This User’s Guide is designed to help you prepare for an SEC examination using the resources found on CCO Companion.
Whether it is your firm’s first regulatory audit or its fifth, facing an SEC examination is a daunting experience. And unlike most experiences where the anxiety caused by the anticipation of the event is worse than the actual event itself (think root canal), the stress experienced during an SEC examination can often exceed your worst expectations (think root canal without Novocain). It is important to understand, however, that the actions you take prior to that dark day you receive notification of a regulatory exam go a long way toward ensuring a successful outcome.
There is both an internal and external component to preparing for an SEC exam. The internal component involves looking at your firm’s existing compliance program and determining whether you are in compliance with all its stated requirements. If your compliance manual states that your firm is required to undertake a certain compliance task, then you must confirm that you are actually undertaking that task (and, of course, documenting that you are doing so). This aspect of exam preparation is primarily a function of your firm’s risk assessment, compliance testing and annual review processes and should (already) be fully integrated into your existing compliance program.
The external component involves looking at what the SEC typically expects from an adviser before the examination process and assessing how your firm would fare when trying to satisfy those expectations. While you might think that being in compliance with your firm’s own policies and procedures would be enough to satisfy SEC examiners, that is rarely the case. This is because a significant portion of the SEC examination requests are based on best practices. Unfortunately, best practices have long been the nemesis of investment advisers – not from a lack of desire to implement best-in-class procedures, but rather, from a lack of understanding as to what constitutes best practices at any given moment. There are ways, however (and this User’s Guide will show them to you) to stay in sync with SEC expectations and, in so doing, better position your firm for examination success.
CCO Companion Resources
CCO Companion contains a variety of resources designed to help you prepare for an SEC examination.
The SEC Examinations section of compliance Reference Library contains an abundance of helpful exam prep material.
These resources include:
- National, Regional, Sweep and Limited Scope SEC Document Request Letters.
- The SEC Enforcement Manual and other governmental information regarding how an examination is conducted and explaining your rights during the examination process.
- Information from the SEC’s Office of Compliance Inspections and Examinations regarding compliance areas typically reviewed and compliance deficiencies commonly found.
- The yearly examination priorities of the SEC’s Office of Compliance Inspections and Examinations.
- Speeches made by various SEC officials regarding compliance in general and the examination process in particular.
In addition, the SEC Document Request resource in the Reference Library contains sample SEC examination document requests, only here they are broken down by Compliance Topic (i.e., Advertising, Books and Records, etc.) and then, for greater specificity, by Compliance Sub-Topic (i.e., Performance Advertising, Social Media, Electronic Records, etc.).
This allows you to zero in on a particular area of concern and see what the SEC will specifically request for that particular area of compliance.
The Checklists folder in Tools contains a wide variety of compliance checklists that you can use to measure the status of your advisory firm’s compliance program.
Preparing for the SEC Examination
As stated above, proper exam preparation consists of both internal and external elements.
While the primary focus of this User’s Guide is on the “external” aspects of exam preparation, CCO Companion does contain all the resources required to complete the “internal” portion of your exam preparation. CCO Companion provides detailed User’s Guides for the necessary compliance activities, including:
- Risk Assessment
- Compliance Testing
- Building an Effective Compliance Program
- Annual Compliance Review
The processes detailed in these User’s Guides will allow your firm to answer the basic question of this part of exam preparation – is your advisory firm satisfying all the requirements of its own compliance program?
We also suggest that you prepare a “requirements chart” of your compliance responsibilities. You do this by going through your compliance manual, code of ethics and other relevant compliance documentation line-by-line and create a list of each requirement that your firm is responsible for satisfying. You should then go through each requirement on the list and determine whether you are indeed undertaking the required activity and, if so, how it is being documented. Remember that with the SEC, if it has not been documented it has not been done. If you need extra motivation to take this time-consuming activity, know that the SEC does exactly the same thing and will take a dim view of any adviser that is not able to prove that they are in compliance with the requirements of their own compliance program.
Finally, you should make certain that your firm’s disclosure documents:
- Address all required areas;
- Accurately reflect the conduct of your advisory business; and
- Adequately disclose all relevant conflicts of interest.
You can use the Form ADV Part 2A and Form ADV Part 2B checklists found in the Checklists folder of Tools to help you make these determinations.
You must also ensure that your disclosure documents do not contradict each other and are consistent with both your advisory agreements and marketing material, including your web site and any social media platform where your firm maintains a presence. For example, you do not want the fee schedule in your Form ADV Part 2A to differ from what is in your client agreement nor do you want the professional certifications listed on your web site to differ from the disclosures made in your brochure supplement.
The key thing to keep in mind about all these “internal” matters is that they all are entirely within your control. That is why SEC examiners can get rather ornery when a firm does not have its own compliance house in order.
