Five Warning Signs of an SEC Audit

Jun 13, 2013

Know the Red Flags and Save Your Firm Endless Grief

The following is a guest blog post by Rita Dew – founder and president of National Compliance Services, Inc., a compliance consulting firm formed to assist state and federally registered investment advisers, hedge funds, mutual funds, and broker dealers nationwide, and strategic alliance of SEI. To learn more about their services, please visit 


Why you should care about an SEC audit: All registered investment advisers are subject to compliance audits by the SEC and/or state. If warranted, an audit can trigger an investigation that can include employees and clients. If the audit does not go well, your firm may be fined, sued or shut down.

Merely mentioning the words “compliance exam” is enough to frighten the owners of registered investment advisory firms and their compliance officers. Discussing the exam process can trigger nightmares of compliance deficiencies, regulatory fines, disciplinary action, and worse. It is imperative that registered investment adviser (“RIA”) principals take steps now to avoid the prospect of facing a compliance exam and not being prepared. If you have made a reasonable effort to fulfill your compliance obligations, a routine SEC or state exam should be relatively painless. But how do you know that your firm is making a reasonable effort to avoid compliance problems? Appointing a knowledgeable compliance officer is just the first step. The key to avoiding regulatory nightmares is to recognize the compliance red flags and warning signs and to take corrective actions before you start your day with a knock on the door followed by these words:

Good morning. We are from the SEC/State and are here to conduct a compliance exam of your investment advisory firm.

Warning Sign 1: Errors and Omissions in Your Registration Documents

Two of the most common compliance deficiencies for state- and SEC-registered investment advisers are inconsistencies between the parts of the firm’s Form ADV and failures to amend its regulatory profile in a timely manner.

Start today and conduct a comprehensive review of your firm’s Form ADV. This review should cover all components of this complex document:

• Part 1A
• Part 1B (for state-regulated firms)
• Part 2A
• Part 2B
• Appendix 1 (for wrap program sponsors)

Make sure every statement is current at all times and that every word is consistent with reality—and that all documents agree with each other. Discrepancies will raise red flags as well as questions in any event.

Eliminate any outdated or fictitious academic and professional designations from all biographical forms and disclose everything you are required to disclose. Some of the most common deficiencies resulting in enforcement action involved failure to disclose material information, including conflicts of interest and misleading registration filings.

Assets Under Management

Never exaggerate your assets under management (“AUM”) for marketing purposes or round it down for regulatory convenience, and make sure you know what qualifies when calculating AUM.

As of 2011, RIAs must disclose regulatory assets under management on their Form ADV. This includes all securities portfolios for which continuous and regular supervisory or management services are provided, including family or proprietary assets, assets of foreign clients, and assets managed on a pro bono basis or on which normal compensation is otherwise waived.

Do not deduct any outstanding loans, securities purchased on margin, or other accrued liabilities. The SEC’s rationale is that it does not matter if a client has borrowed money to purchase a portion of the regulatory assets under management. All calculations are on a gross basis.

Number and Type of Clients

While large RIAs are allowed to report an approximate number here, those with under 100 clients still need to provide an exact count.

All RIAs must answer questions regarding the types of clients they serve (now including business development companies, other investment advisers, and insurance companies) and report the approximate percentage of regulatory assets under management that can be attributed to each broad class.

The regulators also require an approximation of how many of a firm’s clients are not U.S. citizens.

Remain Current

Should this review reveal that you need to update any or all your forms, submit the revised paperwork to all applicable regulatory authorities promptly.

From that point, whenever any aspect of your business practices changes, make sure your disclosure statements change to reflect it.

Remember, while most RIAs are only required to update their Form ADV once a year as part of their annual updating amendment, this is only a minimum and not optimal practice.

Your real responsibility is to get and remain current on an ongoing basis. Doing so will help minimize the odds the SEC or state regulators will need to address this very common area of deficient compliance.

Warning Sign 2: You Have Not Addressed Prior Exam Findings

Unless this is your very first audit, the regulator will already have a file on your firm that incorporates previous findings and recommendations.

