Slide 1: Mutual Fund Directors Forum
Directors' Guide to Internal Control
Presented by Deloitte & Touche LLP
August 2, 2005
Slide 2: Agenda
- Introduction: What is Enterprise Risk Management and Internal Control?
- Conceptual Framework (COSO) and SAS 70s
- Requirements for Mutual Funds Regarding Internal Controls
Slide 3: What is Enterprise Risk Management?
- A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
- Source: COSO, Enterprise Risk Management - Integrated Framework, 2004.
Slide 4: What is Internal Control?
- A process effected by people, including an entity's board of directors, management and other personnel.
- A process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  - Reporting: reliability of reporting
  - Strategic: high-level goals, aligned with and supporting the mission
  - Operations: effective and efficient use of resources
Slide 5: An Effective Internal Control System
- What is it?
  - An effective internal control system enables you to manage significant risks and monitor the reliability and integrity of financial and operating information. It includes:
    - An ethical environment
    - Risk assessment and control activities
    - Policies and procedures
    - Segregation of duties
    - Supervisory review
    - Data security (limited access)
- How do you accomplish it?
  - Policies and procedures
  - Segregation of duties
  - Appropriate supervision
  - Structured training
  - Straight Through Processing (STP)
  - Hiring the best
  - Vendor/counterparty due diligence
  - Tone from the top
- Why is it important?
  - Data integrity
  - Safeguarding of assets
  - Accountability
  - Consistency, and therefore comparability
  - Ability to detect issues and deviations more quickly
  - Deterrent to fraud (not designed to avoid fraud)
Slide 6: Benefits of Systems of Internal Control
1. Compliance with laws and regulations
2. Integrity of information
3. Timely information
4. Reliable financial reporting
5. Confidentiality, as needed
6. Greater likelihood of preventing, detecting and correcting undesired events
7. Effective and efficient operations
8. Higher probability of achieving business objectives
Slide 7: Importance of Internal Controls to a Mutual Fund
Why are internal controls so important in a mutual fund environment?
- US mutual funds close their books every day
- Shareholders transact daily at a stated NAV
- Low materiality threshold for errors (NAVs and income distribution)
- On a daily basis, high volume of (electronic) transactions
- Focus on compliance with federal securities laws and other applicable regulations
- Heightened risk of a regulatory violation
Slide 8: Evolution of Internal Controls
(Timeline graphic with nodes: Treadway Commission, COSO, SAS 70, Sarbanes-Oxley, CCO)
- 1985: Treadway Commission formed
- 1992: AICPA issues Statement on Auditing Standards No. 70 (SAS 70)
- 1992: Internal Control - Integrated Framework published by COSO
- 2002: Sarbanes-Oxley legislation
- 2003: Rules 38a-1 and 206(4)-7 adopted
- 2004: COSO Enterprise Risk Management - Integrated Framework
Slide 9: Agenda
- Introduction: What is Internal Control?
- Conceptual Framework (COSO), SAS 70s and Sarbanes-Oxley
- Requirements for Mutual Funds Regarding Internal Controls
Slide 10: COSO Background and Overview
- The Treadway Commission was formed in 1985 to deal with what was perceived as an unacceptably high incidence of fraudulent financial reporting.
- The Committee of Sponsoring Organizations of the Commission (COSO), comprised of key public and professional bodies, noted that poor control was a root cause of many business failures.
- Accordingly, COSO recommended that businesses provide assertions on the effectiveness of their control systems through a framework of internal control.
- The Internal Control - Integrated Framework was published by COSO in 1992.
- The COSO Enterprise Risk Management - Integrated Framework was published by COSO in 2004.
Slide 11: COSO - An Integrated Framework
- COSO offers an integrated framework that defines internal control by eight interrelated components:
  - Internal Environment
  - Objective Setting
  - Event Identification
  - Risk Assessment
  - Risk Response
  - Control Activities
  - Information & Communication
  - Monitoring
Slide 12: COSO - An Integrated Framework
Tone at the top
- The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- An effective internal control environment exists when employees understand their responsibilities and authority, and are committed to acting ethically.
Slide 13: COSO - An Integrated Framework
Establishing management's control objectives
- Objectives must exist before management can identify potential events affecting their achievement.
- Objectives chosen should support and align with the entity's mission and be consistent with its risk appetite.
Slide 14: COSO - An Integrated Framework
Event Identification
- Internal and external events affecting achievement of an entity's objectives should be identified.
Slide 15: COSO - An Integrated Framework
Identify risks to determine required response and control activities
- Risk assessment starts with identifying risks associated with business objectives, linked through all levels of the organization, including entity-wide and activity-level risks.
