Asset Manager’s Guide to SOC 1

SOC 1 reports are typically requested by the customers of asset managers, such as pension funds and mutual funds. Asset management firms issue the reports to demonstrate that sound internal controls and safeguards are in place, particularly around areas of operations and technology, and to describe the responsibilities of the asset manager and auditor. These baseline areas were developed to improve the quality and consistency of reporting for the industry. Grant Thornton and SIFMA AMG have provided this information as a guide on baseline control objectives. It is not intended as a substitute for the guidelines defined in the AICPA’s attestation standards and reporting guides.

The updated Asset Manager’s Guide to SOC 1 reports discusses the AICPA changes to the SSAE 18 and the resulting changes to the SOC 1 reports. (Updated June 2017)

Excerpt

Executive Summary

The Asset Management Group (AMG) of the Securities Industry and Financial Markets Association (SIFMA) has updated the Asset Manager’s System and Organization Controls (SOC) 1 reports guide as a result of the American Institute of Certified Public Accountants’ (AICPA) Clarity Project.

This Asset Manager’s Guide to SOC 1 reports was developed by Grant Thornton LLP, applying the Asset Manager Guide to SAS 70 (issued in October of 2007, and available at http://www.sifma.org/uploadedfiles/newsroom/press_releases/assetmanagerguidesas-70.pdf), Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification (effective as of May 1, 2017), and AICPA’s Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting (SOC 1®) guide (updated as of January 1, 2017).

The current updates are meant to provide the following:

• Background of the AICPA’s Attestation Clarity Project
• Changes to the SSAE No. 18, Attestation Standards
• Changes from the AT-C sections impacting SOC 1 reports

The recommended asset manager baseline areas of scope and control objectives within this guide include asset management operations and Information Technology (IT) general computer controls. The baseline areas were developed to improve the quality and consistency of reporting for the industry. This document is meant to serve as a guide for defining the scope of a SOC 1, and is not a substitute for the guidelines defined in the AICPA’s attestation standards and reporting guides.