An Introduction to the RIA Compliance Audit Process

As the owner, officer, Chief Compliance Officer, or manager of a Registered Investment Advisor (RIA), you should be aware that your firm will at some point be audited by your federal or state securities regulator. To help your RIA prepare for the inevitable compliance audit, the Mock Audit and Exam Team at Advisor Guidance has prepared the following overview of the RIA compliance audit process.

As a guide, this overview provides answers to common questions associated with the audit process and includes some helpful tips on how to prepare your RIA for a regulatory exam.

A Brief Background on RIA Audits and Examinations

RIA audits, or examinations, are conducted by either the U.S. Securities and Exchange Commission (SEC) or by state securities regulators. The SEC is granted examination authority by Section 204 of the Investment Advisers Act of 1940 as amended, which states “All records (as so defined) of such investment advisors are subject at any time, or from time to time, to such reasonable periodic, special, or other examinations by representatives of the Commission as the Commission deems necessary or appropriate in the public interest or for the protection of investors.”  The various state regulators are also granted the same or similar authority through their respective securities or regulatory statutes, which apply similar language to Section 204.

The SEC’s Division of Examinations, formerly known as The Office of Compliance Inspections and Examinations (“OCIE”), is the branch of the SEC that administers the SEC’s nationwide examination and inspection program. 

A state-registered RIA is examined by its home state’s securities industry regulator, which like the SEC has an examinations division to administer an inspection program.  New York is one exception to the rule – although the state has a securities regulatory division in the Office of the Attorney General, New York does not conduct RIA audits.  State-registered RIAs are also subject to examination by the securities regulator in each state where the firm is registered, even if the firm does not have a separate branch office there.  However, it is rare that a non-home state securities regulator will conduct an RIA audit, which is generally only conducted if fraud or other criminal activity is suspected.

What is the Goal of an RIA Audit?

SEC and state regulatory audits are designed to identify fraud and other violations of the securities laws, foster compliance with those laws, and help ensure that the regulators are continually made aware of developments in areas of potential risk related to investment advisory firms.  These examination programs play a critical role in ensuring compliance with the rules and regulations of the RIA industry.  Ultimately, RIA regulators seek to help protect the citizens in their respective jurisdictions.  As such, in the “post-Madoff” RIA regulatory environment, investment advisors should expect more targeted examinations.

The Three Types of RIA Compliance Examinations

• Routine Inspection
• For Cause Inspection
• Sweep Examination

Most RIAs will undergo a Routine Inspection within the first 12-18 months following initial registration, and every three to five years thereafter.  The length of time between audits varies, and will depend heavily on the level of risk and investment advisory services offered.  Initial Routine Inspections for newly registered RIAs tend to be limited in scope, with the goal of ensuring RIA compliance with the books and records requirements, for the regulators to get an understanding of the RIA’s intended business model, and to “assign” a level of risk to the firm for future examination priorities.  Routine Inspections for RIAs that have been operating longer than one or two years tend to be broader in scope, with the goal of ensuring RIA compliance in all areas of the applicable securities laws and rules.

A For Cause Inspection will be conducted when the SEC or state inspections division suspects RIA activity that violates a specific area of rule or law.  These types of inspections are typically triggered by a customer complaint filed directly with the SEC or state securities commission.  Although a For Cause Inspection may be narrow in scope, it is no less serious and important than a Routine Inspection.

Sweep Examinations are targeted inspections conducted by both the SEC and states, with the goal of gathering data and information for rulemaking purposes.

What to Expect During an RIA Compliance Audit

The first thing to understand is that the SEC and states have broad jurisdictional authority to conduct examinations and may request access to practically all documents and information related to the business of the RIA. An RIA’s employees should in no way impede the conduct of an examination, absent a sound legal argument.  

Most examinations are scheduled in advance and may be conducted in-person or virtually.  From time to time, however, SEC and state examiners will conduct a surprise on-site examination and arrive unannounced at the RIA’s principal office or a branch office.  In all cases, the RIA’s Chief Compliance Officer should be the individual responsible for interfacing directly with the examinations team.  On-site examiners should immediately be allowed into the RIA’s office and their credentials (i.e., SEC or state issued identification cards) should be requested and photocopied.  If the examination is to be conducted virtually, the Chief Compliance Officer should first call the SEC or state securities regulatory division to confirm the audit is authorized.

RIA staff should be prepared to provide access to any requested firm books and records.  Audits scheduled in advance will generally include a list of books, records, and other information that must be provided by a certain date.  In some cases, the RIA will only have a few days to produce the requested documents and information.

The length of an examination varies and will depend upon a variety of different factors, including but not limited to, the breadth of books and records requested, interviews of key personnel, the level of the RIA’s risk, number and type of clients, type of investment advisory services offered, the RIA’s other business activities (if any), and the RIA’s responsiveness to the examiners’ questions and records requests.  Compliance and regulatory issues uncovered during the examination tend to lead to other issues, which will further extend the length and scope of the examination.

Following the interviews and document gathering, the examiners will spend weeks and sometimes months reviewing the information – and may request additional information or conduct follow-up interviews – before issuing an examination report.  The report will identify deficiencies (if any), cite the relevant statute or rule, and require the RIA to take steps to address the deficiency to achieve compliance.  Generally the RIA will have 30 days to send a written response to the examinations team explaining how the deficiency was addressed and the compliance policies and procedures that were developed to prevent a future deficiency.

When the SEC or state examinations team is satisfied with the RIA’s response to its report or has identified no deficiencies, a closing letter will be issued.

How to Prepare Your RIA for an Audit

Proper preparation for an investment advisor regulatory examination begins long before the auditor schedules an examination and arrives in your RIA’s office.  As long as your firm performs and documents risk assessments and compliance tests, adheres to its internal compliance policies and procedures, and conducts an annual firm-wide review you shouldn’t expect too many surprises. 

Here are a few best practices to consider before and during your firm’s RIA compliance examination:

• Before

  • Ensure your RIA keeps and maintains all books and records required by SEC Rule 204-2 and has established and implemented a compliance program as required under Rule 206(4)-7.  State registered RIAs should adhere to the relevant state regulatory requirements regarding books and records and compliance policies and procedures.
  • The Chief Compliance Officer should conduct no less than annual reviews of the firm and its associated persons, and document the review and any actions taken to address compliance issues.
  • Know where all required books and records are kept and have a system in place for retrieving and providing records upon request or within a short period of time.
  • When in doubt, engage with an independent compliance consultant like Advisor Guidance to conduct a mock audit of the firm.  The mock audit should be structured based on a Routine Inspection conducted by the SEC or state regulators, as applicable.

• During

  • Be professional and courteous to the examination or inspection team members.  They understand that the examination is intrusive, time consuming, and stressful for you.
  • RIA staff should provide the SEC or state inspections or examinations team with an office or desk where they can set up, conduct interviews, and review documents.
  • In the case of an SEC RIA examination, the RIA may elect to submit a written request that all information collected during the examination is blocked from disclosure in a Freedom of Information Act (FOIA) request.
  • The RIA should grant interviews and provide copies of any books and records requested by the SEC or state examiners.  
  • Objections to any requests for information or documents should be in writing and should be rooted in a sound legal argument or have a reasonable explanation.  However, the SEC and state securities regulators have broad legal authority to request information directly and indirectly related to the RIA.
  • When the examination report is delivered to the RIA, work quickly to resolve any deficiencies and provide a written response outlining the steps taken by the RIA to address the deficiencies.
  • Keep a copy of the examination report and closing letter in the RIA’s books and records.  Review the examination report annually to ensure the firm has achieved compliance with the reported deficiencies.