- Risk assessment requires evaluation of external and internal factors and their impact on operations, financial reporting, compliance, and reporting.
Slide 16: COSO - An Integrated Framework
Responding to the risks identified
- Management needs to choose how it will respond to an identified risk: avoiding, accepting, reducing or sharing the risk.
- Develop a set of action plans to align the identified risks with the organization's risk tolerances and risk appetite.
Slide 17: COSO - An Integrated Framework
Design and implement control activities to manage risk
- Control activities are policies and procedures that help to ensure that actions identified to manage risks are effectively carried out.
- The control activities should be embedded within the operations of the business and used to manage risks to reasonable levels. Focus is on prevention, detection and correction.
- Disciplinary action should be established, communicated, and consistently administered for noncompliance.
Slide 18: COSO - An Integrated Framework
Identify and communicate information in a timely manner to ensure controls are functioning
- Information and communication is needed to effectively manage operations, prepare financial statements and determine compliance.
- Requires that relevant external and internal information be identified, captured, processed, and communicated throughout the organization in a timely manner.
- Provided through various formal and informal means.
- The integrity of information quality is imperative for making business decisions.
- Requires internal control mechanisms to provide reasonable assurance that information is appropriate, current, timely, accurate, and accessible.
Slide 19: COSO - An Integrated Framework
Ongoing monitoring and periodic checks of the internal control system
- The purpose of monitoring is to determine whether internal control is adequately designed, executed, effective, and adaptive.
- Internal control performance should be assessed over time via some combination of ongoing monitoring and periodic evaluations.
- Scope and frequency of monitoring activities depend on the significance of the risks being controlled and the importance of the controls in reducing those risks.
- Monitoring activities should be built into the normal, recurring operating activities of an organization.
- Deficiencies found should have a defined escalation path for reporting and follow-up, and accountability for corrective action.
Slide 20: What is SAS 70?
- AICPA Statement of Auditing Standards No. 70, Service Organizations
- Also commonly known as a Service Auditor Report
- Report on the processing of transactions by service organizations as it relates to an audit of financial statements
- Provides for reporting on a service organization's internal controls to:
  - Service provider management
  - Service provider's clients and their clients' auditors
Slide 21: Benefits of SAS 70
- Provides an independent assessment of the organization's control procedures
- Establishes whether those controls met the objectives stated by management
- Demonstrates those controls to customers and their auditors
- Minimizes the number of audits over the service organization's internal controls requested by different customers and their auditors
- Provides management with a level of reasonable assurance over the control integrity of the processing environment
Slide 22: Where are SAS 70s Used in the Mutual Fund Industry?
(Diagram: the Fund at the center, surrounded by its service providers: Custodian or Subcustodian, Fund Accountant, Transfer Agent, Fund Administration, Pricing Service Provider, Investment Advisor. Legend: SAS 70 Typically Performed / SAS 70 Sometimes Performed / SAS 70 Not Historically Performed.)
Slide 23: Sarbanes-Oxley
- The Sarbanes-Oxley legislation, Sections 302 and 404 in particular, has increased the awareness and scrutiny of the design and operating effectiveness of internal controls.
- Recent industry and regulatory events have required organizations to have greater awareness of their service providers' control environment and the controls in place to manage risk.
- Directors/Trustees have a fiduciary responsibility to understand and manage the risks presented by outsourcing critical aspects of their operations.
- An increasing number of organizations are outsourcing key components of their operations, increasing the need and demand for third-party attestation reports such as SAS 70 reports.
