Every registered transfer agent should develop an audit
program that, in view of the volume and complexity of securities transfer activity,
provides adequate assurance that securities transfer operations are performed in a
satisfactory manner and in compliance with applicable laws and regulations. A strong
audit program establishes a proper internal control environment and promotes the accurate
and efficient processing of securities transfers, as well as compliance with applicable
laws and regulations. In addition, a well-functioning audit program
promotes the
early identification and correction of operational deficiencies and violations of
applicable laws and regulations before they become systemic.
Ideally, the audit program would consist of a full time,
continuous internal audit program coordinated with a well-planned external audit. In
small transfer agent operations, however, limited resources may make the implementation of
a full time internal and external audit impractical. Notwithstanding, transfer agent
management should ensure that audit coverage is adequate for the size and scope of
transfer agent activity.
Internal Audits
To be effective, internal audits should be performed by
individuals having adequate training and knowledge of transfer agent operations and
applicable laws and regulations. Internal auditors should be independent of transfer agent
function management and free of duties or responsibilities that could
adversely affect
audit findings and recommendations. Audit findings should be reported to an
appropriate level of bank management, preferably the Board of Directors, Audit
Committee,
or other appropriate committee of the Board. The management of the transfer agent
function should be required to respond to the findings of internal audit reports.
Management's response should be made within an acceptable timeframe and include
corrective measures as appropriate. Corrective measures promised by transfer agent
management should receive follow-up review.
Frequency and Scope
Audits should normally be performed at least annually. More frequent audits, however, should be conducted when conditions require it.
For example, when operations evidence continued unsatisfactory operations, or if
the size and complexity of securities transfers indicates that more frequent audit
coverage is warranted. Some larger transfer agents may implement a continuous audit
process in which specific areas of the transfer agent's operations are audited at various
intervals that depend on the perceived degree of risk. Such an approach is
acceptable. Examiners should, however, ensure that audit coverage is provided at
appropriate intervals and that no significant aspect of the transfer agent's operations
goes without audit coverage.
While the scope of a registered transfer agent
will vary depending upon the type, complexity and volume of activity, the
activities listed below should, to the extent applicable to the transfer
agent's operations, be included in the scope of the audit:
- Compliance with SEC operational rules and
regulations, e.g. Section 240.17Ad of the SEC's Rules and Regulations, as
well as SEC rules 17f-1 and 17f-2.
- Review of documents evidencing the
institution's appointment as transfer agent by the issuers of the
securities transferred.
- Review of internal controls governing
securities transfer activities.
- Proof of securityholder records, including
Master Securityholder files, Control books, and other subsidiary records.
- Review of any record differences that have
occurred since the last audit, the reasons why they occurred, and, if
there were any record differences that became aged record difference.
- Review of unissued securities and checks and
the internal controls in place to protect and safeguard customer
securities and funds.
- Review of dividend and interest payment
activities, including the adequacy of reconcilement procedures over all
payment-related accounts.
- Review of management's response to any prior
internal audit findings.
Generally, at a minimum, the internal audit
program should be designed to provide reasonable, but not necessarily
absolute certainty, that securities transfers are effected in a accurate
(i.e. without excessive record differences) and prompt (i.e. within the
SEC's designated turnaround standards) manner, and that customers' funds and
securities are safeguarded from loss, theft or misuse.
External Audits
SEC Requirements
SEC Regulation
17Ad-13, "Annual Study and Evaluation of Internal Accounting Control,"
requires every registered transfer agent, except as discussed below, to file
annually a study (the Accountant's Report, or report), conducted by an
independent accountant, reporting on the effectiveness of the system of
internal control and related procedures for effecting securities transfers
and safeguarding the securities transferred and the funds related
therewith. Registered transfer agents, unless exempted, must file the
accountant's report with the SEC, and, for those registered transfer agents
for whom the SEC is not the ARA, the transfer agent's ARA. The report must
be filed within 90 calendar days of the date of the study. The accountant's
report must:
-
State whether the
report was made in accordance with generally accepted auditing standards.
See discussion below concerning the objectives of a registered transfer
agent's internal controls.
