Gohlke Provides Guidance on the Annual Review Process
If you've been wondering how SEC examiners will evaluate your annual review process, wonder no more.
At last week's Investment Adviser Association workshop, SEC associate director Gene Gohlke described ten questions that he said examiners "would want to ask" when reviewing an adviser's annual review. And, he said, the questions could be used by advisers, as well: "Perhaps, if you really take those questions to heart — and do all the work — you could do a very effective annual review and we would come in and say, 'Hey, no comments'."
"Maybe," he added.
Gohlke acknowledged that while the compliance program rule requires an annual review, the rule and accompanying releases provide scant guidance on how to go about it. Basically, he said, the extent of the guidance on the annual review is "do what you think you have to do in order to get there."
Of course, that's not all bad. The flexibility provided by the lack of specific guidance can be beneficial, given that advisers "come in all shapes and sizes," as Gohlke put it. The freedom allows firms to "be creative" and develop annual review processes "that meet their facts and circumstances," he said.
On the other hand, Gohlke acknowledged that the lack of specific guidance can be "disconcerting" to some advisers. In fact, he seemed to sympathize a bit with CCOs who say, "We've got to do this — but there's no guidance out there." He noted that "there's also no guidance out there for the exam staff" on how to assess advisers' annual reviews: "We can read the release and rule and say, 'Well, advisers get to do their own thing,'" he said. Does that mean the exam staff has to assess, "Well, did this adviser do enough of its own thing?" Examiners, he said, are "somewhat in a learning stage as well in this area."
With that, Gohlke announced that he had developed ten questions that the SEC examination staff "would want to ask advisers about their annual review process." Turning that around, he said, advisers ought to ask themselves the same ten questions.
Gohlke emphasized that the questions represented his own personal thoughts, and that they had not been approved by the Commission. (Of course, as we all know, Gohlke's personal thoughts carry more than a little weight in this area. Try running Gohlke's name through the Microsoft™ spell-checker and you'll see what we mean.)
In some respects, Gohlke's ten-step program merely repeats the required elements of the compliance program rule. As the regulator himself put it, "there's nothing that much esoteric here, it seems sort of common sense." However, the questions may be helpful in that they provide a procedural road-map for conducting the annual review. On that score, don't discount Gohlke's own assessment of the value of the questions: "I would submit that if you can answer positively all these questions and do the work necessary to make sure you know the answers to these questions, you've probably done a pretty good annual review."
The ten questions, which Gohlke said that a firm's senior management and CCO should ask as part of the annual review —
1. Does the firm do risk identification on a real-time basis? Is there a process for identifying conflicts of interest and other activities and arrangements that could cause the firm to breach the Advisers Act? Is the process likely to identify all of the emerging risks in the firm's business and in its environment, as those risks arise? Risk assessment, said Gohlke, is the "starting point for developing a good compliance program." A firm needs to assess what can go wrong, and what it needs to do to address what could go wrong, he said.
2. Has the firm done a risk assessment of its current risks? Has the firm "identified and compiled an inventory of all material risks that it currently has that could cause breaches of the Advisers Act?" asked Gohlke. "Given the circumstances of the firm right now, have all of the major risks been identified?"
3. Are new risks addressed as they occur? Is the firm's process for creating compliance policies and procedures (including supervisory procedures to implement those policies) likely to fully address each material risk as it emerges? In other words, Gohlke explained, as risks arise, are they "mapped" to procedures? Once a new risk is identified, "is there then sort of a complementary follow-on process" that addresses what policies and procedures may need to be developed? "Is there a process that naturally leads from the identification of the risk to development of appropriate policies and procedures?"
Gohlke provided various examples of new risks: a firm begins investing in new types of instruments (CMOs, CDOs), begins to implement new strategies (shorting), or decides to offer a hedge fund with a performance fee. Has the firm gone through and asked "What are the new conflicts of interest we have here and other issues that might cause violations of the Adviser Act?" and then "What policies and procedures should we have in place to make sure that whatever we do is consistent with disclosures we make" in Form ADV and elsewhere? In other words, Gohlke explained, has the firm "given some forethought to what's involved?"
