
    and other applicable regulations
  • Heightened risk of a regulatory violation

8
Evolution of Internal Controls
  • 1985: Treadway Commission formed
  • 1992: AICPA issues Statement on Auditing
    Standards No. 70 (SAS 70)
  • 1992: Internal Control - An Integrated Framework
    published by COSO
  • 2002: Sarbanes-Oxley legislation
  • 2003: Rules 38a-1 and 206(4)-7 adopted (CCO)
  • 2004: COSO Enterprise Risk Management -
    Integrated Framework
9
Agenda
  • Introduction: What is Internal Control?
  • Conceptual Framework (COSO), SAS 70s and
    Sarbanes-Oxley
  • Requirements for Mutual Funds Regarding Internal
    Controls

10
COSO Background and Overview
  • The Treadway Commission was formed in 1985 to
    deal with what was perceived as an unacceptably
    high incidence of fraudulent financial reporting.
  • The Committee of Sponsoring Organizations of the
    Commission (COSO), comprised of key public and
    professional bodies, noted that poor control was
    a root cause of many business failures.
  • Accordingly, COSO recommended that businesses
    provide assertions on the effectiveness of their
    control systems through a framework of internal
    control.
  • The Internal Control - Integrated Framework was
    published by COSO in 1992.
  • The COSO Enterprise Risk Management - Integrated
    Framework was published by COSO in 2004.

11
COSO: An Integrated Framework
  • COSO offers an integrated framework that defines
    internal control by eight interrelated
    components:
  • Internal Environment
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information & Communication
  • Monitoring

12
COSO: An Integrated Framework
Tone at the top
  • The internal environment encompasses the tone of
    an organization and sets the basis for how risk
    is viewed and addressed by an entity's people,
    including risk management philosophy and risk
    appetite, integrity and ethical values and the
    environment in which they operate.
  • An effective internal control environment exists
    when employees understand their responsibilities
    and authority, and are committed to acting
    ethically.

13
COSO: An Integrated Framework
Establishing management's control objectives
  • Objectives must exist before management can
    identify potential events affecting their
    achievement.
  • Objectives chosen should support and align with
    the entity's mission and be consistent with its
    risk appetite.

14
COSO: An Integrated Framework
Event Identification
  • Internal and external events affecting
    achievement of an entity's objectives should be
    identified.

15
COSO: An Integrated Framework
Identify Risks to Determine Required Response and
Control Activities
  • Risk assessment starts with identifying risks
    associated with business objectives linked
    through all levels of the organization including
    entity-wide and activity-level risks
  • Risk assessment requires evaluation of external
    and internal factors and the impact on
    operations, financial reporting, compliance, and
    reporting

16
COSO: An Integrated Framework
  • Management needs to choose how it will respond
    to an identified risk: avoiding, accepting,
    reducing or sharing risk.
  • Develop a set of action plans to align the
    identified risks with the organization's risk
    tolerances and risk appetite.

Responding to the risks identified
17
COSO: An Integrated Framework
  • Control activities are policies and procedures
    that help to ensure that actions identified to
    manage risks are effectively carried out.
  • The control activities should be embedded within
    the operations of the business and used to manage
    risks to reasonable levels. Focuses on
    prevention, detection, correction.
  • Disciplinary action should be established,
    communicated, and consistently administered for
    noncompliance.

Design and implement control activities to manage
risk
18
COSO: An Integrated Framework
  • Information and communication is needed to
    effectively manage operations, prepare financial
    statements and determine compliance
  • Requires that relevant external and internal
    information be identified, captured, processed,
    and communicated throughout the organization in a
    timely manner.
  • Provided through various formal and informal
    means.
  • The integrity of information quality is
    imperative for making business decisions.
  • Requires internal control mechanisms to provide
    reasonable assurance that information is
    appropriate, current, timely, accurate, and
    accessible.

Identify and communicate information timely to
ensure controls are functioning
19
COSO: An Integrated Framework
  • The purpose of monitoring is to determine whether
    internal control is adequately designed,
    executed, effective, and adaptive.
  • Internal control performance should be assessed
    over time via some combination of ongoing
    monitoring and periodic evaluations
  • Scope and frequency of monitoring activities
    depend on significance of risks being controlled
    and importance of controls in reducing risks.
  • Monitoring activities should be built into
    normal, recurring operating activities of an
    organization.
  • Deficiencies found should have defined escalation
    path for reporting and follow-up and
    accountability for corrective action.

