With the SEC’s greater emphasis on risk-based exams, SEC examiners’ primary focus is on an adviser’s controls and procedures. As such, they will perform an evaluation of the effectiveness of those controls. Where those controls are found to be weak and ineffective, or worse yet, non-existent, the adviser will be considered high-risk, and will have more frequent and in-depth exams. This, of course, is something advisers want to avoid at all costs. As the saying goes, you get once chance to make a first impression and with the SEC it best that the first impression be a good one.
Based on the results of SEC enforcement actions, common deficiencies with respect to internal controls include:
- Failure to adopt effective or relevant compliance policies and procedures;
- Failure of the advisory firm to follow tits own polices or procedures;
- Failure to test the effectiveness of the firm’s policies and procedures; and
- Failure to use the results of testing as a basis for strengthening any weaknesses or gaps found.
To avoid these problems an advisor should:
- Before drafting policies and procedures, identify the statutory and regulatory requirements that must be met and also identify where business operations pose the greatest risk to clients.
- Monitor and test whether the procedures are working and the policies are being carried out.
A great exercise for an adviser to conduct is to go through their compliance manual line by line, list all stated requirements and confirm that such requirement is being satisfied. If not, determine why. Remove it if not applicable. This is no idle suggestion as the SEC will pretty much do the same thing when they conduct an examination of your firm.