Annual Compliance Reviews

Can you believe it?  It’s time for yet another annual review.  That means it’s time to look back and see where we can improve.

What is an annual compliance review?

Each investment adviser registered with the SEC is required to adopt and implement written policies and procedures reasonably designed to prevent violations of the Investment Advisers Act of 1940 (the “Advisers Act”), to review those policies and procedures at least annually for their adequacy and effectiveness of their implementation, and to designate a Chief Compliance Officer who is responsible for administering the policies and procedures.

To determine if firms have complied with this regulatory requirement, during all routine inspections of advisers, examiners will gather and scrutinize information regarding a firm’s annual review work. This information comes from the review of documents and discussions with compliance and operating personnel who were involved with the annual review.

What do examiners ask when they review a firm’s annual review?

Examiners will typically ask questions in at least 9 broad areas to scrutinize a firm’s annual review.

Who conducted the review?

Answer:

CCO and other compliance staff, operating or business management, risk management staff, internal auditors, external auditors, consultants or any combination of these.

What was reviewed?

Answer:

• Process for identifying and assessing compliance risks including those arising from both internal and external factors.
• Risk inventory.
• Process for creating compliance policies and procedures.
• Compliance policies and procedures in effect during the period.
• Whether such policies and procedures addressed all risks identified.
• The process by which compliance policies and procedures were implemented.
• The extent to which responsibility for implementing and managing compliance policies and procedures has been made a part of the duties of operational staff.
• Transactional or quality control testing is conducted.
• Period or forensic testing conducted.
• Exceptions/issues identified as a result of tests applied.
• Material compliance issues identified.
• Management reporting process and structure.
• Follow-up/corrective or remedial actions taken to address exceptions and compliance issues.
• Escalation process for addressing certain compliance issues.
• Compliance and ethics-related training conducted.
• Compliance culture of the firm.
• No review was conducted.
• Combination of the above.

When was the review conducted?

Answer:

• As compliance issues arose during the period.
• As material compliance issues arose during the period.
• As changes in business activities or organizational arrangements occurred.
• As external events occurred and were determined to have a possible impact on the firm.
• Rolling routine review by functional area.
• Rolling routine review by functional area coupled with using the “forensic test of the month” approach.
• Rolling routine review by functional area with end-of-period mop-up of areas not touched during the period.
• Work concentrated toward the end of the annual period.
• Work is undertaken after the end of an annual period.
• Combination of the above.

How was the review conducted?

Answer:

• Self-assessments by operating staff with the assistance of compliance staff or outside consultants.
• Interviews of operational staff conducted by compliance staff or outside consultants.
• Questionnaires circulated to the firm’s staff by compliance staff or outside consultants.
• By compliance staff or consultants through a review of documentation.
• Review and analyze exceptions/compliance issues, especially material compliance issues, including how these issues were identified and resolved.
• Regular follow-up work addresses compliance issues identified in the normal course of work.
• Follow-up on findings flowing from the application of forensic tests.
• Through a comprehensive risk assessment and mapping of risks identified to policies and procedures for mitigation and management.
• Redoing work was done when the compliance program was initially established.
• Review of work done by internal audit staff during the course of the period covered by the review.
• Purchased an updated off-the-shelf compliance program.
• Combination of the above.

What were the findings from the review work?

Answer:

