
Examiner Oversight of "Annual" Reviews Conducted by Advisers and Funds

May 12, 2017

Gene A. Gohlke [1]
April 7, 2006

Introduction

A primary objective of the SEC's inspection program's oversight activities is to determine whether advisers and funds (together "Firms") are complying with regulatory requirements. Both Rule 206(4)-7 under the Advisers Act and Rule 38a-1 under the Company Act require that a review of a firm's compliance program be conducted no less frequently than annually. To determine if firms have complied with this regulatory requirement, during all routine inspections of advisers and funds, examiners will gather and scrutinize information regarding a firm's annual review work. This information will be obtained both from a review of documents and through discussions with compliance and operating personnel who were involved with its annual review. Based on our evaluation of the work undertaken by a firm, we will comment on gaps and weaknesses we find in that work.

The Compliance Rules do not provide detailed guidance to advisers or funds regarding the work that should be performed while conducting an annual review. Likewise, the Rules do not specifically state the time at which an "annual review" should be conducted or by whom the review work should be done. Instead of specifying these details, the Rules provide great flexibility to firms in conducting their annual reviews, which reflects the fact that the business of advisers and funds covers a wide range of activities and the thought that each firm should establish a review process that makes sense in light of its circumstances.

While the specific facts, circumstances and timing of annual review work are left for each firm to establish, the goal of an annual review is the same for all firms – that goal is to determine if the firm's compliance program continues to reasonably and effectively prevent compliance issues from happening, detect those compliance issues that do happen and promote the prompt correction of the issues that occur.

Examiner Work

While the unique facts and circumstances of a firm will impact the work examiners do and the information they will request, examiners will typically ask questions in at least nine broad areas as they scrutinize a firm's annual review. These nine questions are:

  1. Who conducted review?
     
  2. What was reviewed?
     
  3. When was review conducted?
     
  4. How was review conducted?
     
  5. What were findings from review work?
     
  6. What recommendations were made?
     
  7. What is current status of implementing recommendations?
     
  8. What documentation was created/retained to reflect work done?
     
  9. What was involvement of senior management in review?

Possible Answers to the Questions

The activities and functions associated with a firm's annual review covered by these questions are likely to be the primary focus of examiners during routine inspections. Examiners are likely to find a wide range of answers to these questions as they collect and scrutinize relevant information. The bullet points listed under each question identify some possible answers examiners might obtain in response. At some firms we will find that a comprehensive and robust review took place and that recommendations for improvements have been implemented or work on implementation is underway. At other firms, we will find that work done in conducting the annual review was flawed in various ways. The facts and circumstances at each firm will be important determinants in how examiners evaluate both the work done in conducting an annual review and the remedial activities taken to address gaps and weaknesses found. The touchstone for examiners in evaluating a firm's annual review will be - did the firm's annual review result in the firm continuing to have a set of compliance policies and procedures that effectively prevent compliance problems, find those problems that happen and promptly correct the issues that occur.

Who conducted the review?

The following is a non-exclusive list of possible responses:

  • Chief compliance officer and other compliance staff.
     
  • Operating/business management and staff throughout the firm.
     
  • Risk management staff.
     
  • Internal auditors.
     
  • External auditors.
     
  • Consultants.
     
  • Combination of the above.

What was reviewed?

The following is a non-exclusive list of possible responses:

  • Process for identifying and assessing compliance risks including those arising from both internal and external factors.
     
  • Risk inventory.
     
  • Process for creating compliance policies and procedures.
     
  • Compliance policies and procedures in effect during the period.
     
  • Whether such policies and procedures addressed all risks identified.
     
  • Process by which compliance policies and procedures were implemented.
     
  • Extent to which responsibility for implementing and managing compliance policies and procedures has been made a part of the duties of operational staff.
     
  • Transactional or quality control testing conducted.
     
  • Period or forensic testing conducted.
     
  • Exceptions/issues identified as a result of tests applied.
     
  • Material compliance issues identified.
     
  • Management reporting process and structure.
     
  • Follow-up/corrective or remedial actions taken to address exceptions and compliance issues.
     