4. Is the firm's current set of compliance policies and procedures reasonably designed to prevent breaches of the Advisers Act and detect and correct promptly breaches that do occur? A firm should determine "what are the policies and procedures we have, what are the risks we have right now, and do they map one to another?" Gohlke said.
5. Is the firm looking at recognized internal control principles? Does the firm's process for implementing compliance policies and procedures incorporate recognized principles of management and internal controls? Gohlke mentioned the COSO Principles, developed by the Treadway Commission, as a specific example of fundamental management principles (separation of functions, clear assignment of responsibilities, etc.) The question to ask: "Once we develop these policies and procedures, do we have a way of putting them into play, making sure they are controlling the activities of the firm's staff on a day-to-day basis?" (On that score, mid-sized and smaller advisers might want to take a look at COSO's Guidance for Smaller Public Companies Reporting on Internal Control Over Financial Reporting, issued last week).
6. Do the results make sense? Do the outcomes from the implementation of the firm's compliance policies and procedures substantiate that they have been implemented effectively and will likely continue to be implemented effectively? During a period where compliance breaches are identified in exception reports and/or through checklists, "what corrective actions were taken for those issues?" asked Gohlke. He urged firms to take a look at the "precise issues" that arose during the year. Were the issues consistent with what the CCO would have expected to come out at the firm? What did the firm's management and business side do to correct those issues when they arose? What sort of disciplinary actions were taken against persons who ignored established procedures? For example, said Gohlke, what if "a number of people in the firm blow off the code of ethics and never get their quarterly reports in on time, even though they were told they had to do it?" At some point, "you've got to hit those people over the head," perhaps by fining them or withholding all or a part of their bonus. "Does that get done, or are there some people in the firm who are above the law?" he asked. At the end of the day, "that matters." If certain people are not covered by a procedure, and should be, then the procedure is not effective. If the rules are bent, because employees take the view that "nobody's going to notice," he said, "that's not good either."
7. Is forensic testing working? Is the firm's program of forensic testing appropriately targeted to activities with the highest risk of harboring concealed schemes and arrangements? This, Gohlke acknowledged, is "maybe my pet thing." He suggested that firms consider whether tests conducted during the review period provided "corroborating evidence" that either such schemes and arrangements "do not exist, which is great," or, if detected, "that appropriate remedial actions have been taken." In addition to the "typical transaction testing that is built in on a day-to-day basis," he explained, somebody should "step back and, in critical areas of the firm's activities, take a look at results of information over a period of time." Firms should evaluate whether those results are consistent with what it would expect, given the firm's policies and procedures.
8. Is the CCO empowered? Does the work stature and influence of the firm's CCO indicate that he or she is sufficiently empowered with full responsibility and authority to ensure proper compliance policies and procedure, and to compel compliance with those policies and procedures? Is the CCO "really effective in making sure that people within the firm comply with policies and procedures?" Gohlke asked.
9. Is there a written report? Have the findings from the annual review, together with an assessment of the compliance program's effectiveness and any recommendations for changes or improvements, been compiled into a report and presented to senior management for their consideration and further action? Gohlke acknowledged that advisers are not required to do a report of their annual review, but added that "it seems like it might be a good idea to do it, as sort of a historical document to summarize what was done, what the findings were, and perhaps what the next steps might be to improve things."
10. Is the right information being retained? Has the firm adequately documented the information collected and the work done in conducting the annual review? Has such documentation been preserved as required?
At the end of his remarks, Gohlke reminded firms that "the bottom line" is whether the compliance program continues to be effective. He also said that in his personal view, for "most" advisers, doing an annual review once a year "is nowhere near enough." The annual review, he said, "is somewhat of a misnomer — it's more like a continuous review." If a firm doesn't think about whether its compliance program continues to be effective until a year has passed, "what about all the compliance issues that arose during that interim time that may not have been addressed?"
The annual review, added Gohlke, should be viewed as a "summing up, a pulling together of what was found [and] what was done during the year to keep the firm's compliance program effective," into "some sort of summary document, almost like a history book."