In the ever-expanding area of operational due diligence, a major focus is given to the operational integrity and risk controls of a hedge fund’s service providers. Of specific concern are those firms with direct access and control of a fund’s assets: administrators and custodians. Some level of risk-management comfort is given by a certification of the service provider’s processes by an SAS 70 audit by an independent audit firm. Coming in June 2011, the current SAS 70 examination guidelines will be superseded by Statement on Standards for Attestation Engagements 16, or simply SSAE 16.

Currently, successful completion of a SAS 70 audit represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In my fund-of-funds firm, we seek this certification from not only our fund’s service providers but also of those for the underlying funds that we invest in. One technical hitch that can arise in getting access to the SAS 70 reports for the external hedge funds’ service providers arises from the fact that the reports are not meant to be distributed beyond the service provider’s direct clients and their auditors. Not a huge hurdle if you can rely upon a representation of the SAS 70 audit, but there’s an increasing the need to see and verify, which may be solved by a disclosure option under the new SSAE 16.

SSAE 16 highly similar to its SAS 70 predecessor again seeks to have the service organization demonstrate the establishment of control objectives and effectively designed control activities. (As part of the migration from GAAP to IFRS, it has complies with the new international service organization reporting standard – ISAE 3402, for the accounting technicians). SSAE 16 will have three reporting levels, identified as SOCs (Service Organization Controls), two of which can enable external distribution of results. Between the migration to international standards and ability for greater dissemination of reports, one can forecast an increase in demand for these audits.

As the demand for attestation as to service provider controls increases, a greater burden increases on the smaller service providers to have audits of their processes and controls. Many operational due diligence personnel are somewhat wary of firms of small scale, as perceived enterprise risk for these firms are higher. For these small firms, an SSAE 16 examination may be a business imperative.

Matthew Jenal, Senior Advisor, CADOGAN MANAGEMENT, LLC

Executive Board Member, HFBOA