SOC 1 Isn’t a Free Pass: Why Fund Managers Still Need Strong Internal Controls

Many fund managers take comfort in knowing their fund administrator has a SOC 1 Type II report. That confidence makes sense. A SOC 1 Type II report provides independent assurance that an administrator has designed strong internal controls over financial reporting and operated them effectively over time.

However, many managers still believe that an administrator’s SOC 1 removes the need for fund-level controls.

It does not. Every SOC 1 report relies on Complementary User Entity Controls (CUECs)—controls fund managers must implement to allow the administrator’s controls to operate as designed.

What Are Complementary User Entity Controls?

CUECs form a required component of every SOC 1 report. They define the controls that sit outside the administrator’s scope but remain critical to the overall control environment.

In practice, an administrator’s controls assume the fund manager performs certain activities correctly. When fund managers fail to meet those assumptions, the SOC 1 loses effectiveness.

Fund managers typically must:

  • Provide complete and accurate data to the administrator
  • Review and approve NAVs and investor reporting
  • Authorize capital calls, distributions, and expenses
  • Oversee valuation inputs and non-standard transactions
  • Maintain clear governance and escalation procedures

These controls do not need to be complex. They do need clear ownership, documentation, and consistent application.

Why CUECs Matter for Audits and Oversight

During audits, external auditors do not rely on an administrator’s SOC 1 in isolation. They evaluate whether the fund manager has implemented the relevant CUECs referenced in the report.

When fund managers operate without documented or consistent controls, auditors often expand testing, issue control observations, or reduce reliance on the administrator’s control framework.

Investor expectations reinforce this approach. Institutional LPs increasingly expect fund managers to demonstrate strong internal oversight, even when they outsource operational execution.

Outsourcing operations does not outsource accountability.

What Small Teams Can Do in Practice

Managers with lean teams often argue that building a control environment feels unrealistic. In practice, small teams do not need layered processes or additional headcount. They need clarity, discipline, and documentation.

Effective approaches for small teams include:

  • Assigning formal review responsibility to a partner or senior executive, even if execution is outsourced
  • Using simple approval evidence, such as documented email sign-offs or portal-based approvals
  • Performing focused reviews on high-risk areas like NAVs, capital activity, and valuation changes
  • Maintaining short, written procedures that explain how and when reviews occur
  • Leveraging administrator reporting and exception logs rather than duplicating work

Auditors do not expect small managers to operate like large institutions. They expect controls that are appropriate to the size and complexity of the fund.

Common Gaps We See in Practice

Fund managers most often encounter CUEC gaps where teams rely on habit rather than defined processes. Common gaps include:

  • Informal or undocumented NAV and report reviews
  • Inconsistent approval of investor transactions
  • Limited oversight of valuation assumptions
  • Weak controls over changes to investor banking details
  • Unclear escalation and issue-resolution processes

To address these areas, fund managers benefit from structured self-assessments. We have published a one-page Complementary User Entity Controls checklist that outlines the strong internal controls auditors most commonly expect to see in place. Teams use this checklist to support audit preparation and ongoing oversight.

Conclusion

A SOC 1 Type II report provides a strong foundation for a sound control environment, but it does not replace fund-level controls.

Effective operating models recognize shared responsibility. Administrators execute controls at scale. Fund managers provide governance, oversight, and informed review.

When fund managers clearly define and consistently apply strong internal controls—and periodically validate them using a structured checklist—they reduce risk, streamline audits, and strengthen investor confidence.

The question is no longer whether fund managers need controls when their administrator has a SOC 1. They do. The real question is whether those controls can withstand scrutiny.

Please contact Keith Donald at [email protected] or 1-604-559-8920 to enhance your control environment.