Few registered investment advisers will conduct their affairs so flagrantly that they immediately incur enforcement actions.

In most cases, the firm will receive a deficiency letter outlining violations and a certain time frame to correct the violations and make a good faith effort to implement policies and procedures to address the issues raised.

However, enforcement actions become far more likely if an RIA fails to correct problems uncovered during previous exams.

Work to address all observed deficiencies before you start thinking about your next audit. While your hard work may only result in another deficiency letter, the goal here is to ensure that all of the regulator’s concerns are new ones.

It should be a priority for RIAs to be able to demonstrate that they are taking all previously noted deficiencies seriously—without backsliding or delay—to sincerely promote a culture of compliance.

Compliance officers should also draw parallels from previous regulator concerns to deduce new potential problem areas as their firms’ operational footprint changes. If, for example, your firm has a history of lax client data security on desktop computers, make sure to put a comprehensive solution in place before adding mobile or tablet devices to the mix.

Update your compliance manual with observed deficiencies and the concrete steps taken to address new rules as well as old grievances. Examiners will not be impressed by a manual that fails to reflect an RIA’s business and any outstanding issues or appears to have been compiled from out-of-date boilerplate.

Since the regulators keep their own careful records, never yield to the temptation to falsify documents. Backdating documents in order to present the illusion of retroactive compliance has created problems for firm after firm.

If the compliance officer uncovers evidence that files have been altered, all documents need to be examined immediately to gauge the extent of the problem and the limits of the corrupted historical record.

The examiners do not expect to see that you have had perfect procedures in place since Day One. They know that your firm’s business is evolving and so your compliance manual will have to evolve with it.

They also know exactly what they have previously communicated to regulated firms and when those communications took place. Trying to impress the examiners by backdating the process only raises questions about how serious personnel are about their regulatory responsibilities and what they may be trying to hide.

Warning Sign 3: You Are Not Properly Registered Where You Do Business

It is crucial that every RIA satisfy all registration requirements for all applicable federal and state regulators.

The Dodd-Frank reforms create a new category of advisory firms referred to as “mid-sized advisers” and shift primary responsibility for their regulatory oversight to the states. Mid-sized advisers are defined as those firms with assets under management that range from $25 million to $100 million.

By this point, all mid-sized advisers should have switched to state oversight and withdrawn their SEC registration unless:

• The state in which they maintain their primary office does not conduct adviser examinations (Wyoming, New York).

• They operate in a large number of states simultaneously.

• They can rely on a separate exemption for SEC registration.

The SEC has also set up a buffer zone—currently between $90 million and $110 million—to alleviate the need to switch frequently between SEC and state registration as the value of a given firm’s assets under management fluctuates.

However, newly formed RIAs that are required to register in 15 or more states or that expect to have at least $100 million in assets under management within 120 days of their registration approval should register with the SEC at the outset.

Multi-State Advisers

Under the new rules, all firms who are required to register as an investment adviser with 15 or more states must register with the SEC instead, while those who stop doing business in as many states must revert to state-by-state registration.

Advisers are only required to assess their eligibility for SEC registration once a year. This will mitigate the frequency with which an RIA will have to switch between federal and state registration to reflect shifting operations and client mix during the year.

Exemptions Abound

Pension consultants that provide investment advice to plans with assets exceeding $200 million may remain SEC-registered.

Family offices with fewer than fifteen clients now need to register unless they are wholly owned by “family” clients—related within ten generations—and neither provide investment advice nor advertise themselves to anyone else.

Investment advisers may generally also maintain up to five out-of-state clients per jurisdiction. However, Texas and Louisiana still require advisers to register in-state before providing or offering to provide advisory services to any clients.

Institutional clients are a complicated topic, with some states allowing a certain number and type of exemptions here and others drawing a hard line at zero.

Because state requirements vary and are complicated, advisers should not solicit clients in any state unless they have reviewed these exemptions.

This may mean letting clients go when they change primary residences or passing them on to properly registered colleagues who can legally serve them.

