KPMG s National Broker-Dealer Practice Survey Results

Transcription

1 KPMG s National Broker-Dealer Practice Survey Results Insights into how brokerdealers are implementing the recent SEC Rule 17a-5 Amendments kpmg.com

2 2 KPMG s National Broker-Dealer Practice Survey Results International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

3 KPMG s National Broker-Dealer Practice Survey Results 3 Contents International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

4 4 KPMG s National Broker-Dealer Practice Survey Results Introduction This has been an especially busy year for registered broker-dealers due to recent Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) regulations and standards being finalized. On July 30, 2013, the SEC adopted final amendments to its broker-dealer reporting rule aimed at strengthening independent audit requirements and enhancing oversight of broker-dealer custody practices. Beginning with fiscal years ending on or after June 1, 2014, brokerdealers are required to file one of two new reports a compliance report or an exemption report in addition to annual audited financial statements and supplemental schedules as required by Rule 17a-5 of the Securities and Exchange Act of 1934 (Rule 17a-5). To establish requirements aligned with the auditor s responsibility under the amended Rule 17a-5, the PCAOB adopted two new attestation standards: Attestation Standard No. 1, Examination Engagements Regarding Compliance Reports of Brokers and Dealers, and Attestation Standard No. 2, Review Engagements Regarding Exemption Reports of Brokers and Dealers. The PCAOB also adopted a new standard for auditing supplemental information that accompanies the financial statements, which applies to, among other things, the supplemental schedules of broker-dealers required by SEC Rule 17a-5. These standards became effective for audits of financial statements and examinations of compliance reports or reviews of exemption reports for fiscal years ending on or after June 1, 2014, which coincides with the effective date for the broker-dealer reporting requirements issued in the SEC Rule 17a-5 amendments. Given these new compliance and reporting requirements, broker-dealers are currently implementing a number of internal control programs to demonstrate their compliance with the new reporting requirements and are looking for insights into how their own efforts compare to those of other broker-dealers which are undergoing similar initiatives. This need for further insight into how the industry is implementing the new 17a-5 reporting requirements prompted KPMG s National Broker- Dealer Practice to conduct a survey on how firms are dealing with these new requirements. In September 2014, KPMG surveyed leading broker-dealer organizations involved in a variety of business activities (large institutional and retail firms, mid-sized firms, as well as certain smaller firms) across the United States. The following table provides a summary of the excess net capital of the participating firms represented in this survey: What is your company s Excess Net Capital $0 $250,000 $250,001 $1,000,000 $1,000,001 $5,000,000 3 % 5 % 5 % $5,000,001 $10,000,000 Over $10,000,000 5 % 82 % International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

5 KPMG s National Broker-Dealer Practice Survey Results 5 Additionally, of the firms that participated in the survey, 79 percent are required to file a Compliance Report, while 21 percent were subject to an Exemption Report. KPMG s survey consisted of a number of questions. However, we have elected to analyze and provide further insights into the following: (1) Formality of governance processes implemented by firms; (2) Scope and approach to Rule 17a-5 compliance reporting and related documentation and testing efforts; and (3) Extent of relevant information technology (IT) systems and third-party service organizations impacting compliance and how firms are addressing the impact of these on their internal control over compliance efforts. About the Authors Jim McConekey Jim is a partner in KPMG s New York Financial Services Audit practice with over 24 years of experience primarily serving clients in the securities industry. As a member of KPMG s Audit practice, Jim s experience includes providing assurance-related services to broker dealers, global investment banks, and other securities industry participants. In this regard, he works closely with audit committees; interacts with senior business management teams; and has daily involvement with finance organizations on technical accounting, financial reporting, and auditing issues. Dan McIsaac Dan is a director in KPMG s New York Regulatory Advisory practice with over 30 years of experience in the financial services industry, specializing in securities broker dealers, investment banks, and futures commission merchants. Dan is experienced in analyzing and interpreting financial and regulatory rules and regulations, establishing processes to meet the reporting requirements, and responding to regulatory and other inquiries. Chris Trattou Chris is an Audit partner in KPMG s Financial Services practice and serves as KPMG s National Audit Industry leader, Capital Markets. He has approximately 30 years of experience serving globally systemically important financial institutions. Chris has extensive banking and capital markets industry issue experience with audit, accounting, SEC reporting, advisory, transactional, risk management and Board of Director interaction experience along with a working knowledge of certain regulatory capital and compliance issues. International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

