Each depositor insured to at least $250,000 per insured bank



Home > Regulation & Examinations > Bank Examinations >Trust Examination Manual




Trust Examination Manual

Section 11 - Audits

Every registered transfer agent should develop an audit program that, in view of the volume and complexity of securities transfer activity, provides adequate assurance that securities transfer operations are performed in a satisfactory manner and in compliance with applicable laws and regulations.  A strong audit program establishes a proper internal control environment and promotes the accurate and efficient processing of securities transfers, as well as compliance with applicable laws and regulations.  In addition, a well-functioning audit program promotes the early identification and correction of operational deficiencies and violations of applicable laws and regulations before they become systemic.

Ideally, the audit program would consist of a full time, continuous internal audit program coordinated with a well-planned external audit.  In small transfer agent operations, however, limited resources may make the implementation of a full time internal and external audit impractical.  Notwithstanding, transfer agent management should ensure that audit coverage is adequate for the size and scope of transfer agent activity.

Internal Audits

To be effective, internal audits should be performed by individuals having adequate training and knowledge of transfer agent operations and applicable laws and regulations. Internal auditors should be independent of transfer agent function management and free of duties or responsibilities that could adversely affect audit findings and recommendations.  Audit findings should be reported to an appropriate level of bank management, preferably the Board of Directors, Audit Committee, or other appropriate committee of the Board.  The management of the transfer agent function should be required to respond to the findings of internal audit reports.   Management's response should be made within an acceptable timeframe and include corrective measures as appropriate.  Corrective measures promised by transfer agent management should receive follow-up review.

Frequency and Scope
Audits should normally be performed at least annually.  More frequent audits, however, should be conducted when conditions require it.   For example, when operations evidence continued unsatisfactory operations, or if the size and complexity of securities transfers indicates that more frequent audit coverage is warranted.  Some larger transfer agents may implement a continuous audit process in which specific areas of the transfer agent's operations are audited at various intervals that depend on the perceived degree of risk.  Such an approach is acceptable.  Examiners should, however, ensure that audit coverage is provided at appropriate intervals and that no significant aspect of the transfer agent's operations goes without audit coverage.

While the scope of a registered transfer agent will vary depending upon the type, complexity and volume of activity, the activities listed below should, to the extent applicable to the transfer agent's operations, be included in the scope of the audit:

  • Compliance with SEC operational rules and regulations, e.g. Section 240.17Ad of the SEC's Rules and Regulations, as well as SEC rules 17f-1 and 17f-2.
  • Review of documents evidencing the institution's appointment as transfer agent by the issuers of the securities transferred.
  • Review of internal controls governing securities transfer activities.
  • Proof of securityholder records, including Master Securityholder files, Control books, and other subsidiary records.
  • Review of any record differences that have occurred since the last audit, the reasons why they occurred, and, if there were any record differences that became aged record difference.
  • Review of unissued securities and checks and the internal controls in place to protect and safeguard customer securities and funds.
  • Review of dividend and interest payment activities, including the adequacy of reconcilement procedures over all payment-related accounts.
  • Review of management's response to any prior internal audit findings.

Generally, at a minimum, the internal audit program should be designed to provide reasonable, but not necessarily absolute certainty, that securities transfers are effected in a accurate (i.e. without excessive record differences) and prompt (i.e. within the SEC's designated turnaround standards) manner, and that customers' funds and securities are safeguarded from loss, theft or misuse.

External Audits
SEC Requirements
SEC Regulation 17Ad-13, "Annual Study and Evaluation of Internal Accounting Control," requires every registered transfer agent, except as discussed below, to file annually a study (the Accountant's Report, or report), conducted by an independent accountant, reporting on the effectiveness of the system of internal control and related procedures for effecting securities transfers and safeguarding the securities transferred and the funds related therewith.  Registered transfer agents, unless exempted, must file the accountant's report with the SEC, and, for those registered transfer agents for whom the SEC is not the ARA, the transfer agent's ARA.  The report must be filed within 90 calendar days of the date of the study.  The accountant's report must:

  • State whether the report was made in accordance with generally accepted auditing standards.  See discussion below concerning the objectives of a registered transfer agent's internal controls.