  • Escalation process for addressing certain compliance issues.
     
  • Compliance and ethics-related training conducted.
     
  • Compliance culture of the firm.
     
  • No review conducted.
     
  • Combination of the above.

When was the review conducted?

The following is a non-exclusive list of possible responses:

  • As compliance issues arose during the period.
     
  • As material compliance issues arose during the period.
     
  • As changes in business activities or organizational arrangements occurred.
     
  • As external events occurred and were determined to have a possible impact on the firm.
     
  • Rolling routine review by functional area.
     
  • Rolling routine review by functional area coupled with use of the "forensic test of the month" approach.
     
  • Rolling routine review by functional area with end of period mop-up of areas not touched during the period.
     
  • Work concentrated toward end of annual period.
     
  • Work undertaken after the end of an annual period.
     
  • Combination of the above.

How was the review conducted?

The following is a non-exclusive list of possible responses:

  • Self assessments by operating staff with assistance of compliance staff or outside consultants.
     
  • Interviews of operational staff conducted by compliance staff or outside consultants.
     
  • Through use of questionnaires circulated to staff of firm by compliance staff or outside consultants.
     
  • By compliance staff or consultants through review of documentation.
     
  • Review and analysis of exceptions/compliance issues and especially material compliance issues including how these issues were identified and resolved.
     
  • Regular follow-up work done to address compliance issues identified in the normal course of work.
     
  • Follow-up on findings flowing from application of forensic tests.
     
  • Through a comprehensive risk assessment and mapping of risks identified to policies and procedures for mitigation and management.
     
  • Redoing work done when compliance program was initially established.
     
  • Review of work done by internal audit staff during the course of the period covered by the review.
     
  • Purchased an updated off-the-shelf compliance program.
     
  • Combination of the above.

What findings were made?

The following is a non-exclusive list of possible responses:

  • Risk identification/assessment process was effective and risk inventory was comprehensive; no changes to the process were required.
     
  • Risk identification/assessment process did not adequately cover all activities of firm.
     
  • Risk identification/assessment process did not adequately address new developments or material compliance issues that arose.
     
  • Previously unidentified compliance risks found.
     
  • Compliance policies and procedures were effective and required no changes.
     
  • Compliance policies and procedures did not effectively address all risks listed on the inventory.
     
  • Compliance policies and procedures were uniformly implemented effectively.
     
  • Compliance policies and procedures were not uniformly implemented on an effective basis.
     
  • Compliance issues that occurred at one or more of a fund's service providers were detected on a timely basis and/or were corrected promptly in ways that were designed to minimize the likelihood of recurrence.
     
  • Compliance issues that occurred at one or more of a fund's service providers were not detected on a timely basis and/or were not corrected promptly in ways that were designed to minimize the likelihood of recurrence.
     
  • Material compliance issues that occurred at a fund service provider were communicated timely to the fund's CCO.
     
  • Material compliance issues that occurred at a fund service provider were not communicated timely to the fund's CCO.
     
  • Compliance policies and procedures used by one or more of a fund's service providers continue to address effectively all of the fund's risks associated with that service provider's menu of services provided to the fund.
     
  • Compliance policies and procedures used by one or more of a fund's service providers do not address effectively all of the fund's risks associated with that service provider's menu of services provided to the fund.
     
  • The occurrence of business/organizational events at one or more of a fund's service providers that resulted in material changes to the set of risks to the fund associated with that service provider's functions and any related changes to its compliance policies and procedures were communicated timely to the fund's CCO.
     
  • The occurrence of business/organizational events at one or more of a fund's service providers that resulted in material changes to the set of risks to the fund associated with that service provider's functions and any related changes to its compliance policies and procedures were not communicated timely to the fund's CCO.
     
  • CCO and compliance staff are assuming too large a role in doing compliance work.
     
  • Responsibility for compliance work has been effectively made an important aspect of the responsibilities of operating management.
     
  • Responsibility for compliance work has not been effectively made an important aspect of the responsibilities of operating management.
     
  • Oversight of service provider compliance policies and procedures was effective.
     
  • Oversight of service provider compliance policies and procedures is weak or not effective.
     