6 6 KPMG s National Broker-Dealer Practice Survey Results Governance process By now, all broker-dealers should have established a plan for how they will ensure compliance with the recent amendments to Rule 17a-5. The key question is whether the processes and controls implemented by firms will be sufficient to support management s statements in their year-end Compliance Report or Exemption Report. Firms that have established a formal governance structure to monitor compliance with the new reporting requirements appear to be in a better position to assess current processes and controls and answer that question. Among our survey respondents, 54 percent had established a governance program around Rule 17a-5, including some kind of formalized committee and sign-off on compliance. The formality of such governance structure can be scaled based on the size and scope of the broker-dealer s activities and resulting degree of complexity inherent in their regulatory compliance responsibilities. In fact, our findings show that smaller firms 1 were less likely to have established governance programs around Rule 17a-5 (29 percent) than large firms 2 (58 percent). For those firms that have established a formal governance committee, most respondents indicated that formal committee status meetings are held either monthly or quarterly. Considering the various departments within the broker-dealer organization that may impact compliance with the new Rule17a-5 reporting requirements, the governance oversight committee should include representatives from Finance, Operations, IT, Compliance, and Regulatory Reporting at a minimum. Among the respondents, almost one third assign the role to Finance (30 percent) and 49 percent said they use a combination of Finance, Compliance, Operations, Internal Audit, and external consultants. Approaches vary from firm to firm. 1 Firms with excess net capital of $10 million or less 2 Firms with excess net capital greater than $10 million International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

7 KPMG s National Broker-Dealer Practice Survey Results 7 Who has primary responsibility for documenting and evidencing management s Internal Control Over Compliance related to the new Financial Responsibility Rules? 49 % Combination 30 % Finance 11 % Compliance 8 % Internal Audit 3 % Operations 0 % Does not equal 100% due to rounding External Consultants Individual control activities likely cut across multiple departments within the broker-dealer. For this reason, implementing a compliance program that leverages functional expertise between different groups such as Finance, Operations, and IT will likely result in a more comprehensive compliance effort, as compared to delegating the entire responsibility to any one group. An important element in the governance oversight process is the mechanism by which compliance exceptions are identified, tracked, escalated, remediated, and ultimately evaluated for potential impact on the Compliance Report or Exemption Report. Among the respondents, 85 percent have some kind of escalation process in place. For example, a leading practice that some companies have implemented is the development of a subcertification process to identify, escalate and assess the severity of any issues that arise, and remediate those issues accordingly. More than one quarter of broker-dealers (27 percent) said that their preimplementation reviews conducted prior to June 1, 2014 identified control gaps that required remediation. However, since the effective date of June 1, 2014, none of the participating firms in our survey indicated they had any known instances of noncompliance noted. As management s oversight process matures and appropriate documentation is established to demonstrate compliance, the governance oversight process should consider additional ways in which key processes and controls can be further enhanced, automated, and monitored to help ensure continued compliance in the future. International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