Ongoing monitoring and periodic checks of the
internal control system
20
What is SAS 70?
  • AICPA Statement on Auditing Standards No. 70,
    Service Organizations
  • Also commonly known as a Service Auditor Report
  • Report on the processing of transactions by
    service organizations as it relates to an audit
    of financial statements
  • Provides for reporting on a service
    organization's internal controls to:
  • Service Provider Management
  • Service Provider's Clients and their Clients'
    Auditors

21
Benefits of SAS 70
  • Provides an independent assessment of the
    organization's control procedures
  • Establishes whether those controls met the
    objectives stated by management
  • Demonstrates those controls to customers and
    their auditors
  • Minimizes the number of requested audits over the
    service organization's internal controls by
    different customers and their auditors
  • Provides management with a level of reasonable
    assurance over the control integrity of the
    processing environment

22
Where are SAS 70s Used in the Mutual Fund
Industry?
[Diagram: the Fund and its service providers
(Custodian or Subcustodian, Fund Accountant,
Transfer Agent, Fund Administration, Pricing
Service Provider, Investment Advisor), each marked
as "SAS 70 Typically Performed", "SAS 70 Sometimes
Performed" or "SAS 70 Not Historically Performed".]
23
Sarbanes-Oxley
  • The Sarbanes-Oxley legislation, Sections 302 and
    404 in particular, has increased the awareness
    and scrutiny of the design and operating
    effectiveness of internal controls.
  • Recent industry and regulatory events have
    required organizations to have greater awareness
    of their service providers' control environment
    and controls in place to manage risk.
  • Directors/Trustees have a fiduciary
    responsibility to understand and manage the risks
    presented by outsourcing critical aspects of
    their operations.
  • An increasing number of organizations are
    outsourcing key components of their operations,
    increasing the need and demand for third-party
    attestation reports such as SAS 70 reports.

24
Sarbanes-Oxley
  • Sarbanes-Oxley legislation does not mandate the
    production of SAS 70s; however, the legislation
    has:
  • Increased the awareness and scrutiny of internal
    controls
  • Required management to evaluate the significance
    of outsourced activities, processes and functions
    to the company's ICFR
  • Made obtaining a SAS 70 from external as well as
    internal service organizations a sound and
    prudent risk management practice
  • Made CEOs and CFOs responsible for establishing,
    evaluating, and monitoring the effectiveness of
    internal controls over financial reporting and
    disclosure (required by Sections 302 and 404)

25
Sarbanes 302 Recap
  • Original Rules:
  • Require that the Principal Executive Officer and
    Principal Financial Officer certify to
    Disclosure Controls and Procedures
  • Created new Form N-CSR as the conduit for the
    certification
  • Amended Rules:
  • Include certification that the Officers have
    established and maintained internal control over
    financial reporting; effective for the first
    annual report for fiscal years ended after
    11/15/04
  • Further amendments to the '33, '34 and '40 Acts
    added two further requirements:
  • Management's Discussion of Fund Performance to be
    included in the annual report (and thus
    certified)
  • Quarterly schedule of portfolio holdings to be
    filed and certified via Form N-Q

26
Sarbanes 302 Key Concepts
  • Definition of Disclosure Controls and
    Procedures
  • Designed to ensure that information required to
    be disclosed is recorded, processed, summarized,
    and reported in the time periods specified in
    SEC rules and forms
  • Should be designed to ensure required information
    is accumulated and communicated to management to
    allow timely decisions regarding relevant
    disclosure
  • Definition of Internal Control Over Financial
    Reporting
  • A process designed by (or under supervision of)
    principal officers
  • Provide reasonable assurance regarding the
    reliability of financial reporting
  • Reasonable assurance: relatively low risk that
    material misstatements will not be prevented or
    detected on a timely
  • Includes procedures that address:
  • Maintenance of records; recording of
    transactions; and prevention or timely detection
    of unauthorized acquisition, use or disposition
    of the registrant's assets

27
Sarbanes-Oxley 302 vs. 404 Requirements
28
Chief Compliance Officer (CCO): Rules 38a-1
and 206(4)-7
  • General Overview
  • The SEC adopted rules under the Investment
    Advisers Act (Rule 206(4)-7) and the Investment
    Company Act (Rule 38a-1) which require the
    implementation of Compliance Programs
  • The Compliance Programs must incorporate:
  • Written P&Ps reasonably designed to prevent
    violations of the federal securities laws
    (Compliance Controls)
  • A CCO who shall be responsible for the
    administration of the compliance P&Ps (a mutual
    fund's CCO generally performs oversight)
  • An annual review of the P&Ps for their adequacy
    and the effectiveness of their implementation and
    reporting of results