• The risk identification/assessment process was effective, and the risk inventory was comprehensive; no changes to the process were required.
• The risk identification/assessment process did not adequately cover all the firm’s activities.
• The risk identification/assessment process did not adequately address new developments or material compliance issues that arose.
• Previously, unidentified compliance risks were found.
• Compliance policies and procedures were effective and required no changes.
• Compliance policies and procedures did not effectively address all risks listed on the inventory.
• Compliance policies and procedures were uniformly implemented effectively.
• Compliance policies and procedures were not uniformly implemented on an effective basis.
• Compliance issues at one or more of a fund’s service providers were detected on a timely basis and/or corrected promptly in ways designed to minimize the likelihood or recurrence.
• Compliance issues at one or more of a fund’s service providers were not detected on a timely basis and/or corrected promptly in ways designed to minimize the likelihood or recurrence.
• Material compliance issues at a fund service provider were communicated promptly to the fund’s CCO.
• Material compliance issues at a fund service provider were not communicated promptly to the fund’s CCO.
• Compliance policies and procedures used by one or more of a fund’s service providers continue to address effectively all of the fund’s risks associated with that service provider’s menu of services provided to the fund.
• Compliance policies and procedures used by one or more of a fund’s service providers do not address effectively all of the fund’s risks associated with that service provider’s menu of services provided to the fund.
• The occurrence of business/organizational events at one or more of a fund’s service providers that resulted in material changes to the set of risks to the fund associated with that service provider’s functions and any related changes to its compliance policies and procedures were communicated timely to the fund’s CCO.
• The occurrence of business/organizational events at one or more of a fund’s service providers that resulted in material changes to the set of risks to the fund associated with that service provider’s functions and any related changes to its compliance policies and procedures were not communicated timely to the fund’s CCO.
• CCO and compliance staff is assuming too large a role in doing compliance work.
• Responsibility for compliance work has been effectively made an important aspect of the responsibilities of operating management.
• Responsibility for compliance work has not been effectively made an important aspect of the responsibilities of operating management.
• Oversight of service provider compliance policies and procedures was effective.
• The oversight of service provider compliance policies and procedures is weak or ineffective.
• Quality control and forensic testing processes effectively identify exceptions and compliance issues.
• Quality control testing was not uniformly effective in identifying exceptions/issues.
• Forensic testing was not conducted.
• Forensic testing was not uniformly effective in identifying exceptions/issues.
• Follow-up/remedial actions to address exceptions and compliance issues were uniformly prompt and effective.
• Follow-up/remedial actions to address exceptions and compliance issues were not uniformly prompt and effective.
• Clients were harmed by compliance issues that arose and such harm was promptly and adequately addressed.
• Clients were harmed by compliance issues that arose and such harm was not adequately addressed.
• Training conducted regarding compliance and ethics was effective.
• Training conducted regarding compliance and ethics was ineffective.
• The compliance culture of the firm is effective.
• The compliance culture of the firm needs to be improved.
• Compliance activities are viewed by operating management as a burden and not as an essential activity of the firm.
• Combination of the above.

What recommendations were made?

Answer:

• No recommendations for changes or improvements to the compliance program were needed.
• The firm needs to improve its process for identifying/assessing risks in various ways.
• The firm needs to be more proactive in identifying new or changes to risks in real time.
• The firm needs to improve its process for creating compliance policies and procedures that address the compliance risks present.
• The firm needs to improve its process for implementing compliance policies and procedures.
• Operational staff throughout the firm must assume greater responsibility for ensuring that compliance policies and procedures are implemented effectively, including identifying and resolving exceptions and other compliance issues.
• Include management of compliance matters as a factor in the evaluation criteria for managers throughout the firm.
• An expanded and enhanced quality control/forensic test slate must be developed and implemented.
• The firm’s process for escalating decision-making regarding compliance issues needs improvement.
• Improve oversight of service providers’ compliance programs.
• Improve the quantity and quality of training focused on compliance matters and ethics.
• Combination of the above.

What is the current status of implementing recommendations?

Answer:

• Resources committed to implementing all recommendations.
• Resources committed to implementing a subset of recommendations.
• Resources are not available to address important recommendations.
• Work is underway to address all or a subset of recommendations.
• A consultant is hired to study and provide advice as to how certain recommendations should be addressed.
• All recommendations have been addressed, and changes need to be implemented.
• Management is still studying recommendations, and no decisions have been made.
• All or some of the recommendations have been ignored or marginalized.
• Combination of the above.

What documentation was created/retained to reflect work done?

Answer:

• Planning documents for conducting an annual review.
• Notes of persons conducting review activities.
• Completed questionnaires.
• Results of self-assessments.
• Consultant’s reports and recommendations.
• Work papers and interview schedules were conducted, and documents were reviewed.
• Internal audit reports.
• Reports of external auditors.
• Results of forensic tests conducted and follow-up work.
• List of material compliance issues that arose during the review period and explanation of how each issue was addressed.
• Summary or reports of findings from rolling review work completed.
• Report of work conducted, findings and recommendations from the annual review.
• Combination of the above.

What was the involvement of senior management in the review?

Answer:

• Management has been briefed on the work done, as well as its findings and recommendations.
• Management is very involved in planning and conducting annual reviews.
• A summary report was prepared and provided to the management/fund board.
• Management is informed and involved in resolving material compliance issues in real-time.
• Management is not interested in compliance issues.

Conclusion

There is a lot that goes into conducting an annual review!

It’s important that the reviews you conduct are documented and that the personnel who conducted the review can speak intelligently and specifically about the review they conducted and the outcome and further actions they took.  If your firm has gone through personnel changes or has experienced a great deal of growth, we would expect to see that changes were made to your compliance systems year to year.  We would expect the same if the services you provided or the types of clients you have changed.  If you are involved in retirement planning and are subject to ERISA, we would expect to see thorough testing of your compliance program to ensure it is responsive to obligations and requirements under ERISA, especially if you are a fiduciary as defined under ERISA.

It’s possible you haven’t conducted an annual review in the last few years.  You can conduct them retroactively.  If you need help, visit our Templates Shop to purchase the risk assessments you will need to conduct your annual review.  Would you rather have the professionals do it? Contact us today to discuss your options.