Warning Sign 4: Client Complaints and Lack of Supervision

The SEC and state examiners will ask to see all “client complaints” you have received. How do you know what qualifies? And how do you prove you handled them properly?

A complaint is generally defined as “any statement (whether delivered in writing, orally, or electronically) of a client or any person acting on behalf of a client alleging a grievance involving the activities of those persons under the control of the RIA in connection with the management of the client’s account.”

Establishing a system for dealing with client accounts from inception and maintaining robust documentation throughout the client relationship goes a long way in responding to a client complaint.

At a minimum, RIAs should take the following steps:

• Establish a procedure to track complaints

• Implement a policy requiring prompt reporting of complaints by advisers and associated persons to the chief compliance officer

• Investigate all written and oral complaints

• Consult with counsel and the firm’s errors and omissions carrier before discussing a resolution to the complaint

• With approval of counsel or the chief compliance officer, keep the person making the complaint apprised of the progress of the investigation

• Notify the person making the complaint regarding the adviser’s decision and proposed course of action

• Maintain originals of communications sent or received relating to the complaint


Identifying a “Complaint”

When clients are anxious about the market or the volatility of their portfolios, it is often difficult to determine whether these negative remarks should be construed as a complaint.

To determine if a letter or unpleasant conversation represents a complaint, the chief compliance officer should be notified immediately. Once he or she receives it, the first priority is determining whether the client blames the firm or any individual affiliated with it for bad advice or incorrect investment decisions.

If so, prompt action must be taken. Ignoring customer complaints is never an option for an RIA. Putting complaints on the back burner can also exacerbate a bad situation.

An RIA is required to maintain a separate file for all client complaints at its principal place of business. The file should include the following information:

• Who filed the complaint

• The date it was received

• The name of each adviser representative who worked on the client’s account

• A description of the situation that led to the complaint

• Copies of all correspondence relating to the complaint

• A written report summarizing the action taken in response to the complaint

The examiner will want to see this file as well as documentation of supervisory review and, ultimately, how each issue was resolved.

Beyond case-by-case conflict resolution, policies and procedures should spell out an RIA’s record-keeping obligations regarding any interaction that can be construed as a “complaint” from an existing or former client.


Warning Sign 5: Your Compliance Officer Is Not Knowledgeable About the Securities Laws

The SEC and state regulators have been anything but secretive about their compliance priorities. Alerts and revised guidelines are regularly published and it is the compliance officer’s responsibility to monitor official publications for updates.

At a minimum, the compliance officer needs to be sure your firm can pass five key tests:

• Registration

• Books and records

• Supervision

• Advertising

• Unethical business practices

Registration revolves around the Form ADV and all other regulatory filings. Deficiencies here often relate to inconsistencies between filings as well as simple failures to submit or amend data on time. To pass this test, your compliance officer should conduct a comprehensive review of your client base, at least annually, to determine if registration for the firm or individuals is required in any jurisdiction where you maintain clients. As discussed above, you should also submit all required paperwork in all relevant jurisdictions on time, and submit amendments as necessary.

Books and records that RIAs must maintain are quite specific. Deficiencies tend to revolve around incomplete documentation of client suitability as well as infrastructure-related issues like secure archiving, off-site backup, advertising, and account privacy. RIAs also owe it to their clients to have a disaster recovery plan on file.

Examiners have also uncovered missing or incomplete client contracts, so make sure that every client’s file is complete and presents no obvious gaps.

Supervision red flags include weak or nonexistent procedures, incomplete monitoring of employee trades, and failures to keep a close eye on branch offices and other remote locations.

The compliance manual must be up to date and tailored to a firm’s specific activities rather than being an off-the-shelf boilerplate document. And its contents must be enforced.

Regulators are increasingly holding chief compliance officers personally responsible for lapses that occur under their oversight, so your chief compliance officer must have the power to discipline repeat offenders and not simply note problems as they occur.

