SAS 70: The mother of all audits

Few private equity firms have undergone thorough and expensive SAS 70 audits. But as the asset class matures and firms, especially multi-platform players, become bigger and more diverse, this yearly check on controls might become the standard in the US.

As US private equity firms increase their funds under management and the complexity of their operations, they may soon want to consider adding another certification to their credentials: The American Institute of Certified Public Accountants’ Statement on Auditing Standards No. 70: Service Organisations, more commonly known as SAS 70.

A SAS 70 audit is essentially a third-party audit of an organisation’s internal controls, particularly regarding those parts of the organisation that have custody of client assets or information. SAS 70 has been around for decades, but until recently, most private equity firms were simply too small to have this type of review performed – a five-person partnership likely doesn’t have enough segregation of duties to be able to demonstrate a process of checks and controls.

It is similar to FRAG 21, FRAG being the Financial Reporting and Auditing Group of the Institute of Chartered Accountants in England and Wales. Many European LPs ask investors for a FRAG 21 where US LPs would request a SAS 70.

At least two large private equity firms are currently undergoing this audit: Capital Dynamics (based in Zug, Switzerland but with US offices) and Boston-based HarbourVest. Both are certainly large and complex asset managers. Capital Dynamics manages more than $20 billion, and its business lines include fund of funds, co-investments, separate accounts and structured private equity products. HarbourVest manages more than $30 billion, and runs funds of funds, secondary and direct investment programmes.

HarbourVest’s decision to undertake a SAS 70 audit was driven by client requests, the firm’s commitment to an institutional quality back office, and its assets under management. As more investors enter the asset class and the industry matures, LPs are beginning to expect that private equity firms have a SAS 70 audit, similar to their other large, institutional money managers.

“A significant number of our clients expressed a view that this was important to them, and that it would make their own audits run more smoothly. Undergoing a SAS 70 audit enables us to continue to be viewed as best in class by our clients and to demonstrate our strong controls and operations, which differentiate our firm from others,” says Martha Vorlicek, the firm’s chief operating officer and chief financial officer.

Since 2006 Capital Dynamics has been certified for ISO 9001, a global quality standard administered out of Geneva. So for Capital Dynamics, going through a SAS 70 certification was a “logical extension”, says Katharina Lichtner, the firm’s head of research and a managing director. Lichtner says this was something the firm would have done even if investors hadn’t asked for it. Capital Dynamics is using a commercially available database that is substantially customised and forms the backbone for the SAS 70 certification. Due to the nature of the certification, the process will take several quarters to complete.

“[SAS 70] is more detailed, on the level of administration, and goes beyond the ISO requirements,” says Lichtner. “However, we very much believe in full transparency, quality controls and processes, in addition to third party validation, and that compliance with SAS 70 will only increase people’s trust in our firm and the private equity industry in general.”

HarbourVest did plenty of prep work prior to bringing in the auditors. “We started the process two years ago,” says Karin Lagerlund, the firm’s controller. “We formally documented our processes, identified key controls, and determined where adjustments were needed, so that when the auditors came in, everything would be in order for their review. We also talked with the auditors about the process to determine the appropriate timing.”

Her team drafted a 35-page report describing the firm’s control objectives, and the key controls in place for each objective. During a six-month period HarbourVest’s auditors came in intermittently to test and verify the accuracy of the report, and last spring HarbourVest issued a Type I SAS 70 report.

A Type I report verifies that controls are in place as of a certain date. Some firms opt to go beyond the scope of a Type I report, and obtain a Type II report which tests not only the existence of key controls, but the functioning of those controls over a period of time as well. A Type II audit is usually carried out annually, and takes several weeks or more to conduct.

The cost, however, depends on the size of the firm as well as how much work the firm does ahead of time to prepare for the audit. Type I audits can cost upwards of $100,000, and performing an additional Type II audit could cost that much again.

The intended audience of these reports is a firm’s clients and their auditors. For example, if one of HarbourVest’s clients is conducting an audit of their own internal controls, their auditor would also need to evaluate the control environment at HarbourVest. A SAS 70 report can be relied upon by the client’s auditors as a confirmation of HarbourVest’s controls, making the audit process run more smoothly and quickly. It’s also a useful reassurance for investors, who are somewhat more worried in the post-Madoff world about who manages their assets and how.

The audit did necessitate some changes in HarbourVest’s controls, but they were mainly changes in the documentation of controls rather than the controls themselves. In the IT department, for example, HarbourVest had to formalise documentation of who is granted access to parts of the system. The firm also needed to ensure all key approval processes included written documentation.

“As the CFO of the company, I sign off on our internal analysis that determines when to call capital from our limited partners and in what quantum,” Vorlicek says. “Our team follows this process and ensures that I approve every capital call. However, we didn’t have a piece of paper with my signature and a date associated with it, and if something isn’t documented, the auditor can’t test it. That’s a simplistic example, but representative of the types of process changes we need to make to be ready for the audit.”