Why Hedge Fund Technology Vendors Need A SOC Report
The pace of outsourcing by hedge funds has picked up. Many standard activities that were once part of the internal routine of funds are now being carried on by external partners. Outsourcing is a fact of life in hedge fund management and there are many reasons for it, among them tapping into cost savings and leveraging the excellence of the services of third parties.
Outsourcing is now a key competitive differentiator for many asset managers, not just hedge funds. Forty-five per cent of the fund managers interviewed recently by Deloitte said they were in the process of implementing outsourcing activities with another 14% planning to begin doing so.
Outsourcing partnerships will be an area of scrutiny
Outsourcing is also being scrutinised by investors. While hedge fund investors appreciate the reasons for outsourcing, they want to reassure themselves that the partners a hedge fund manager works with are up to scratch. This means a fund manager can expect his/her service providers to be under a high level of scrutiny as part of any operational due diligence process.
Operational due diligence (ODD) has become an industry in itself, with its own standards and guidelines, some of them driven by AIMA, others introduced organically.
AIMA has published a comprehensive set of guidelines which are now routinely followed by investors and which have formed the platform for thousands of ODD processes. They cover fund strategy, governance, and risk management but importantly stretch to outsourced service providers, data sources and vendor technology.
The need for independent standards
Heavier emphasis upon outsourcing arrangements has driven the need for independent standards that can be verified outside of an organization. This helps to reduce the time and costs associated with ODD and also frees up the manager, giving him/her more time to focus on the more critical parts of the process.
For some time, public companies have relied on service organizations which can bring attested processes and controls to the table. We already see this across a broad range of sectors. As there is more emphasis on cyber security now than ever before (the recent hack of Twitter yet again demonstrates that we can never let down our guard), expectations have gone up that even small firms managing client data and funds will meet stringent security criteria.
Again, according to Deloitte, cybersecurity was the number one ranked risk that fund managers feel they will face in the future, with 23% ranking it top and 15% ranking it second.
SOC certification – why is it important for technology service providers
SOC, or System and Organization Controls, are a way for firms to reassure stakeholders that risks are being properly managed. It is an internationally recognized third party assurance audit designed for service organizations. If a service provider can affect the internal controls at a customer entity – a hedge fund, for example – then
SOC 1 reports represent a thorough, independent audit and certification process that saves time in the due diligence process in the long run. They can also help with meeting contractual obligations and demonstrate to investors that risks are being proactively addressed across an organization.
Having a SOC audit in place with service providers ensures that a hedge fund can leverage the same established standards that large institutions rely on. Plan sponsors in the US, for example, have been using the SOC 1 as the only applicable reference point for internal controls over financial reporting, superseding the earlier SSAE 16 and SAS 70 standards. The reports enable plan management to understand control objectives that are in place with service providers. These reports also feed into the ERISA audits plan sponsors need to complete.
“SOC 1 standards are now widely accepted and highly regarded by asset management and investment management entities within the United States, and are gaining traction in other regions as well,” according to Ben Osbrach, National Risk Advisory Leader at Marcum LLP. “Investors are looking for that extra layer of reassurance from the technology vendors used by fund managers, and a SOC 1 Type II report can provide that. It assures that the safeguards and controls are there to protect and secure customer data, in line with industry best practices and standards.”
As the hedge fund industry becomes yet more institutionalized, investors will demand to see independent standards of the kind referred to above in place with hedge funds and their key service providers.
Dave Shastri is Head of International Strategy at Truss Edge
© The Sortino Group Ltd