8 8 KPMG s National Broker-Dealer Practice Survey Results Scope and Approach to 17a-5 Compliance The size and complexity of a broker-dealer s operations should determine its approach to Rule 17a-5 compliance including which business processes are relevant and the number and type of controls management should rely on to demonstrate compliance. To gain insight on the scope of compliance, we asked respondents whether they considered controls over market, credit, and liquidity risks to be components of Internal Control Over Compliance, and firms were evenly split. We believe firms that use detailed walkthroughs of compliance-related information will be more likely to identify relevant risk points and key controls necessary for compliance. Overall, 51 percent of firms used a walk-through approach to identify relevant risk points and related controls, while others used reviews of policy and procedures manuals, or other methods to assess which controls were most relevant. How has your organization identified the relevant Internal Control Over Compliance risk points and corresponding relevant control points? 8 14 Walkthrough of Information Flow 51 Review of Policy and Procedure Manual Narratives 27 Other Firms reported a wide range in the number of key controls identified relative to internal control over compliance. However, larger firms tended to have more controls: for example, 21 percent of the larger firms reported more than 100 controls being identified, whereas none of the smaller firms did. Likewise, larger firms tended to believe that Internal Control Over Compliance effectiveness is dependent, in part, on Internal Control Over Financial Reporting effectiveness. In total, how many internal controls does your organization expect to identify, document and test as part of management s Internal Control Over Compliance? 25% 28% 14% 14% 19% >100 Almost all firms (95 percent) identified daily operational controls as part of their overall Rule 17a-5 compliance efforts. Does your organization consider daily operational controls a part of your compliance? Yes 95% No 5% International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

9 KPMG s National Broker-Dealer Practice Survey Results 9 To facilitate an efficient and effective review by an external auditor, companies should consider documenting, in sufficient detail, which key controls it has in place and how it has evaluated them in terms of design, implementation, and operating effectiveness. In practice, a combination of risk and control matrices, policy and procedure manuals, process narratives, and system flowcharts are the predominant documentation methods used by broker-dealers, according to our survey results. In our view, a well-designed risk and control matrix seems to capture the necessary information in an easily reviewable format which should help facilitate an efficient review by the external auditor. How has your organization documented and evidenced its Internal Control Over Compliance? 11 8 Risk and Control Matrix Policy and Procedure Manuals Narratives Flowcharts 25 Other Does not equal 100% due to rounding Developing some level of management testing plan should be a key component to ensuring overall compliance with the new reporting requirements. An independent testing function by an internal audit department or external advisor, for example provides management with additional assurance that appropriate controls have been identified, evaluated, and tested to support management s assertions prior to the examination of the compliance or review of the exemption report by the external auditor. Most of the broker-dealer respondents (58 percent) used internal resources to document and test their internal controls. However, a substantial number (34 percent) used a combination of internal and external consultants. Is your organization documenting and testing its Internal Control Over Compliance using internal resources, external consultants, or a combination thereof? 58 % 34 % 8 % Internal Resources Combination External Consultants Half of respondents conducted self-assessments of the effectiveness of their Internal Control Over Compliance and half rely on an independent testing function. For firms that are required to file an exemption report, all respondents indicated that they have established internal controls to monitor adherence to their specific exemption requirements. Generally, firms that were exempt from the requirements of SEC Rule 15c3-3 participating in the survey indicated that they have established procedures to ensure any customer monies or securities that are received by the introducing broker-dealer are promptly transmitted to the clearing broker-dealer. International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

10 10 KPMG s National Broker-Dealer Practice Survey Results Information Technology Control Considerations Firms should pay particular attention to internal controls that have some degree of IT dependency. To determine the effectiveness of a manual control which is dependent on system-generated reports or other system calculations, management needs to test relevant system application level controls and related general controls. The relevant key controls over compliance that broker-dealers have implemented likely include a combination of manually performed controls, automated system controls and certain manual controls which have an inherent IT system dependency (e.g., such as the systematic determination of possession or control segregation deficits which occur prior to the manual follow-up procedures performed by management to promptly resolve such deficits). Broker-dealers need to make certain that all relevant automated controls, as well as manual controls that have an IT dependency, are identified and tested to ensure the configuration logic and other general control considerations have been adequately addressed. In developing an approach to internal control over compliance, broker-dealer management teams should develop an inventory of key IT systems and applications affecting their compliance processes and control activities. Next, management needs to identify and test appropriate risk points in IT application controls to support an assertion that such controls are effective. A majority of the respondent firms (81 percent) have an IT environment that includes internal proprietary systems, as well as major brokerage industry thirdparty service provider systems. Is your Internal Control Over Compliance impacted by third-party service organizations (e.g., SUNGARD, BROADRIDGE, etc.)? Yes 81% No 19% Broker-dealers should ensure that any third-party service provider systems relied upon in connection with their internal control over compliance are evaluated in the same manner as they evaluate their own internal proprietary systems. The completeness and accuracy of systemgenerated reports produced by third-party service providers should be addressed in relevant SOC 1 reports (Reports on controls at a service organization relevant to user entities internal control over financial reporting prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16); if they are not, broker-dealers will need to perform alternative manual control procedures to ensure the completeness and accuracy of such information prior to utilizing such reports in their internal control efforts. Otherwise, broker-dealers will run the risk of placing inadvertent reliance on these key vendor-produced reports, which could impact their overall internal control over compliance conclusion. International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

