Back in December, we posted about a new SEC rule requiring that financial advisors with “custodial” access to funds under a controls audit to ensure that client data is being handled appropriately. Specifically, a “Custodial Controls Review” was required to be performed by a PCAOB approved CPA firm.
Recent, the SEC provided an update including several FAQs on the final ruling. Of note are the following question and answer pairs.
Q: Rule 206(4)-2(a)(6) requires that an adviser or its related person that maintains client assets as a qualified custodian must obtain (or receive from the related person) a written internal control report (e.g., Type II SAS 70 report) regarding the adviser’s or its related person’s custodial practices. What is the compliance date for the internal control report?
A: The compliance date for obtaining an internal control report is September 12, 2010 for advisers subject to the requirement on March 12, 2010. Advisers that are newly subject to Rule 206(4)-2(a)(6) (e.g., newly maintaining, or having a related person maintaining, client assets as a qualified custodian after March 12, 2010) must obtain the internal control report within six months of becoming subject to the requirement.
Q: [With regards to the same requirement] Does the internal control report need to address the effectiveness of controls over custodial services prior to March 12, 2010, the effective date of the amended rule?
A: No, the internal control report does not need to address the effectiveness of controls over custodial services prior to March 12, 2010, the effective date of the amended rule, even if it results in a shortened examination period for the 2010 internal control report.
Q: Currently, qualified custodians often obtain custody-related SAS 70 reports prepared on a regular reporting cycle. If a qualified custodian obtained a SAS 70 report in 2009 and plans to obtain a SAS 70 report in 2010, is the qualified custodian expected to alter its reporting cycle to meet (or allow its related person investment adviser to meet) the initial September 12, 2010 compliance date?
A: No, a qualified custodian that obtained a custody-related SAS 70 report in 2009 is not expected to alter its reporting cycle in 2010.
In summary, the deadline is obtain a control report is either September 12th of this year or six month after being considered a custodial advisor under the requirements. The only exception is that if you are already under a schedule to perform SAS 70 audits. Given the amount of time that most audits take from planning to report, if you haven’t spoken to your IT audit firm… you are very behind!