So, here we are, at the beginning of 2018, with the awesome task ahead of getting ready for the start of the industry’s NPORT/NCEN era. With just a few months to go before funds are required to compile and store completed Form N-PORT data sets (as a result of the SEC’s 12/8/2017 announcement filing in EDGAR will not begin until Spring 2019), there are a number of previous-made decisions that now require further review and action. As my colleague Paul Soltis wrote a few months ago, “…we should all be in good shape to hit” the SEC’s Form N-PORT compliance date. The big decisions have been made – insource versus outsource, data sources and maybe even data management systems, regulatory reporting technology has been chosen, and operating models have been determined. But what about oversight and control? What about reviews by the advisors / asset managers? While these decisions aren’t quite as tangible as data sources and technology, they are no less vital to long-term success.
Whether asset management firms decide to leverage their internal operation teams or outsource the work to complete the monthly Form N-PORT requirement to a third-party administrator, there are a number of oversight decisions to be made. Given that the focus to date has been all about getting ready to source and compile the data and then determine the best way to file the report, there has not been much focus on oversight. The time to focus on oversight is upon us.
Under Sarbanes-Oxley (SOX), top management must individually certify the accuracy of their fund’s financial information. In addition, penalties for fraudulent financial activity are much more severe. SOX also increases the oversight role of boards of directors and the required scope of independence for outside auditors who review the accuracy of a fund’s corporate financial statements. I find it interesting that SOX was passed 16 years ago, yet it is only with the introduction of Form N-PORT that each fund will soon begin to send a real depth of data to the regulator, and even so, certification is not required.
Before the corporate financial scandals that rocked the US in 2000-2002, there was a self-regulating environment that did not create strong control and oversight requirements across the industry, particularly in the areas of reporting. Since then, control and oversight have been built into the fabric of our industry and today we operate with internal control and procedures that, very appropriately, dominate our operating environments and the way that we conduct ourselves in the back office. As such, we look and operate very differently than we did prior to SOX and are significantly better for it. With the introduction of Form N-PORT without certification requirements, there are a multitude of options that exist for how each firm will oversee the Form N-PORT reporting process and the ultimate sharing of fund information with the public and the regulator.
So, how are we proceeding as an industry with the oversight of this new process? As you read this, have you really thought much about oversight procedures and protocol? Consider the following questions and whether your organization can answer these today or has a process in place to make these determinations:
- Will you run the Form N-PORT and Form N-CEN filings through funds’ Disclosure Control and Procedures (DCP) Committee despite the fact that there is not a requirement to do so?
- What types of assurances will fund compliance personnel require prior to filing in order to have confidence in the data within the filing and the controlled environment of the process by which it was completed?
- Who will ultimately own and be accountable for the accuracy of the data and the filing given that certifying officers are not required?
- Will you seek to have any part of the Form N-PORT process covered by SOC1 or SSAE16?
Over the past few months, I have spoken to a number of fund officers at asset management firms on this very topic and the difference in opinions as it relates to oversight models is significant. One treasurer indicated that his firm’s DCP will be extended to cover Form N-PORT. In his view, this will help ensure accuracy and confidence in the ultimate filing and they will simply stop short of the final certifications. Others that I have spoken to indicate that the DCP process is too onerous to complete for every fund, every month, and that alternative adequate procedures will be established to ensure accuracy of the data.
So, now what? Are you as convinced as I am that we need to focus on developing oversight controls and responsibilities associated with the Form N-PORT? I certainly hope that the rest of the industry is as focused on this as I am, because one thing I know is that whether they provide clear guidelines for oversight and despite the fact that this is not necessarily part of SOX, the SEC will be expecting well-documented procedures and oversight just as they do for other regulatory mandates. And we all need to be ready for that.