External preparation begins with understanding what the SEC’s Office of Compliance Inspections and Examinations (OCIE) is focusing on in any given year. It is just common sense to stay abreast of what OCIE considers to be the “hot topics” in the world of investment adviser compliance. Fortunately, at the start of the year, the SEC lets advisers know exactly what compliance subject areas are going to be of particular interest to them for the coming year. If you are unfamiliar with this type of SEC guidance, we suggest you start your exam preparation by reading the following National Examination Program releases (found in the SEC Guidance sub-folder of SEC Examinations):
- Examination Priorities for 2013
- Examination Priorities for 2014
- Examination Priorities for 2015
- Examination Priorities for 2016
The reason we feel you should not confine yourself to reading just the most recent release is that past areas of SEC interest do not necessarily fade away. In fact, if you look at the 2013 and 2014 priorities, you will quickly see they are still of great concern to the SEC today:
- Safety of Assets and Custody
- Conflicts of Interest Related to Compensation Arrangements
- Conflicts of Interest Related to Allocation of Investment Opportunities
Since the SEC is telling you what their main areas of concern are during an examination, it would be prudent to focus at least your initial exam preparation on these specific areas.
In the SEC Guidance sub-folder of SEC Examinations, there are also two very topical National Exam Program Risk Alerts discussing OCIE’s cybersecurity examination initiatives. Given that cybersecurity is such a red hot topic that it warrants its own exam focus, we strongly urge you to take advantage of the information provided by OCIE in these Risk Alerts. Both the 2014 and 2015 OCIE Cybersecurity Examination Initiatives contain a sample list of information that the SEC may review in conducting examinations of registered entities regarding cybersecurity matters. We have recast the information contained in these cybersecurity releases into two comprehensive checklists:
- Cybersecurity Information Requests; and
- Cybersecurity Preparedness.
Both of these can be found in the Checklists folder of Tools. You should use these checklists to gauge your level of compliance with SEC cybersecurity expectations.
OCIE’s strong interest in safeguarding client information warrants incorporating the following additional checklists into this phase of your exam preparation:
- Red Flags Identity Theft; and
- Information Security Program.
If you think this is a bit of overkill on the subject matter, you are right. But remember that in 2015, the SEC levied a $75,000 fine against a small (by SEC-registration standards) advisory firm for failing to adopt proper cybersecurity policies and procedures.
Now that you have tackled the prime areas of recent concern, it is time to turn your attention to nuts and bolts of the SEC document requests. To ensure that your firm is fully prepared for an SEC exam, you need to run through one or two document request letters and determine if your firm can produce the requested information (and can do so in a timely manner).
As stated above, you can find a myriad of sample SEC Document Request Letters in the SEC Examinations section of the Reference Library. The question then becomes, which request letter or letters best fits your firm? The answer is that it depends on the particular characteristics of your advisory firm. Since we are not privy to such information, we can only make some general recommendations that will help with your preparation.
Advisers registered with the SEC for less than two years should start with the SEC Sweep Letter for New Advisers (2012). If available, all firms should make use of a SEC Document Request Letter from their particular regional office. If your particular region is not available, you should select the request letter for another region. Currently, the Reference Library contains letters from the following regions:
- Atlanta (2011)
- Boston (2015)
- Chicago (2012)
- Denver (2011)
- Los Angeles (2011)
- Miami (2011)
- New York (2015)
- Philadelphia (2009)
- San Francisco (2010)
We also think that advisers should test their capability to respond to the following SEC Sweep Letters:
- Custody (2009)
- Pay-to-Play (2009)
- Social Media (2010)
Finally, it would be prudent to look at the most recent SEC Document Request Letter in the Reference Library to see if there have been any significant changes as of late.
While some of SEC Document Request Letters may seem dated, there really has not been any significant changes in the Advisers Act Rules since 2009 that would affect the basic document requests. So working with any of the Regional and Sweep request letters even from as far back as 2009 should still benefit your firm. We do urge you to look at two or three different request letters to ensure that your firm is exposed to a variety of examination material.
Some compliance tasks are nuanced and take a bit of finesse. Preparing for an exam is about brute force – the willingness to take on a burden that, at least for its external component, is not part of your firm’s normal compliance routine. But preparing for an SEC examination is one of those things in life where you will eventually enjoy the results of your efforts. In this case, enjoyment translates into less deficiencies, a shorter exam and perhaps most importantly, a reduced level of stress.
The information provided in CCO Companion is not intended to represent every possible action an adviser should take to prepare for a regulatory audit. The intent is to provide a general sense of what an adviser can do to prepare their firm for an SEC examination. Because each investment adviser runs their firm differently, certain of the suggested actions may not be applicable to the particulars of every advisory business.
CCO Companion has been developed to be just that – a companion and not a substitute for an individual assessment of any one particular investment adviser’s advisory business or compliance obligations. Accordingly, the information contained herein is not intended to constitute legal or compliance consulting advice. While CCO Companion was developed to afford users with a wide-range of information, the information provided is not intended to represent the entire universe of legal and regulatory resources. Like most tools, CCO Companion has inherent limitations – unforeseen regulatory changes, the level of expertise of the end-user, the difficulty with factoring in all existing types of advisory business models and the impossibility of anticipating all types of compliance issues that may be applicable to any one particular investment adviser.