I continue to spend the majority of my time preparing firms for SEC exams. The extent of preparation depends upon the scope of the firm’s advisory operations. In that regard, the firm needs to discern to what extent the questions on the current SEC exams are applicable to its operations and how prepared the firm is to respond to them. For example, a firm that does not use performance composites; sponsor, manage or recommend private investment funds; or sponsor wrap fee programs can merely respond to such questions by indicating those issues are not applicable to the firm’s operations. Of course, for certain issues that the firm seeks to label as not applicable (especially custody), the SEC may request confirmation of a review or test conducted by the advisor to determine same (e.g., standing letters, passwords).
Of course, certain items on the exam will apply to all registered firms, such as disaster recovery and business continuity plans, information and cybersecurity measures, the adequacy of the firm’s ADV disclosures and policies and procedures, and evidence that the firm’s chief compliance officer has conducted an annual review (and a corresponding risk assessment) of the firm’s polices and operations. These are items totally within the control of the firm.
From my perspective, a firm’s preparedness can be gleaned by the commission from the scope and adequacy of its annual review and corresponding risk assessment. If done correctly, the risk assessment can be used as a proffer for the exam (to demonstrate what items on the exam are applicable to the firm’s operations), which, together with the annual review, will identify the applicable issues. I continue to prepare these critical documents for my clients as part of an on-site compliance review, together with a “customized” compliance calendar and checklist of the corresponding compliance-related tests undertaken by the firm to demonstrate that it has adequately addressed the issues referenced in the risk assessment and annual review.
The only way to ensure that these three documents (assessment, review and calendar) and your policies and procedures are exam-based is to review the most current SEC exams on an ongoing basis. By so doing, the firm knows what is and is not applicable, and how to provide the corroborating documentation during the exam process.
However, this is where the SEC could do a much better job. The reason why I referenced “exams” plural is because there is no one SEC exam. I know this because I’ve seen many exams received by my clients during the course of a calendar year. Unfortunately, too often the questions on the exams differ based upon the SEC branch office and, sometimes, within the branch itself. I am not referring to an exam with a number of questions geared to private fund managers or wrap program sponsors (the examinations of these types of advisors should contain such specific questions).