If you are wondering what is involved in an RIA audit, then you probably received notice that the SEC or state regulators will be visiting your office soon. If so, count yourself lucky! They could have chosen to conduct a surprise examination.
There are several potential reasons your firm is being audited. Whether it’s a routine inspection, for-cause inspection or sweep inspection, the regulatory team will know why they’re there and what they’re looking for.
As your firm’s Chief Compliance Officer (CCO), preparation for this inevitable review starts with you, so it’s important to know what is involved in an RIA audit.
How to prepare for an RIA audit
Proper preparation for an investment adviser regulatory examination begins long before the auditor arrives in your RIA firm's office. If your firm performs and documents risk assessments and compliance tests—in addition to conducting an annual firm-wide review—you shouldn’t expect too many surprises.
Here are a few best practices to consider before and during your firm's RIA compliance examination:
RIA Audit Checklist
1. Designate a point person
We strongly recommend designating a point person and making sure everyone in the office knows who this person is—typically the CCO. If you have various staff members assigned to RIA compliance procedures, select one person to serve as the main contact with the auditors.
2. Give the auditors a comfortable place to work
It’s always a good idea to have a conference room or office available that is away from the everyday activities. Show the RIA examiner(s) where the coffee and restrooms are located, but don't be offended if they refuse even a cup of coffee.
3. Prepare a brief presentation on your firm
Consider preparing a brief 5-minute introduction of your firm for the auditors, introducing your firm's personnel and identifying the services offered. This should match the information found in your RIA firm's Form ADV 2A and 2B regulatory filings. It is a good way to show the auditors your firm's preparation and respect for the regulatory audit process. This is also the time to emphasize your firm’s commitment to a “Culture of Compliance”, which sets the proper tone for the balance of the audit. Keep in mind that the auditors will likely already know a lot of this information but will want to hear how you describe your firm.
4. Know where all important documents are located
In an optional entrance interview, the auditors will typically discuss why they are there and begin to ask preliminary questions about your RIA firm. This may also be the time when the examiners present the checklist they use to conduct the exam, if you did not receive a document request when the audit was announced. Be ready, able and willing to assist the auditors with their requests for additional information or documents.
5. Have a system in place to retrieve requested items
The auditor will request numerous documents throughout the audit and will likely ask for copies to take back to their office. If you store all your documents electronically, consider creating a separate online folder that the auditors can access. These requests should go through your “point person”. Remember to make copies of, or keep a listing of, all documents the auditors ask to take. If you’re using paper files, it is good practice to remove the entire file from the file cabinet and take it back to where the auditors are working.
6. Explain any potential deficiencies
Once the regulators are finished with the in-office portion of the audit, they will normally speak with you before they leave. This is called an exit interview; it may cover the auditors’ findings and should give you an idea of what you can expect in a follow-up deficiency letter. Sometimes, you can clear up any potential deficiencies with brief explanations during this interview.
7. Gather the necessary records
SEC Rule 204-2 requires SEC-registered RIA firms to maintain and keep current the records listed below. State regulators will generally use the same list with some slight additions depending on your jurisdiction. The auditors typically review these items in detail and compare them with your updated disclosure documents and current practice.
Records Required During an RIA Audit
The following records are generally required during an RIA audit:
- Receipts and Disbursements Journals
- General and Auxiliary Ledgers
- Order Memoranda
- Bank Records
- Bills and Statements
- Financial Statements
- Written Communications and Agreements (including electronic transmissions)
- List of Discretionary Accounts
- Personal Transactions of Representatives and Principals
- Client Records:
- Powers Granted by Clients
- Disclosure Statements
- Solicitors’ Disclosure Statements
- Performance Claims
- Customer Information Forms and Suitability Information
- Written Supervisory Procedures
The following records are generally required of investment advisory firms who have custody of clients' assets:
- Journals of Securities Transactions and Movements
- Separate Client Ledgers
- Copies of Confirmations
- Record by Security Showing Each Client’s Interest and Location Thereof
The following records are generally required of RIA firms that manage clients' assets:
(Note: these records must be maintained in an easily accessible place for a period of five years from the end of the fiscal year during which the last entry was made, and, for the first two years, the records must be maintained in the investment adviser’s principal office.)
- Client Purchases and Sales History
- Current Client Securities Positions
One of the best ways to know what is involved in an RIA audit is to look at the most common issues uncovered by regulators nationwide.
The North American Securities Administrators Association (NASAA) puts out a biannual survey of state regulators compiling their findings. In the 2019 NASAA Exam sweeps report, the top five RIA compliance deficiencies noted were:
- Books and Records Deficiencies (missing contracts and suitability documentation)
- Registration Issues (mismatched ADV Part 1 and Part 2 filings, fee structure problems)
- Contract Deficiencies (not signed, improper fees, hedge clauses)
- Cybersecurity (inadequate insurance, no testing of vulnerability, security procedures)
- Fees (fee charged doesn’t match contract or ADV, charging miscalculated fees)
It’s simply not feasible to become RIA audit-ready overnight, and it takes more than just establishing a compliance program at your RIA firm to be compliant. When you know what is involved in an RIA audit and have put in the work to prepare, you will find it goes much more smoothly.