29
Compliance Program Rules: Annual Review
  • Investment Companies
  • A fund Board must review its compliance P&Ps
    annually and those of the Investment Adviser, TA,
    Distributor, and Administrator
  • The Board may rely upon a review submitted by the
    fund's CCO in his or her annual report submitted
    to the Board
  • The annual report of the CCO should address, at a
    minimum:
  • The operation of the compliance P&Ps of the fund
    and each service provider
  • Any material changes to the P&Ps since the last
    report
  • Any recommendations for material changes to the
    fund's P&Ps
  • Any material compliance matters since the date of
    the last report
  • Investment Advisers
  • Any compliance matters that arose during the
    previous year
  • Any changes in the business activities of the
    investment adviser or its affiliates that may
    require amendments to the P&Ps
  • Any changes to the adopted P&Ps that may be
    appropriate because of regulatory changes

30
Agenda
  • Introduction: What is Internal Control?
  • Conceptual Framework (COSO) and SAS 70s
  • Requirements for Mutual Funds Regarding Internal
    Controls

31
The Current Environment: Focus on Internal
Controls
  • The Compliance Program Rules, N-SAR requirements,
    Sarbanes-Oxley and other regulatory initiatives
    are forcing the industry to understand risk
    management concepts and are driving risk and
    control evaluation initiatives
  • Risk assessments, control activities, monitoring
    and testing are concepts that are quickly
    becoming ingrained in our collective conscience
  • Why is this?
  • Need a consistent, structured process to address
    the various rule requirements
  • Compliance Program Rules require an annual review
    of P&Ps, including Sarbanes, for their adequacy
    and the effectiveness of their implementation
  • Senior management certification requirements
    require complete, accurate and timely information
  • Some CCOs and others will likely be certifying to
    the Fund's controls partially in reliance on
    controls of third-party service providers

32
Certifications Under Form N-CSR and N-Q
  • Certifications Under Form N-CSR and N-Q
  • are responsible for establishing and
    maintaining disclosure controls and
    procedures and internal control over financial
    reporting
  • Designed such disclosure controls and procedures
    to ensure that material information is made known
    to us
  • Designed such internal control over financial
    reporting to provide reasonable assurance
    regarding the reliability of financial reporting
  • Evaluated the effectiveness of the registrant's
    disclosure controls and procedures and presented
    our conclusions about the effectiveness
  • Disclosed in this report any change in the
    registrant's internal control over financial
    reporting that occurred
  • The registrant's other certifying officer(s) and
    I have disclosed to the registrant's auditors and
    the audit committee:
  • All significant deficiencies and material
    weaknesses in the design or operation of internal
    control over financial reporting
  • Any fraud, whether or not material.

33
QUESTIONS?
34
About Deloitte: Deloitte refers to one or more of
Deloitte Touche Tohmatsu, a Swiss Verein, its
member firms and their respective subsidiaries
and affiliates. Deloitte Touche Tohmatsu is an
organization of member firms around the world
devoted to excellence in providing professional
services and advice, focused on client service
through a global strategy executed locally in
nearly 150 countries. With access to the deep
intellectual capital of 120,000 people worldwide,
Deloitte delivers services in four professional
areas, audit, tax, consulting and financial
advisory services, and serves more than one-half
of the world's largest companies, as well as
large national enterprises, public institutions,
locally important clients, and successful,
fast-growing global growth companies. Services
are not provided by the Deloitte Touche Tohmatsu
Verein and, for regulatory and other reasons,
certain member firms do not provide services in
all four professional areas. As a Swiss Verein
(association), neither Deloitte Touche Tohmatsu
nor any of its member firms has any liability for
each other's acts or omissions. Each of the
member firms is a separate and independent legal
entity operating under the names "Deloitte",
"Deloitte & Touche", "Deloitte Touche Tohmatsu"
or other related names. In the US, Deloitte &
Touche USA LLP is the US member firm of Deloitte
Touche Tohmatsu and services are provided by the
subsidiaries of Deloitte & Touche USA LLP
(Deloitte & Touche LLP, Deloitte Consulting LLP,
Deloitte Financial Advisory Services LLP,
Deloitte Tax LLP and their subsidiaries), and not
by Deloitte & Touche USA LLP. The subsidiaries of
the US member firm are among the nation's leading
professional services firms, providing audit,
tax, consulting and financial advisory services
through nearly 30,000 people in more than 80
cities. Known as employers of choice for
innovative human resources programs, they are
dedicated to helping their clients and their
people excel. For more information, please visit
the US member firm's web site at
www.deloitte.com/us.