  • Quality control and forensic testing processes were effectively identifying exceptions and compliance issues.
     
  • Quality control testing was not uniformly effective in identifying exceptions/issues.
     
  • Forensic testing was not conducted.
     
  • Forensic testing was not uniformly effective in identifying exceptions/issues.
     
  • Follow-up/remedial actions to address exceptions and compliance issues were uniformly prompt and effective.
     
  • Follow-up/remedial actions to address exceptions and compliance issues were not uniformly prompt and effective.
     
  • Clients were harmed by compliance issues that arose and such harm was promptly and adequately addressed.
     
  • Clients were harmed by compliance issues that arose and such harm was not adequately addressed.
     
  • Training conducted in regard to compliance and ethics was effective.
     
  • Training conducted regarding compliance and ethics was ineffective.
     
  • Compliance culture of the firm is effective.
     
  • Compliance culture of the firm needs to be improved.
     
  • Compliance activities are viewed by operating management as a burden and not as an essential activity of the firm.
     
  • Combination of the above.

What recommendations were made?

The following is a non-exclusive list of possible responses:

  • No recommendations for changes or improvements to the compliance program were needed.
     
  • Firm needs to improve its process for identifying/assessing risks in various ways.
     
  • Firm needs to be more proactive in identifying new or changes to risks on a real-time basis.
     
  • Firm needs to improve its process for creating compliance policies and procedures that address the compliance risks present.
     
  • Firm needs to improve its process for implementing compliance policies and procedures.
     
  • Operational staff throughout the firm must assume a greater responsibility for ensuring that compliance policies and procedures are implemented effectively including the identification and resolution of exceptions and other compliance issues.
     
  • Include management of compliance matters as a factor in the evaluation criteria for managers throughout the firm.
     
  • An expanded and enhanced slate of quality control/forensic tests must be developed and implemented.
     
  • Firm's process for escalating decision-making regarding compliance issues needs improvement.
     
  • Improve oversight of service providers' compliance programs.
     
  • Improve the quantity and quality of training focused on compliance matters and ethics.
     
  • Combination of the above.

Status of recommendations?

The following is a non-exclusive list of possible responses:

  • Resources committed to implement all recommendations.
     
  • Resources committed to implement a subset of recommendations.
     
  • Resources are not available to address important recommendations.
     
  • Work is underway to address all or a subset of recommendations.
     
  • Consultant hired to study and provide advice as to how certain recommendations should be addressed.
     
  • All recommendations have been addressed and needed changes implemented.
     
  • Management is still studying recommendations and no decisions have been made.
     
  • All or some of the recommendations have been ignored or marginalized.
     
  • Combination of the above.

What documentation is available?

The following is a non-exclusive list of possible responses:

  • Planning documents for conducting annual review.
     
  • Notes of persons conducting review activities.
     
  • Completed questionnaires.
     
  • Results of self assessments.
     
  • Consultant's reports and recommendations.
     
  • Workpapers and schedules of interviews conducted and documents reviewed.
     
  • Internal audit reports.
     
  • Reports of external auditors.
     
  • Results of forensic tests conducted and follow-up work.
     
  • List of material compliance issues that arose during review period and explanation of how each issue was addressed.
     
  • Summary or reports of findings from rolling review work completed.
     
  • Report of work conducted, findings and recommendations from the annual review.
     
  • Combination of the above.

Involvement of senior management

The following is a non-exclusive list of possible responses:

  • Management has been briefed on work done, findings and recommendations.
     
  • Summary report prepared and provided to management/fund board.
     
  • Management very involved in planning and conducting annual review.
     
  • Management informed and involved in resolving material compliance issues on a real-time basis.
     
  • Management is not interested in compliance issues.

SPEECHES, EXAMINER OVERSIGHT OF ANNUAL REVIEW ACTIVITIES, MARCH 2006

[1] The Securities and Exchange Commission disclaims responsibility for any private publication or statement of any SEC employee or Commissioner. This presentation expresses the author's views and does not necessarily reflect those of the Commission, the Commissioners, or other members of the staff.

 
