
Annual Compliance Reviews


Can you believe it? It’s the last quarter of the year. That means it’s time to look back and conduct an annual compliance review.

What is an annual compliance review?

Each investment adviser registered with the SEC is required to adopt and implement written policies and procedures reasonably designed to prevent violations of the Investment Advisers Act of 1940 (the “Advisers Act”), to review those policies and procedures at least annually for their adequacy and the effectiveness of their implementation, and to designate a Chief Compliance Officer who is responsible for administering the policies and procedures.

During all routine inspections of advisers, examiners will gather and scrutinize information about the firm’s annual review work to determine whether the firm has complied with this regulatory requirement. This information comes from reviewing documents and from discussions with the compliance and operating personnel who were involved in the annual review.

What do examiners ask when they review a firm’s annual review?

Examiners will typically ask questions in at least 9 broad areas as they scrutinize a firm’s annual review.

Who conducted the review?

Answer:

CCO and other compliance staff, operating or business management, risk management staff, internal auditors, external auditors, consultants or any combination of these.

What was reviewed?

Answer:

  • Process for identifying and assessing compliance risks including those arising from both internal and external factors.
  • Risk inventory.
  • Process for creating compliance policies and procedures.
  • Compliance policies and procedures in effect during the period.
  • Whether such policies and procedures addressed all risks identified.
  • Process by which compliance policies and procedures were implemented.
  • Extent to which responsibility for implementing and managing compliance policies and procedures has been made a part of the duties of operational staff.
  • Transactional or quality control testing conducted.
  • Periodic or forensic testing conducted.
  • Exceptions/issues identified as a result of tests applied.
  • Material compliance issues identified.
  • Management reporting process and structure.
  • Follow-up/corrective or remedial actions taken to address exceptions and compliance issues.
  • Escalation process for addressing certain compliance issues.
  • Compliance and ethics-related training conducted.
  • Compliance culture of the firm.
  • No review conducted.
  • Combination of the above.

When was the review conducted?

Answer:

  • As compliance issues arose during the period.
  • As material compliance issues arose during the period.
  • As changes in business activities or organizational arrangements occurred.
  • As external events occurred and were determined to have a possible impact on the firm.
  • Rolling routine review by functional area.
  • Rolling routine review by functional area coupled with use of the “forensic test of the month” approach.
  • Rolling routine review by functional area with end of period mop-up of areas not touched during the period.
  • Work concentrated toward end of annual period.
  • Work undertaken after the end of an annual period.
  • Combination of the above.

How was the review conducted?

Answer:

  • Self-assessments by operating staff with assistance of compliance staff or outside consultants.
  • Interviews of operational staff conducted by compliance staff or outside consultants.
  • Through use of questionnaires circulated to staff of firm by compliance staff or outside consultants.
  • By compliance staff or consultants through review of documentation.
  • Review and analysis of exceptions/compliance issues and especially material compliance issues including how these issues were identified and resolved.
  • Regular follow-up work done to address compliance issues identified in the normal course of work.
  • Follow-up on findings flowing from application of forensic tests.
  • Through a comprehensive risk assessment and mapping of risks identified to policies and procedures for mitigation and management.
  • Redoing work done when compliance program was initially established.
  • Review of work done by internal audit staff during the course of the period covered by the review.
  • Purchased an updated off-the-shelf compliance program.
  • Combination of the above.

What were the findings from the review work?

Answer:

  • Risk identification/assessment process was effective and risk inventory was comprehensive; no changes to the process were required.
  • Risk identification/assessment process did not adequately cover all activities of firm.
  • Risk identification/assessment process did not adequately address new developments or material compliance issues that arose.
  • Previously unidentified compliance risks found.
  • Compliance policies and procedures were effective and required no changes.
  • Compliance policies and procedures did not effectively address all risks listed on the inventory.
  • Compliance policies and procedures were uniformly implemented effectively.
  • Compliance policies and procedures were not uniformly implemented on an effective basis.
  • Compliance issues that occurred at one or more of a fund’s service providers were detected on a timely basis and/or were corrected promptly in ways that were designed to minimize the likelihood of recurrence.
  • Compliance issues that occurred at one or more of a fund’s service providers were not detected on a timely basis and/or were not corrected promptly in ways that were designed to minimize the likelihood of recurrence.
  • Material compliance issues that occurred at a fund service provider were communicated timely to the fund’s CCO.
  • Material compliance issues that occurred at a fund service provider were not communicated timely to the fund’s CCO.
  • Compliance policies and procedures used by one or more of a fund’s service providers continue to address effectively all of the fund’s risks associated with that service provider’s menu of services provided to the fund.
  • Compliance policies and procedures used by one or more of a fund’s service providers do not address effectively all of the fund’s risks associated with that service provider’s menu of services provided to the fund.
  • The occurrence of business/organizational events at one or more of a fund’s service providers that resulted in material changes to the set of risks to the fund associated with that service provider’s functions and any related changes to its compliance policies and procedures were communicated timely to the fund’s CCO.
  • The occurrence of business/organizational events at one or more of a fund’s service providers that resulted in material changes to the set of risks to the fund associated with that service provider’s functions and any related changes to its compliance policies and procedures were not communicated timely to the fund’s CCO.
  • CCO and compliance staff are assuming too large a role in doing compliance work.
  • Responsibility for compliance work has been effectively made an important aspect of the responsibilities of operating management.
  • Responsibility for compliance work has not been effectively made an important aspect of the responsibilities of operating management.
  • Oversight of service provider compliance policies and procedures was effective.
  • Oversight of service provider compliance policies and procedures is weak or not effective.
  • Quality control and forensic testing processes were effectively identifying exceptions and compliance issues.
  • Quality control testing was not uniformly effective in identifying exceptions/issues.
  • Forensic testing was not conducted.
  • Forensic testing was not uniformly effective in identifying exceptions/issues.
  • Follow-up/remedial actions to address exceptions and compliance issues were uniformly prompt and effective.
  • Follow-up/remedial actions to address exceptions and compliance issues were not uniformly prompt and effective.
  • Clients were harmed by compliance issues that arose and such harm was promptly and adequately addressed.
  • Clients were harmed by compliance issues that arose and such harm was not adequately addressed.
  • Training conducted in regard to compliance and ethics was effective.
  • Training conducted regarding compliance and ethics was ineffective.
  • Compliance culture of the firm is effective.
  • Compliance culture of the firm needs to be improved.
  • Compliance activities are viewed by operating management as a burden and not as an essential activity of the firm.
  • Combination of the above.