  • Describe any material inadequacies found to exist as of the date of the study and evaluation and any corrective action taken.  If no material inadequacy existed, the report should so state.

  • Comment on the current status of any material inadequacy described in the immediately preceding report.

The study and evaluation of the transfer agent's system of internal controls should cover the following areas:

  • Processes for transferring ownership of securities (i.e. the cancellation of certificates or other instruments evidencing prior ownership and the issuance of new certificates)

  • Processes for maintaining books and records reflecting ownership and changes in ownership

  • Processes for registering changes in ownership related to corporate actions (e.g. issuance, retirement, redemptions, liquidations, conversions, exchanges, tender offers, etc.)

  • Processes for paying dividends and interest

  • Administration of dividend reinvestment programs

  • Processes for distributing initial statements related to initial offers of securities.

The transfer agents' system of internal controls should be designed to provide reasonable, but not absolute, assurance that securities transfer activities are performed promptly and accurately and that securities and funds are protected against unauthorized use or disposition.

If material inadequacies are revealed by the study and evaluation of the transfer agent's system of internal control, the transfer agent must file a report with the SEC and the ARA in writing.  The report must be filed by the transfer agent no later than 60 calendar days after the receipt of the report.  The report must state the actions being taken by the transfer agent to correct the material inadequacies discovered.

For the purposes of 17Ad-13, a material inadequacy is a condition where the established procedures or the compliance with established procedures do not reduce to a relatively low level the risk of errors or irregularities that would adversely affect to a significant degree the transfer agent's ability to promptly and accurately effect securities transfers and to protect the securities and funds of investors, or that errors or irregularities would not be detected in a timely manner in the course of personnel performing their assigned functions.

A significant adverse effect could result from any condition or conditions that individually, or taken as a whole, would reasonably:

  • Inhibit the transfer agent from promptly and accurately discharging its contractual responsibilities to the issuer.

  • Result in a material financial loss to the transfer agent.

  • Result in violations of SEC Rules 17Ad-2 (Turnaround Standards), 17Ad-10 (Prompt Posting and Buy-Ins) and 17Ad-12 (Safeguarding of Funds and Securities).

The accountant's report and any documents required under Rule 17Ad-13 must be retained for at least three years, the first year in an easily accessible place

Exceptions

Banks and financial institutions regulated by the FDIC, the Federal Reserve or the OCC are exempt from the audit requirements of 17Ad-13, provided that the bank or financial institution's Federal bank regulatory authority has not notified it to the contrary and the bank or financial institution prepares for its Board of Directors or audit committee a report that is similar in scope to that described in the preceding section.

Small transfer agents, i.e. transfer agents that qualify for exempt status under 17Ad-4, are exempted totally from the requirements of 17Ad-13, as are transfer agents that perform mutual fund transfers for mutual funds for which there are fewer than 1,000 accountholders.  In addition, a transfer agent that performs transfer agent functions solely for 1) its own securities; 2) the securities of a subsidiary in which it owns 51 percent or more of the subsidiary's capital stock; or 3) securities issued by another corporation that owns 51 percent or more of the capital stock of the transfer agent.

SAS 70 Reports

Institutions sometimes enter into servicing arrangements whereby a third-party or affiliated entity will perform SEC Rule 17Ad-9(k) defines the term "service company" as a registered transfer agent engage by a named transfer agent to perform transfer agent functions for a named transfer agent.  A "named transfer agent" is the transfer agent engaged by the issuer to perform transfer agent functions for an issue of securities, but has engaged a service company to perform some or all of those functions.  In addition, the SEC defines a "recordkeeping transfer agent," which is a transfer agent that maintains and updates the master securityholder file, and "co-transfer agent," which is a registered transfer agent that transfers securities, but does not maintain and update the master securityholder file.

Registered transfer agents that engage a service company should obtain and review the SAS 70 Report of the service company in order to evaluation the adequacy of the internal controls and internal control environment of the service company.

 

    Last Updated 05/10/2005

supervision@fdic.gov