Slide 24: Sarbanes-Oxley
- The Sarbanes-Oxley legislation does not mandate the production of SAS 70s; however, the legislation has:
  - Increased the awareness and scrutiny of internal controls
  - Required management to evaluate the significance of outsourced activities, processes and functions to the company's ICFR
  - Made obtaining a SAS 70 from external as well as internal service organizations a sound and prudent risk management practice
  - Made CEOs and CFOs responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over financial reporting and disclosure (required by Sections 302 and 404)
Slide 25: Sarbanes 302 Recap
- Original rules
  - Require that the Principal Executive Officer and Principal Financial Officer certify to disclosure controls and procedures
  - Created new Form N-CSR as the conduit for the certification
- Amended rules
  - Include certification that the officers have established and maintained internal control over financial reporting and that it was effective, for the first annual report for fiscal years ended after 11/15/04
  - Further amendments to the '33, '34 and '40 Acts added two further requirements:
    - Management's Discussion of Fund Performance to be included in the annual report (and thus certified)
    - Quarterly schedule of portfolio holdings to be filed and certified via Form N-Q
Slide 26: Sarbanes 302 Key Concepts
- Definition of Disclosure Controls and Procedures
  - Designed to ensure that information required to be disclosed is recorded, processed, summarized, and reported in the time periods specified in SEC rules and forms
  - Should be designed to ensure required information is accumulated and communicated to management to allow timely decisions regarding relevant disclosure
- Definition of Internal Control Over Financial Reporting
  - A process designed by (or under supervision of) principal officers
  - Provides reasonable assurance regarding the reliability of financial reporting
  - Reasonable assurance: a relatively low risk that material misstatements will not be prevented or detected on a timely basis
  - Includes procedures that address:
    - Maintenance of records
    - Recording of transactions
    - Prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets
Slide 27: Sarbanes-Oxley 302 vs. 404 Requirements
Slide 28: Chief Compliance Officer (CCO) Rules 38a-1 and 206(4)-7
- General overview
  - The SEC adopted rules under the Investment Advisers Act (Rule 206(4)-7) and the Investment Company Act (Rule 38a-1) which require the implementation of compliance programs
  - The compliance programs must incorporate:
    - Written policies and procedures (PPs) reasonably designed to prevent violations of the federal securities laws (compliance controls)
    - A CCO who shall be responsible for the administration of the compliance PPs (a mutual fund's CCO generally performs oversight)
    - An annual review of the PPs for their adequacy and the effectiveness of their implementation, and reporting of results
Slide 29: Compliance Program Rules - Annual Review
- Investment Companies
  - A fund Board must review its compliance PPs annually, and those of the Investment Adviser, TA, Distributor, and Administrator
  - The Board may rely upon a review submitted by the fund's CCO in his or her annual report submitted to the Board
  - The annual report of the CCO should address, at a minimum:
    - The operation of the compliance PPs of the fund and each service provider
    - Any material changes to the PPs since the last report
    - Any recommendations for material changes to the fund's PPs
    - Any material compliance matters since the date of the last report
- Investment Advisers
  - Any compliance matters that arose during the previous year
  - Any changes in the business activities of the investment adviser or its affiliates that may require amendments to the PPs
  - Any changes to the adopted PPs that may be appropriate because of regulatory changes
Slide 30: Agenda
- Introduction: What is Internal Control?
- Conceptual Framework (COSO) and SAS 70s
- Requirements for Mutual Funds Regarding Internal Controls
Slide 31: The Current Environment - Focus on Internal Controls
- The Compliance Program Rules, N-SAR requirements, Sarbanes-Oxley and other regulatory initiatives are forcing the industry to understand risk management concepts and are driving risk and control evaluation initiatives.
- Risk assessments, control activities, monitoring and testing are concepts that are quickly becoming ingrained in our collective consciousness.
- Why is this?
  - Need for a consistent, structured process to address the various rule requirements
  - Compliance Program Rules require an annual review of PPs, including Sarbanes, for their adequacy and the effectiveness of their implementation
  - Senior management certification requirements require complete, accurate and timely information
  - Some CCOs and others will likely be certifying to the Fund's controls partially in reliance on controls of third-party service providers
Slide 32: Certifications Under Form N-CSR and N-Q
- The certifying officers "... are responsible for establishing and maintaining disclosure controls and procedures ... and internal control over financial reporting" and have:
  - Designed such disclosure controls and procedures to ensure that material information is made known to us
  - Designed such internal control over financial reporting to provide reasonable assurance regarding the reliability of financial reporting
  - Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented our conclusions about the effectiveness
  - Disclosed in this report any change in the registrant's internal control over financial reporting that occurred
- "The registrant's other certifying officer(s) and I have disclosed to the registrant's auditors and the audit committee":
  - All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting
  - Any fraud, whether or not material
Slide 33: QUESTIONS?
Slide 34: About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than one-half of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte", "Deloitte & Touche", "Deloitte Touche Tohmatsu" or other related names. In the US, Deloitte & Touche USA LLP is the US member firm of Deloitte Touche Tohmatsu, and services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP and their subsidiaries), and not by Deloitte & Touche USA LLP. The subsidiaries of the US member firm are among the nation's leading professional services firms, providing audit, tax, consulting and financial advisory services through nearly 30,000 people in more than 80 cities. Known as employers of choice for innovative human resources programs, they are dedicated to helping their clients and their people excel. For more information, please visit the US member firm's web site at www.deloitte.com/us.