What recommendations were made?

Answer:

  • No recommendations for changes or improvements to the compliance program were needed.
  • Firm needs to improve its process for identifying/assessing risks in various ways.
  • Firm needs to be more proactive in identifying new risks, or changes to existing risks, on a real-time basis.
  • Firm needs to improve its process for creating compliance policies and procedures that address the compliance risks present.
  • Firm needs to improve its process for implementing compliance policies and procedures.
  • Operational staff throughout the firm must assume a greater responsibility for ensuring that compliance policies and procedures are implemented effectively including the identification and resolution of exceptions and other compliance issues.
  • Include management of compliance matters as a factor in the evaluation criteria for managers throughout the firm.
  • An expanded and enhanced slate of quality control/forensic tests must be developed and implemented.
  • Firm’s process for escalating decision-making regarding compliance issues needs improvement.
  • Improve oversight of service providers’ compliance programs.
  • Improve the quantity and quality of training focused on compliance matters and ethics.
  • Combination of the above.

What is the current status of implementing recommendations?

Answer:

  • Resources committed to implement all recommendations.
  • Resources committed to implement a subset of recommendations.
  • Resources are not available to address important recommendations.
  • Work is underway to address all or a subset of recommendations.
  • Consultant hired to study and provide advice as to how certain recommendations should be addressed.
  • All recommendations have been addressed and needed changes implemented.
  • Management is still studying recommendations and no decisions have been made.
  • All or some of the recommendations have been ignored or marginalized.
  • Combination of the above.

What documentation was created/retained to reflect work done?

Answer:

  • Planning documents for conducting annual review.
  • Notes of persons conducting review activities.
  • Completed questionnaires.
  • Results of self-assessments.
  • Consultant’s reports and recommendations.
  • Workpapers and schedules of interviews conducted and documents reviewed.
  • Internal audit reports.
  • Reports of external auditors.
  • Results of forensic tests conducted and follow-up work.
  • List of material compliance issues that arose during review period and explanation of how each issue was addressed.
  • Summary or reports of findings from rolling review work completed.
  • Report of work conducted, findings and recommendations from the annual review.
  • Combination of the above.

What was the involvement of senior management in the review?

Answer:

  • Management has been briefed on work done, findings and recommendations.
  • Management very involved in planning and conducting annual review.
  • Summary report prepared and provided to management/fund board.
  • Management informed and involved in resolving material compliance issues on a real-time basis.
  • Management is not interested in compliance issues.

Conclusion

There is a lot that goes into conducting an annual review!

It’s important that the reviews you conduct are documented and that the personnel who conducted the review can speak intelligently and specifically about the review they conducted, as well as the outcome and further actions they took. If your firm has gone through personnel changes or has experienced a great deal of growth, we would expect to see that changes were made to your compliance systems year to year. We would expect the same if the services you provided changed or if the types of clients you have changed. If you are involved in retirement planning and are subject to ERISA, we would expect to see thorough testing of your compliance program to ensure it is responsive to obligations and requirements under ERISA, especially if you are a fiduciary as defined under ERISA.

It’s possible you haven’t conducted an annual review in the last few years. You can conduct them retroactively. If you need help, visit our Templates Shop to purchase the risk assessments you will need to conduct your annual review. Would you rather have the professionals do it? Schedule your consultation or give us a call at (770) 462-2118.

Author Bio

Leila Shaver is the Founder of My RIA Lawyer, a law firm that provides compliance and legal consulting for financial institutions. With extensive experience as a securities attorney and compliance expert, she has served as Chief Compliance Officer and General Counsel to RIAs, BDs, and TAMPs with billions in assets under management.

Leila understands the challenges RIAs face and is committed to helping RIAs streamline their processes, mitigate risks, and ensure compliance with regulatory requirements. She received her Juris Doctor from Atlanta’s John Marshall Law School and is a West Georgia Young Lawyers’ Association member. Leila has received numerous accolades for her work, including the Carroll County Bar Association’s Outstanding Young Lawyer Award in 2017.
