How Much Testing Is Enough?
Most compliance officers struggle to determine whether they are conducting enough testing to satisfy their obligations under the Advisers Act. In its release adopting Advisers Act Rule 206(4)-7, the SEC stated that an investment adviser should use “compliance tests that analyze information over time” to determine the effectiveness of its compliance policies and procedures. But where should a compliance officer start?
The usual starting point for most regulatory requirements is the final release of the rule. In this case, it’s the Final Rule for Compliance Programs of Investment Companies and Investment Advisers. The SEC included a list of minimum requirements, stating that “[w]e expect that an adviser’s policies and procedures, at a minimum, should address the following issues to the extent that they are relevant to that adviser:
- Portfolio management processes, including allocation of investment opportunities among clients and consistency of portfolios with clients’ investment objectives, disclosures by the adviser, and applicable regulatory restrictions;
- Trading practices, including procedures by which the adviser satisfies its best execution obligations, uses client brokerage to obtain research and other services (“soft dollar arrangements”), and allocates aggregated trades among clients;
- Proprietary trading of the adviser and personal trading activities of supervised persons;
- The accuracy of disclosures made to investors, clients, and regulators, including account statements and advertisements;
- Safeguarding of client assets from conversion or inappropriate use by advisory personnel;
- The accurate creation of required records and their maintenance in a manner that secures them from unauthorized alteration or use and protects them from untimely destruction;
- Marketing advisory services, including the use of solicitors;
- Processes to value client holdings and assess fees based on those valuations;
- Safeguards for the privacy protection of client records and information; and
- Business continuity plans.”[footnotes omitted]
What Does the SEC Think?
In November 2007, the SEC prepared a document listing forensic tests for portfolio management and trade allocation, brokerage arrangements and execution, valuation, personal trading, safety of client assets and marketing and performance advertisements. Other forensic tests include advisory fees, business continuity planning, privacy and safeguarding client records and information, promoter arrangements, email and proxy voting.
The SEC’s Division of Examinations, EXAMS, issued six risk alerts with guidance on testing best practices for investment advisers: Division of Examinations Observations: Investment Advisers’ Fee Calculations, Safeguarding Customer Records and Information at Branch Offices, Investment Adviser MNPI Compliance Issues, Observations from Examinations of Investment Advisers Managing Client Accounts That Participate In Wrap Fee Programs, OCIE Observations: Investment Adviser Compliance Programs, and Observations from OCIE’s Examinations of Investment Advisers: Supervision, Compliance and Multiple Branch Offices.
Ultimately, the compliance program should provide the adviser with evidence that its policies and procedures are being followed, issues are being identified and addressed, and the program changes to address new areas of risk and regulation. This evidence is crucial to showing the SEC that the firm’s compliance program functions as intended, as required under Advisers Act Rule 206(4)-7.
Developing tests for an adviser’s compliance program is more art than science. First, testing should be tailored to the firm’s risks identified in the risk assessment. Second, the testing program should complement other types of controls to find weaknesses and gaps in the firm’s operations. Finally, the testing should help the compliance team identify trends, patterns, and anomalies inconsistent with regulations or firm policies.
There are limits on what can be tested. Compliance officers must consider whether they can access relevant data in a meaningful format and have the expertise to analyze it. The compliance team must also consider the review period. The period should be long enough to provide meaningful results without being too demanding. Given time and personnel constraints, the compliance team must also consider whether a representative or risk-based sample would be more efficient and effective for the test.
Recommended Tests
Here is a list of typical tests performed by compliance personnel to determine compliance with policies and procedures:
- Review trade errors to ensure errors are corrected in compliance with firm policy.
- Review client billing to ensure that the fees being charged are consistent with the client agreement.
- Review the Best Execution meeting minutes to ensure the firm follows procedures for evaluating best execution, approving requests to add new brokers to the approved list, allocating trades appropriately, and reviewing soft dollar arrangement requests.
- Review the proxy voting record (if applicable) to determine whether proxies are being voted following firm policy and whether all accounts where proxies are voted are included in the process.
- Review sub-adviser due diligence to ensure firm policy is followed and documentation is maintained.
- Review due diligence for third-party service providers to ensure firm policy is followed and documentation is maintained.
- Review process for new account setup, including providing clients with all appropriate disclosures, determining whether accounts have been invested per investment guidelines, and confirming that all required client information has been gathered and maintained.
- Review the process for selecting and recommending investments for client accounts.
- Review process for periodic review of client accounts to ensure accounts are being managed according to investment guidelines, excess cash is being invested within a reasonable amount of time, and rebalancing occurs as noted in the advisory agreement.
- Review document retention to ensure the firm maintains all required records for the appropriate period in compliance with Advisers Act Rule 204-2.
- Review trading blotter for various items, such as best execution, use of only approved brokers, commissions charged per agreement with the custodian, use of appropriate share classes, etc.
- Review a sample of advisory agreements to ensure they meet regulatory requirements, have been executed by all parties, and include all relevant attachments.
