Read SEC Exam Tips in PDF Format

Before the SEC comes in:

1. Disclosure, Disclosure, Disclosure. Make sure it’s adequate and complete.  It’s not a cure-all, but it’s your first line of defense. For advisers, this starts with Form ADV. Know what it says and make sure it’s comprehensive.
2. Be aware that your firm’s performance and marketing could attract SEC attention. Know that there are new regulations related to marketing and solicitors.
3. The best way to prepare for an SEC exam is to be very proactive and thoughtful about identifying conflicts and remediating those conflicts with strong policies, procedures and other risk controls.
4. Be sure that the firm has a strong ethical culture from top to bottom…or find another firm! Explain to Senior Management the goal of Compliance and be sure there is support and understanding from everyone in the firm. “Inclusivity” is a key concept in the National Exam Priorities and speaks to obtaining participation and ensuring “buy-in” from senior management to front-line managers.
5. Ensure that your Compliance team has adequate resources to comply with securities laws in this changing regulatory environment.
6. Evaluate the risk assessment process within your compliance structure before the exam. The process should include the following:

• Business personnel, who have frontline responsibility for managing risk;

• Independent risk and control personnel (compliance, IT, ethics, risk and control) who must identify critical issues; and

• Internal audit personnel or third parties, who provide independent verification and assess whether the control environment is operating effectively.

The SEC has stressed that these three lines of defense, when effectively utilized, protect investors, ensure the integrity of the capital markets, and promote capital formation.

7. Consistency is key. Ensure that your disclosure documents, your compliance manual and your actual practices and procedures are all consistent and have been updated according to new regulations and best practices put out by the Commission

• With respect to the firm’s procedures, confirm that all the stated practices are actually being performed, and that you can prove it with backup documentation.

• Review the results of your annual review, your firm’s website and a recent response to a request for proposal (RFP) or due diligence questionnaire (DDQ).

8. Ensure you have command of required books and records. Maintaining an active inventory of documents and locations is recommended.
9. Review recent headlines and regulatory speeches. Keep up with regulatory developments and update your policies regularly.  Sign up for topical email updates from your regulators – all major regulators offer this as a free service. Attend compliance conferences.
10. Ensure prior examination findings and internal audit findings remain fixed.
11. Correct known problems or be in the process of correcting them.
12. Maintain an exam team that has a SEC response process in place and that can ensure an effective and efficient response the moment you receive a SEC document request letter. Once the exam begins, the team should meet daily, track document requests, update management on the progress of the exam and remind employees that SEC examiners are on-site.
13. Prepare key personnel that are likely to be interviewed by Staff in the process of the examination by discussing likely topics and ensuring they adequately understand compliance policies and procedures.
14. Do a test run. Mock audits go a long way in helping you prepare for an exam.
15. Review your “change management” processes and ensure compliance is involved in system conversions and process migrations. These changes can “break” existing controls. Ideally, Compliance will have a role in the planning and execution phase, but certainly should document a thorough review following the change.
16. Mitigate the risk of data breaches, and the impact of such breaches to firm financials and reputation, by performing independent testing of cybersecurity policies in place to protect client data and respond to breaches. Work with your internal IT team or outsourced provider to review recent SEC risk alerts regarding cybersecurity and ensure that you have a reasonable cybersecurity policy in place.
17. Protect your clients and business infrastructure with a robust Disaster Recovery and Business Continuity plan.
18. Train employees regarding what to expect during an examination; how to conduct themselves during an examination and in interviews with SEC staff and impart to them not to take offense if the CCO interrupts during an interview. Remind them to maintain a clean work space and mind common area discussions.
19. Management, the Board of Directors and the CCO are advised to understand, contain and insure against their liability.

• Reviewing enforcement cases is a great way to understand where and how the SEC has more success when bringing actions.

• Understand the insurance coverage currently in place and know if there are other options to enhance the protection.

Once you are notified of an Exam:

