Internal Controls Over Compliance
December 10, 2019
By Brian Hardenberg
Some broker-dealers not only have to contend with compliance with Internal Controls Over Financial Reporting (ICFR) for Sarbanes-Oxley, but also with Internal Control Over Compliance (ICOC). ICOC is intended to focus on a broker-dealer's oversight of custody arrangements and protection of customer assets. It provides reasonable assurance that the information stated on reports and filings like 15c3-1 and 15c3-3 is complete and accurate, and that non-compliance with Securities Exchange Act of 1934 Rules 15c3-1, 15c3-3 or 17a-13, or with any rule of the broker-dealer's designated examining authority that requires account statements to be sent to the broker-dealer's customers, will be prevented or detected on a timely basis. Annually, broker-dealers must prepare financial reports as well as a compliance report or an exemption report. The broker-dealer will prepare and file a compliance report if it did not claim exemption from Exchange Act Rule 15c3-3 (Custody Rule); otherwise, an exemption report will be filed. The compliance report includes statements as to whether the organization has internal controls over compliance for Rules 15c3-1, 15c3-3, Exchange Act Rule 17a-13 and applicable designated examining authority rules, and includes discussion of material weaknesses, if identified. Broker-dealers are required to engage an independent public accountant to audit the annual financial, compliance and/or exemption report.
How can internal audit assist? Like ICFR, internal audit can have a vital role in the development and ongoing monitoring of an ICOC framework. Projects may include but are not limited to the following:
- Consulting (Readiness and Implementation)
- Internal Control Design Assessment
- ICOC Policy Development or Review
- Internal Control Effectiveness Assessment
- ICOC Continuous Monitoring
Internal audit can give management an independent and objective assessment of the ICOC framework prior to the independent annual audit. The information internal audit shares can improve operations and give management insight into the effectiveness and compliance of the ICOC framework. If issues or process improvements are identified, management can take the necessary steps to address any underlying issues prior to the annual audit. An effective internal audit department or third-party service provider can be an asset to management in mitigating risk and complying with ICOC.