- Confirm audited financial statements sent to investors (for private fund managers) within the appropriate time frame.
- Confirm whether ERISA Section 408(b)-2 disclosures were provided to ERISA account holders at the account’s opening.
- Review valuation committee meeting minutes (if applicable) to determine whether valuations are being performed and approved per firm policy.
Another essential element of the compliance testing program is documenting the results. The documentation should include who conducted the test, when it was conducted, the period covered, and what was reviewed. Any items of interest discovered should be identified along with actions taken to resolve them. Firms should document any conclusions reached, such as whether the item of interest rose to the level of a compliance issue. If the testing indicated no material issues, this should also be documented. If an issue was identified, document all actions taken to address the issue.
Testing Example
Here is an example to better understand this process and the documentation to support a test. Assume ABC Advisory Firm (“ABC”) is registered with the SEC as an investment adviser and provides separately managed accounts for high-net-worth clients. The firm has about 2,000 client accounts with about $900 million of regulatory assets under management. Assume ABC charges a percentage of assets under management for its services. On ABC’s Form ADV Part 2A, ABC discloses that it charges a maximum annual fee of 1.75% or less for accounts with up to $500,000 in assets and 1.5% for clients with assets over $500,000. Fees are paid quarterly in advance. The Form ADV Part 2A also discloses that the firm uses the market value on the last day of the previous quarter when calculating the fee, and fees are deducted from the client’s account.
Even when the fee deduction process is automated, the firm should ensure that the correct fees are entered into the system and that any fees or rebates are applied. In our hypothetical, the compliance team uses a standard operating procedure to test whether the fees are accurately disclosed to clients and are consistent with the advisory agreement. The procedure requires that the tester download a client list for the prior quarter and select a sample to test. If clients use multiple custodians, the tester may want to take samples from each custodian. The testing period will be for the prior quarter. The sample size can be determined in any number of ways. For example, the tester may want to use a random sample, a sample of accounts that exceed a certain amount of assets under management, or a sample from remote offices. Each firm must decide what it believes is appropriate based on its client population.
The tester should review the following documents for each client in the sample: the advisory agreement, fee schedules, Form ADV Part 2A used during the relevant period, and custodian statements. The custodian statements confirm the assets under management used to calculate the fee and whether the appropriate fee was deducted.
For instance, when reviewing fee calculations for the first quarter of 2023, the tester will need to see the custodian statement from December 2022 to confirm that the assets under management as of December 31, 2022, were used to calculate the fee for the first quarter of 2023. The tester should also verify that the advisory fee withdrawn from the account was correct, so the tester should review the custodian statement from January 2023 showing the deduction. The tester should also determine whether any assets should have been excluded from the calculation. For example, if Form ADV Part 2A states that amounts held in cash or cash equivalents are excluded from the advisory fee calculation, then the test should confirm this practice. The tester should also determine whether applicable discounts or rebates were applied. For example, the tester should review whether the client’s assets exceeded a specific threshold during the period and qualified for a lower fee. The tester should also review whether the advisory agreement required that fees be deducted from a certain account. For instance, if a client requested that all fees for its related accounts be deducted from a specific account, the tester should confirm that this occurred.
Documenting the Results
When the testing is done, the tester documents the results. In this case, let’s assume that out of 50 accounts tested, six had discrepancies. Two accounts were charged a fee inconsistent with the advisory agreement, two did not reflect a discount that should have been applied, and fees were pulled from the wrong account for the two remaining accounts. The tester then determines that the root causes of these mistakes were account setup errors. The tester recommends that these errors be corrected in the system and the clients be reimbursed for any overcharges. After discussing the mistakes with the responsible employees, the tester also recommends revising the written procedures for account set-up and training the employees on the changes. These recommendations are recorded in the compliance program, and the compliance team follows up to ensure the changes are made. Failure to implement the recommendations requires the compliance team to escalate the issue to a higher management level.
The tester drafts a memo summarizing the testing methodology and the results. The memo would be supported by the tester’s work product, such as a spreadsheet documenting the accounts tested, the fee schedule from the investment management agreements and Form ADV Part 2A, the tester’s fee calculation using the AUM from the prior monthly statement, the fee amount deducted on the client’s monthly statement, and a comparison of the amount deducted and the tester’s fee calculation.
Trend Analysis
Firms should review testing results to look for root causes, trends, patterns and anomalies. Understanding why errors and exceptions occur will help the firm develop better solutions and prevent future issues. Testing results can also help firms identify which policies and procedures work well, allowing for less frequent testing. Most importantly, firms should design their testing programs to provide evidence that policies and procedures are being followed, issues are being identified and handled, and changes are being made to address new areas of risk and regulation.
SEC³ can assist with creating or updating your compliance testing program. From identifying your firm’s specific risks, applicable regulations and recommended best practices, our team of experienced compliance professionals will support you with developing your compliance program.
For more information, please email us at info@sec3compliance.com, call (212) 706-4029 x 229, or visit our website at www.sec3compliance.com.