-
Describe any
material inadequacies found to exist as of the date of the study and
evaluation and any corrective action taken. If no material inadequacy
existed, the report should so state.
-
Comment on the
current status of any material inadequacy described in the immediately
preceding report.
The study and
evaluation of the transfer agent's system of internal controls should cover
the following areas:
-
Processes for
transferring ownership of securities (i.e. the cancellation of
certificates or other instruments evidencing prior ownership and the
issuance of new certificates)
-
Processes for
maintaining books and records reflecting ownership and changes in
ownership
-
Processes for
registering changes in ownership related to corporate actions (e.g.
issuance, retirement, redemptions, liquidations, conversions, exchanges,
tender offers, etc.)
-
Processes for
paying dividends and interest
-
Administration of
dividend reinvestment programs
-
Processes for
distributing initial statements related to initial offers of securities.
The transfer agents'
system of internal controls should be designed to provide reasonable, but
not absolute, assurance that securities transfer activities are performed
promptly and accurately and that securities and funds are protected against
unauthorized use or disposition.
If material
inadequacies are revealed by the study and evaluation of the transfer
agent's system of internal control, the transfer agent must file a report
with the SEC and the ARA in writing. The report must be filed by the
transfer agent no later than 60 calendar days after the receipt of the
report. The report must state the actions being taken by the transfer agent
to correct the material inadequacies discovered.
For the purposes of
17Ad-13, a material inadequacy is a condition where the established
procedures or the compliance with established procedures do not reduce to a
relatively low level the risk of errors or irregularities that would
adversely affect to a significant degree the transfer agent's ability to
promptly and accurately effect securities transfers and to protect the
securities and funds of investors, or that errors or irregularities would
not be detected in a timely manner in the course of personnel performing
their assigned functions.
A significant adverse
effect could result from any condition or conditions that individually, or
taken as a whole, would reasonably:
-
Inhibit the
transfer agent from promptly and accurately discharging its contractual
responsibilities to the issuer.
-
Result in a
material financial loss to the transfer agent.
-
Result in
violations of SEC Rules 17Ad-2 (Turnaround Standards), 17Ad-10 (Prompt
Posting and Buy-Ins) and 17Ad-12 (Safeguarding of Funds and Securities).
The accountant's
report and any documents required under Rule 17Ad-13 must be retained for at
least three years, the first year in an easily accessible place
Exceptions
Banks and financial
institutions regulated by the FDIC, the Federal Reserve or the OCC are
exempt from the audit requirements of 17Ad-13, provided that the bank or
financial institution's Federal bank regulatory authority has not notified
it to the contrary and the bank or financial institution prepares for its
Board of Directors or audit committee a report that is similar in scope to
that described in the preceding section.
Small transfer
agents, i.e. transfer agents that qualify for exempt status under 17Ad-4,
are exempted totally from the requirements of 17Ad-13, as are transfer
agents that perform mutual fund transfers for mutual funds for which there
are fewer than 1,000 accountholders. In addition, a transfer agent that
performs transfer agent functions solely for 1) its own securities; 2) the
securities of a subsidiary in which it owns 51 percent or more of the subsidiary's
capital stock; or 3) securities issued by another corporation that owns 51
percent
or more of the capital stock of the transfer agent.
SAS 70 Reports
Institutions sometimes enter
into servicing arrangements whereby a third-party or affiliated entity will
perform SEC Rule 17Ad-9(k) defines the term "service company" as a
registered transfer agent engage by a named transfer agent to perform
transfer agent functions for a named transfer agent. A "named transfer
agent" is the transfer agent engaged by the issuer to perform transfer agent
functions for an issue of securities, but has engaged a service company to
perform some or all of those functions. In addition, the SEC defines a
"recordkeeping transfer agent," which is a transfer agent that maintains and
updates the master securityholder file, and "co-transfer agent," which is a
registered transfer agent that transfers securities, but does not maintain
and update the master securityholder file.
Registered transfer agents
that engage a service company should obtain and review the SAS 70 Report
of the service company in order to evaluation the adequacy of the internal controls
and internal control environment of the service company.
|