20. At the outset, try to maintain one point of contact – assign an examiner liaison (typically the CCO) and have all requests go through that person.
21. Review recent National Exam Priorities and Risk Alerts for likely areas of focus and be prepared to speak to these topics specifically.
22. Get management participation and backing prior to the onset of the exam; include them in the initial meeting with the SEC staff and solidify their ultimate accountability and responsibility with respect to firm compliance and the firm’s conduct during the examination, including responses to SEC staff.
23. Notify key service providers. You may require additional support from certain providers for the exam and it is good to give them advance notice. In certain cases, it may be worthwhile to have them available for meetings with Staff – particularly for support for specialized areas (e.g., cybersecurity) and compliance-specific functions.
24. During the opening phase, including initial interviews and tour of the firm’s offices, impress the staff by treating them with courtesy and respect, set the tone, paint a positive picture of the firm, and focus on your risk management and compliance culture.
25. Discuss with the staff what the protocols will be during the onsite examination. For example, confirm with the SEC that you will have one point-person through whom all requests should filter. Confirm the staff agrees to one or two meetings per day, etc.
26. At the initial meeting with examiners, it is recommended that the CCO and senior staff provide a presentation that goes over the firm’s last risk assessment and which describes the firm, its governance structure and its compliance culture, such as listing firm training and recent compliance conferences you have attended. This is part of the effort to demonstrate that your firm is committed to compliance. This will give a clear understanding of your firm’s practices to the Staff before they begin their examination onsite. This can also help create a “road map” that can steer the Staff towards the parts of your compliance program you believe are stronger and away from those that are, perhaps, not as robust. Consider having this initial meeting by telephone prior to the onsite to prevent unnecessary questions and document production.
27. Firm employees should answer questions, but not appear standoffish (don’t interject if there is silence after a verbal response, don’t provide more information than necessary, don’t speculate or mislead).
28. Ensure employees comply with a “clean desk” policy wherein they do not leave any documents exposed on their desk and make sure that all computers are locked and inaccessible without passwords when employees leave their desks.
29. Facilities provided to the examiners should be conducive to carry out their functions effectively and in reasonable comfort. Ensure there is reliable and secure access to internet, phone, etc. Ensure that examiners do not have access to any internal documents or servers.
30. Throughout the examination, remain polite, convey mutual respect and establish a productive relationship.
31. Establish and maintain control of the examination by 1- checking in periodically, 2- asking if anything is outstanding and whether there is anything that requires clarification; and 3- by responding promptly and accurately to requests.
32. Ensure two people are at all interviews and take notes.
33. Put yourself in the examiners’ shoes. Ask yourself, “what can I provide to expedite the closing of the examination and to effectively respond to requests so they can do their job?”
34. If you utilize any third-party service providers (such as email archiving systems or trade management systems), ensure that there is appropriate login information for examiners to access these systems to perform testing.
35. Consult with counsel and consultants as needed and use your resources. It is important to consider disclosing problems you have internally uncovered.  According to the SEC, nothing could be worse than for the SEC to find a problem through an examination or through a tip, complaint or referral that personnel in your organization knew about but tried to conceal.
36. Keep track of all requests and respond promptly to additional requests for information and documents. Ask that subsequent requests be put in writing for the purposes of tracking and clarity. Number and date them.
37. Organize information in a manner that corresponds to the information requests and in the format requested. Prepare folders that are labeled and/or provide items in electronic media.  Convey the appearance of preparedness.
38. Consider bate stamping materials or otherwise indicating or tracking when documents were provided to the SEC staff. Consider placing Freedom of Information Act (FOIA) stickers on sensitive materials.
39. Never back date or create documents unless the SEC staff has made a request that entails creation of a new document or report. Be candid about corrections that have been made and whether new documents need to be created as well as the time it will take to respond to such a request.
40. Don’t be afraid to discuss examiner document requests. Ask examiners to notify the CCO if they feel they are not getting the information they need.
41. Follow up on requests that appear burdensome and make sure you are providing what is being requested. Don’t be afraid to attempt negotiations to provide a document that is both responsive to their request and not unduly burdensome to the firm.  Seek clarity if there is confusion and offer alternate records if they may be responsive to the examiners’ request. Privilege, particularly lawyer-client privilege, is subject to specific considerations and is best asserted with guidance from counsel.
42. Demonstrate the engagement by senior management in remediating any issues identified by examiners. Again, this speaks to inclusivity by showing compliance buy-in across the firm. It can also help avoid enforcement where potential issues are addressed promptly.
43. There are occasions where it may be appropriate to push back on conclusions drawn by examiners, particularly where there may be confusion about either the firm’s activities or the exam team’s objections. The goal of these efforts should be to obtain clarity, whether it results in examiners lifting objections or a greater understanding of the path forward for the firm. Do not expect the SEC to “agree to disagree.”
44. Request an exit interview. If you can make progress in addressing SEC concerns immediately, you may influence the way an exam letter is written as it may address your progress and cooperation. In addition, in some cases you may be able to prevent an enforcement referral.
45. Do what you say. Tying back to #10, ensure that remediation and improvements promised in exam responses are reflected in policies and procedures as well as in ongoing testing.
46. Sweep or focused exams are still exams. Targeted exams, such as those focused on Reg BI, Form CRS, or advisers to ESG strategies, can open the door to a broader examination if regulators senses that a firm is not well prepared and aware of regulatory expectations.

SECCC