Advertising includes all aspects of the way a firm represents itself to the investing public, including websites, correspondence, Facebook posts, Twitter messages, brochures, and business cards. Examples of all such documents and communications must be retained and filed for examiners to review.

In the case of social media, this will probably entail having a robust technology solution in place to capture messages. Remember, even a seemingly innocent “like” or “+1” can be considered a prohibited testimonial, so stay up to date with developments in this space and err on the side of caution.

Check all performance claims especially stringently and preserve all necessary documentation.

And make sure all advertising materials agree with each other and with your Form ADV and other filings. Even if the examiner fails to notice a discrepancy, an aggrieved client’s attorney will definitely comb your materials for misstatements and will highlight their findings if a dispute goes to litigation.

Unethical business practices covers a wide range of regulatory hot spots, but the major ones boil down to disclosure, conflicts of interest, avoiding liability, and serving as a borrower or lender for clients. Ultimately, compliance here means being able to document that you respect your fiduciary responsibility and at a minimum do not overstep the bounds of discretionary authority or suitability.

All risks, services, fees, and conflicts of interest should be disclosed in plain English. Keep a detailed record of due diligence activities to prevent claims that your firm favored certain products simply to boost potential performance or its income. Conduct a firm-wide risk assessment and file the results.

Checklist of Best Practices

Securities regulators believe that robust policies and procedures can help RIAs avoid deficiencies. This is the basis of what most advisers consider “compliance,” but rather than being simply handed down from on high, these policies and procedures require constant review and, when necessary, revision.

All advisers are required to review and revise their Form ADV at least once a year to ensure that it reflects current and accurate information about their firm and its associated persons.

In addition, the North American Securities Administrators Association (NASAA) recommends the following best practices as instrumental in developing and maintaining effective policies and procedures:

• Review and update all client contracts

• Create and maintain all required books and records, including financial documentation

• Back up electronic data and take steps to protect records

• Document any instances where checks were forwarded

• Create and maintain client profiles

• Draft a customized written compliance and supervisory procedures manual, including a business continuity plan

• Formulate and distribute a privacy policy initially and annually

• Maintain accurate financial statements and purchase a surety bond if required

• Calculate fees accurately and in accordance with clients’ advisory contracts and the firm’s Form ADV

• Review all advertisements, including website and performance advertising, for accuracy and to ensure that no content is false or misleading

• Implement appropriate custody safeguards if they apply

• If applicable, review all solicitor agreements, disclosure documents, and your delivery process



If any of the common audit red flags discussed in this document raise concern, now is the time to seek help before it is too late.

RIAs are often afraid to correct mistakes in their compliance programs because they perceive this process as an admission of guilt that will reflect poorly on them the next time the examiners come calling.

In reality, acknowledging lapses and taking corrective action without outside prompting demonstrates to regulators that the firm understands its compliance obligations and is committed to implementing a culture of compliance.

If you are not sure where you need to make changes or how to make them, we can help you identify and correct compliance weaknesses and get a clean bill of health before the examiners arrive.


National Compliance Services – Disclaimer

This publication provides general information about securities regulation and is designed to help readers address their specific compliance requirements. It should not be construed as, and does not constitute, legal advice on any specific matter. Your chief compliance officer should review your firm’s internal compliance system in conjunction with this article as a self-analysis of your firm’s operations and policies and take needed proactive measures to address your compliance requirements.

National Compliance Services’ consultants advise clients on the full spectrum of regulatory and compliance issues confronting registered investment advisers. For more information about the issues contained in this publication or to discuss how any of these concerns might impact your firm, please call Jack O’Hara at (215) 280 – 0019 or visit us online at

© 2012 National Compliance Services, Inc. All Rights Reserved. Any reproduction all or in part is strictly prohibited without prior written consent.


The information contained herein has been obtained from a third party. While such sources are believed to be reliable, neither SEI nor its affiliates assumes any responsibility for the accuracy or completeness of such information.

John Anderson


John Anderson is the creator and lead author of Practically Speaking blog and Managing Director of Practice Management Solutions for the SEI Advisor Network.
