For many in compliance and operations, when you’re notified of a pending SEC audit, your first instinct might be worry and panic. But, like any regulated industry, periodic examinations will take place, so why not put a system in place to ready your organization?
As a result of COVID-19, audits will not be conducted on-site (unless absolutely necessary) for the time being.
In any case, the following are the steps we recommend when a firm is first notified of its pending audit. These steps are designed to help you prepare and take the stress out of the situation.
Because all staff will play a role in preparing for the audit and several will actually be involved in the audit, they all need to be aware. Some will gather information, some will be interviewed, and some will assist in continuing on with the daily activities to keep the business moving. Let the team know that everyone has a role to play, either directly or indirectly.
Getting audited doesn’t suggest that you did anything wrong. This is a regulated industry and that means you will be examined on a routine basis.
Notify those service providers that are essential to your day-to-day activities. This includes custodians, technology vendors like trading and investment research platforms, other independent managers. Let them know that you will be undergoing regulatory audit and inform them that you may need to call on them to support information requests.
Unless you are entirely responsible for compliance or if you use a third-party compliance resource (compliance consultant or regulatory counsel), make them aware that you’ve received confirmation of an audit. Provide them with the initial request letters from the regulatory organization.
It is also advisable to schedule a call with your compliance resource to review the request letter from the regulator to get clarity on the data the SEC is requesting and to get advice for the verbal interviews.
Pull together the data that was requested on the initial request letter. Maintain control of the examination by providing only the data that was requested. Providing more or less data is not recommended.
Remember that the SEC prefers to work with electronic records, especially now during COVID-19, so the more data you can provide electronically, the more efficient the entire audit process will be.
Ideally, you want to have all relevant information in one place. Whether or not you know when your next audit is, it makes a difference having everything organized and ready to go at a moment's notice. It's far worse scrambling last minute to find everything.
When it comes to clients' investment reports, other data points and documents, our cloud-based platform, TAMP1, makes it easy for investment firms to access this information.. TAMP1 at its foundation is a data warehouse, meaning the platform brings in data from all sources into one, easy-to-manage and customizable view.
From a compliance standpoint, TAMP1 can help you get some of those necessary data points you need in submitting your report to the SEC.
Whenever an audit is requested, the organization will provide a date by which the data request is due. Typically, limited-scope exams tend to be due approximately one week from notification and full scope exams approximately two weeks from notification.
It’s good practice to have an internal review prior to submission. With the internal review, we recommend a tag team process where one individual generates the data and the other reviews it for accuracy against the request.
If your firm is to be audited during this time, prepare to go electronic. Keep an electronic version of all data submitted to the regulator for future reference.
First, again remind all staff that there is nothing to fear with this process. It’s part of being in a regulated industry.
A day or two before the examination, conduct a staff meeting to help everyone prepare, set expectations and review roles and rules for the team members.
The chief compliance officer should manage the examination. All requests for information, etc., go through that individual and all interviews must include the CCO.
Finally, remind the team to answer only the questions asked by the examiner. Do not include more information than was asked for verbally or in writing.
The examiners are simply doing their job. It’s best to answer the questions and be hospitable. If you keep your cool, you’ll remain in control.
Audits happen, even to those who do everything right. Audits are just standard protocol.
Give yourself plenty of time to prepare. Even if you haven't yet been audited, it never hurts to be ready when the time comes.
If you follow these tried and true recommendations and a solid set of compliance best practices, policies and procedures, you have nothing to fear and audits will become much less stressful.
Our monthly newsletter features helpful resources, articles, and best practices to implement within technology providers and investment firms