You’ve just received the dreaded letter from the regulator notifying you of an upcoming audit. Furthermore, the timing couldn’t be worse: it’s your busiest time of year and two of your key staff are away!
There’s never a good time to be audited, but there are things you can do to make it go more smoothly. In this article we explain what to expect at each stage along with pro tips on how to prepare.
NOTICE OF AUDIT
The first notice you will have of the audit is a letter from the regulator describing the process, timing, review period and scope of the audit. Audits are generally conducted for one of three reasons:
· routine audits based on the firm’s risk ranking and timing of previous audit;
· examination for cause when the regulator has a specific cause for concern such as a client complaint; or,
· targeted sweeps related to a single issue or the type of firm.
Tip #1 - Be cooperative and responsive
You will generally know what triggered the audit based on the nature of the request. Regulators have broad powers to audit and investigate registered firms and employees. While firms can ask questions or clarify the reasons or scope of the audit, challenging the auditor’s authority or refusing to cooperate will not prevent the audit and is more likely to raise doubts about your firm’s compliance.
INITIAL DOCUMENT REQUEST
Accompanying the audit notice will be an initial request for documents. The request may be a standardized request or may be tailored to the nature of the issue(s) under review, particularly if there were significant deficiencies in the past. Initial document requests may include the firm’s policy and procedure manual, a history of security transactions during the review period, specific client trades or trading history, details of referrals, client details for transactions, disclosure documents, commissions and fees, leverage, marketing materials and approvals.
To prepare for the audit, you should:
· Review all requested documents as you provide them
· Review prior audit correspondence: What were the results? What deficiencies were found and have they been fixed? What things did the firm say it would do and has it done these things?
· Review any new firm initiatives for compliance and ensure they are reflected in the firm’s policies and procedures manual
· Obtain and review NRD registration information for all firm employees requiring registration
· Review firm website and marketing information. Auditors will question false or misleading statements they find about your firm or your products. Google the firm, registrants and referral agents to identify any potential issues and address them promptly
· Review the firm’s PPM – Is it up to date? For example: are recent regulatory updates incorporated in the PPM? Is the org chart up to date? Does the manual accurately reflect firm policies and procedures? If you have changed your Investment Review Committee process or membership, is that reflected in the manual?
Tip #2 - Respond promptly and provide a reasonable explanation if more time is needed
Auditors generally provide one to two weeks to respond. Responding in a timely manner is a measure of the adequacy of the firm’s compliance. Firms may, with a reasonable explanation, request additional time to prepare. Auditors will prefer that you provide information piecemeal if necessary and will be more inclined to grant extensions if they can see that the firm is working diligently to fulfill the request.
Tip #3 - Address issues proactively
Ensure issues from the last audit have been addressed. Repeat deficiencies are generally considered significant and may lead to enforcement action. If you identify errors or omissions, rectify them as best you can. Conduct staff training sessions if overdue, for example, AML, Anti-spam, or privacy training sessions. Update your manual with revised dates or versions and disseminate the changes. Provide the auditor with documentation of corrective action taken. Acknowledging and addressing issues proactively demonstrates your firm’s commitment to compliance.
Once the initial documents have been reviewed and additional follow-up questions addressed, auditors will arrange an on-site review. To prepare:
· Determine the auditors’ expectations and prepare to meet them
· Prepare to address specific questions that are likely to come up based on the initial request
· Arrange a secure office space for the auditors to use
· Ensure desks and offices are tidy and that confidential documents are safely stored out of sight
· Notify firm staff of the audit and have them prepare as needed based on the nature of the audit and issues you may have identified (e.g., discuss any deficiencies with the related staff and have them provide a detailed explanation of the cause of the issue)
· Remind firm staff about the importance of confidentiality, including logging off or locking computers whenever they leave their desks
· Prepare to explain your firm’s business concisely and accurately
Tip #4 - Provide a welcoming environment
When the auditors arrive, welcome them, show them around the office and introduce them to relevant staff. The review will go more smoothly if you establish a positive and cordial tone. If you are nervous or defensive, auditors may anticipate that you have something to hide. Demonstrate that you understand the importance of compliance and respect their role.
Tip #5 - Prepare for interviews
Auditors will likely want to interview certain firm employees. Your CCO should help to arrange the interviews and should attend and take notes where possible. During the interview, answer questions succinctly and directly. If you or the interviewee do not understand a question, ask for clarification. Be forthright. If you don’t know something, say so.
Coach employees being interviewed ahead of time so that they know what to expect. Have them prepare for questions they might be asked, especially about issues already identified. Questions may include: how compliance issues may have occurred and steps taken to address them, the portfolio management or sales process, how you ensure compliance (e.g., sales compliance, product due diligence, compliance with the Know your Client and Investment Policy statement guidelines), rebalancing guidelines, client qualification for exempt pools, and registrant information.
FOLLOW-UP AND ANALYSIS
During the on-site review, be sure to educate the auditors about your business and processes politely and without defensiveness or emotion. The auditors are learning about your business from scratch and what seems intuitive to you may not be clear to an outsider.
Tip #5 - Clarify or correct misunderstandings
If you believe the auditor is getting something wrong, take the time to politely clarify. Provide business reasons to explain what you are doing and why and show additional safeguards and unwritten controls or practices you may have in place.
CLOSING LETTER AND DEFICIENCY LETTER
The book is closed when the commission staff gets what they feel is an adequate response. The firm will receive a letter saying there are no further comments.
The close of an audit does not mean the securities commission has “approved” everything the firm may be doing. The securities commission will send you their report with deficiencies and significant deficiencies and give a timeline for your response. You still have an opportunity to correct factual inaccuracies or supply additional information and documents to address any concerns.
Deficiencies are areas where the auditor finds the firm is not operating as required under regulation or as per the firm’s own policies. You do not have to formally answer deficiencies, and you should not. Don’t give answers or documents that weren’t asked for. You must, however, ensure that the deficiencies are rectified.
Significant deficiencies are those that are pervasive, repeated or liable to cause significant harm. You will need to formally address significant deficiencies in writing. Describe how you will rectify them and give a timeframe. These are considered promises to the commission and form the basis by which they close the audit. Sometimes the auditor will ask to see a corrected policy or document, but generally they simply want your undertaking that you will fix it.
Tip #6 - Reply promptly with a commitment to rectify issues
You should reply promptly to the deficiency letter, either to defend the legality of a questioned practice or to emphasize that any violations are unintentional and will be corrected. However, this is not the time for argument or interpretation. Don’t fight over minor details. You can state your case if you do not agree that something is a deficiency.
Tip #7 - Understand the deficiencies and undertake to address in a timely manner
Understand the deficiencies and be aggressive in the corrective action taken, but don’t overpromise. Be realistic about how you can reasonably rectify deficiencies.
You may need to correspond further with auditors until issues are resolved. The book is closed when the commission staff gets what they feel is an adequate response. The firm will get a letter saying there are no further comments, which means the auditors are satisfied with the firm’s response, that the firm has either addressed the deficiencies or that the firm understands the deficiencies and is taking appropriate corrective action.
SGD COMPLIANCE CONSULTING CAN HELP
Audits can be time-consuming, stressful and resource intensive. SGD Compliance brings years of regulatory compliance experience to the table and can help at any stage of the audit process including:
· Preparing for the audit
· Identifying and addressing deficiencies proactively
· Providing required staff training
· Responding to the closing letter
· Planning and completing post-audit corrections
For more information or to discuss the specifics of your firm’s needs, please contact us at: firstname.lastname@example.org or by telephone at 647-967-5980
© 2023 SGD Compliance Consulting Inc.