11 KPMG s National Broker-Dealer Practice Survey Results 11 Has your organization performed testing over the completeness and accuracy of reports that are produced by a third-party service provider that are not specifically covered by control objectives included in the SSAE 16/SOC 1 service auditors report? Yes 31% No 69% Recent PCAOB Inspection Findings On August 18, 2014, the PCAOB issued its third report on the progress of its interim inspection program for auditors of brokers and dealers. Specifically, the PCAOB noted 31 audits where information produced by service organizations was utilized in connection with audit procedures that were not sufficiently tested and 15 audits where records and reports produced by brokerdealers were not sufficiently addressed. In light of these PCAOB findings, broker-dealers and their auditors need to pay particular attention to any system-generated records or reports and ensure appropriate consideration has been given to the completeness and accuracy of such records and reports that may impact a broker-dealer's internal control over compliance. CONCLUSION Many thanks to the professionals who participated in the survey. It is their valuable input that has made these insights possible. Most firms are well on their way to ensuring they establish an appropriate basis to support compliance with the new Rule 17a-5 reporting requirements. In analyzing the results of this survey, we believe that firms that have established an appropriate governance framework with cross-functional teams from finance, operations, compliance, and IT appear to be better positioned to identify the relevant internal controls most important for compliance. In closing, implementation of these new reporting requirements is not a one-size-fits-all approach. The more complex the firm, the more robust the governance process should be, and the more likely compliance exceptions will be identified and evaluated in a timely manner. Whatever the size of your firm, taking the necessary time to design a thoughtful approach which makes sense for the specific circumstances of your compliance profile is critical. This is going to be an annual requirement, so what you build today will be your foundation for a successful compliance track 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network record of independent tomorrow. member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS

12 About KPMG s National Broker-Dealer Practice KPMG s National Broker-Dealer practice is an industry leader, conducting more annual financial statement audits pursuant to SEC Rule 17a-5 than any other professional services firm. The National Broker-Dealer practice consists of dedicated Audit, Tax and Advisory partners and managing directors who serve the industry together throughout the U.S. Below are key members of this practice who participated in the development of this survey and can be contacted for further insights and discussion regarding this topic or any other relevant brokerage industry topic. For more information on our industry qualifications, click here, or contact key members of KPMG s Broker-Dealer practice today. Jeff Bierman St. Louis, MO [email protected] John Cavallone Roseland, NJ [email protected] Mike Dimitriou Chicago, IL [email protected] Doug Duer Charlotte, NC [email protected] Aidan Dunne San Francisco, CA [email protected] JoAnne Gratiot Los Angeles, CA [email protected] Anthony Kitchener Los Angeles, CA [email protected] Bill Long Minneapolis, MN [email protected] Howard Margolin Partner Advisory New York, NY [email protected] James R. McConekey New York, NY [email protected] Dan McIsaac Director Regulatory Advisory New York, NY [email protected] Johnny Minassian Beverly Hills, CA [email protected] Mark H. Price Principal in Charge, National Tax Leader, Banking & Capital Markets Washington, DC [email protected] Karl Ruhry New York, NY [email protected] Carl Scheuten Roseland, NJ [email protected] Michael D. Smith New York, NY [email protected] Rebecca Sproul Miami, FL [email protected] Chris Trattou Partner, National Audit Industry Leader, Capital Markets New York, NY [email protected] kpmg.com The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The perspectives of survey respondents do not necessarily represent the views of KPMG LLP. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS