For many in operations, when you’re notified of a pending SEC audit, your first instinct might be worry and panic. But, like any regulated industry, periodic examinations will take place, so why not put a system in place to ready your organization?
The following are the steps we recommend when an office is first notified of its pending audit. These steps are designed to help you prepare and take the stress out of the situation.
1. Notify all staff.
Because all staff will play a role in preparing for the audit and several will actually be involved in the audit, they all need to be aware. Some will gather information, some will be interviewed, and some will assist in continuing on with the daily activities to keep the business moving. Let the team know that everyone has a role to play, either directly or indirectly.
Getting audited doesn’t suggest that you did anything wrong. This is a regulated industry and that means you will be examined on a routine basis.
2. Make essential service providers aware.
Notify those service providers that are essential to your day-to-day activities. This includes custodians, technology vendors like trading and investment research platforms, other independent managers. Let them know that you will be undergoing regulatory audit and inform them that you may need to call on them to support information requests.
3. Notify your compliance resource.
If you use a third-party compliance resource (compliance consultant or regulatory counsel) make them aware that you’ve received confirmation of an audit. Provide them with the initial request letters from the regulatory organization.
It is also advisable to schedule a call with your compliance resource to review the request letter from the regulator to get clarity on the data the SEC is requesting and to get advice for the verbal interviews.
4. Gather the data requested.
Pull together the data that was requested on the initial request letter. Maintain control of the examination by providing only the data that was requested. Providing more or less data is not recommended.
Remember that the SEC prefers to work with electronic records, so the more data you can provide electronically, the more efficient the entire audit process will be.
5. Perform an internal review of the data prior to submission to the regulator.
Whenever an audit is requested, the organization will provide a date by which the data request is due. Typically, limited-scope exams tend to be due approximately one week from notification and full scope exams approximately two weeks from notification.
It’s good practice to have an internal review prior to submission. With the internal review, we recommend a tag team process where one individual generates the data and the other reviews it for accuracy against the request.
It’s also good practice to keep an electronic version of all data submitted to the regulator for future reference.
6. Conduct a staff preparation meeting.
First, again remind all staff that there is nothing to fear with this process. It’s part of being in a regulated industry.
A day or two before the examination, conduct a staff meeting to help everyone prepare, set expectations and review roles and rules for the team members.
The chief compliance officer should manage the examination. All requests for information, etc., go through that individual and all interviews must include the CCO.
Finally, remind the team to answer only the questions asked by the examiner. Do not include more information than was asked for verbally or in writing.
7. Finally, be polite and maintain control.
The examiners are simply doing their job. It’s best to answer the questions and be hospitable. If you keep your cool, you’ll remain in control.
If you follow these tried and true recommendations and a solid set of compliance best practices, policies and procedures, you have nothing to fear and audits will become much less stressful.