An Inside Look at the Mock Audit Process
Should you hire a trained professional to come into your shop and kick your tires?
Many CCOs think they should. Over half of the advisory firms that responded to a 2005 compliance survey jointly conducted by Amy Yuter, Adviser Compliance Associates, and IM Insight indicated that they had relied on some form of third-party testing to evaluate their compliance programs.
Clearly, arranging an independent evaluation of your compliance policies and procedures is one of the best ways to identify and address compliance problems before the SEC arrives. However, it also can be one of the most expensive: A mock SEC audit ranks up there with new hires and software purchases as one of the most significant expenditures that a CCO can make.
For an inside look at the outside audit process, and to identify issues CCOs might consider when setting up a mock audit, IM Insight spoke with Rob Stype, managing partner of Adviser Compliance Associates. ACA is the corporate owner of IM Insight.
Stype knows a thing or two about SEC audits. As a former branch chief in the SEC's Office of Compliance Inspections and Examinations, he led many SEC examinations throughout his eight-year tenure with the SEC. He then co-founded ACA in 2002, and has been conducting mock SEC audits ever since.
Why should a CCO consider setting up a mock SEC audit?
In Stype's view, a mock audit is "invaluable" in helping firms identify and address potential issues.
He recalled the story of one firm that had hired ACA to conduct a mock audit. A month later, the SEC showed up. Having recently gone through a mock audit, the firm's CCO was well-prepared for the real thing. "The firm had, in effect, a dry run of an SEC audit in advance of the actual audit." The SEC's interviews were substantially similar to those that had been conducted during the mock audit. And most of the records that the SEC requested already had been pulled together during the mock audit.
More generally, Stype added, mock audits carry weight with SEC examiners. If examiners determine that a firm's compliance program has been evaluated by an outside expert, "that's going to add some credibility." In the case of the firm mentioned above, Stype said that the SEC examiners looked favorably on the fact that the firm had quickly addressed the issues that had surfaced during the mock audit.
It's also worth noting that in the SEC's February 2003 compliance program proposing release, the Commission actually considered requiring funds and advisers to undergo periodic third-party compliance reviews. While the SEC did not follow through on that item, the fact that they even considered it signals that third-party reviews are viewed favorably.
Stype pointed to another, less-obvious reason for a third-party mock audit: When an outside person comes in to discuss compliance issues with employees, that discussion carries a different tone than a strictly internal one. In Stype's experience, there are "variations" in employee responses when responding to an independent third party, as opposed to responding to their own CCO. Not in the sense of any dishonesty, he emphasized, but rather in the sense of a different perspective and tone. "On a regular basis," he said, "we'll sit down and have an interview" with an employee, with the CCO listening in. Afterwards, the CCO will say that the response was "a little different" than what the person told the CCO when asked a similar question. When a firm employee is dealing with someone from the outside, explained Stype, the individual may present information "in a slightly different manner" because they are typically told to treat the mock exam as if it was an SEC audit. The interviewee "may be a little guarded or nervous." Stype added that in most cases the varied responses would not result in material changes to the compliance program, but that he has seen numerous examples where policies and procedures required amendments based on new knowledge obtained from mock interviews.
But we're such a small firm. What use is a mock audit when our compliance program is so basic?
Mock audits can help small firms leverage limited resources and staff. Stype noted that it can be "extremely difficult" for small firm CCOs to understand the SEC's expectations and get their arms around the relevant regulations. Unlike the NASD, which puts out a great deal of information to its members, "there is not an enormous amount of resources for investment advisers," Stype said. For small firms, therefore, the mock audit process is both consultative and educational, in the sense that the consultants work hand-in-hand with firm employees to set up or improve their procedures as they go through the review.
Stype also noted that small firm CCOs typically perform other functions within their firms. Even if someone else within the firm supports the CCO, he added, that person also may have two or three other roles. As a result, it can be difficult for small firm CCOs to monitor compliance in the same manner as large firm CCOs, who are able to focus all of their attention on compliance. Because of the additional non-compliance responsibilities facing small firm CCOs, he said, there may not be enough time to concentrate on the compliance program on an ongoing basis and assess it "A through Z" to identify potential gaps.
But we're such a large firm. We know what we're doing. Why would we ever need a mock audit?
Stype acknowledged that larger firms typically have experienced compliance staffs and a strong grasp of applicable regulatory requirements. Moreover, they already may be sensitive to their high-risk areas.
However, he noted, large firms face a unique challenge: The bigger the firm, the more difficult it may be for compliance to identify and address all of the firm's potential risks. "Things can slip through the cracks," said Stype. "When you are in the trenches on a day-to-day basis, it's more difficult to identify all possible gaps in your program. It is tough to see the forest through the trees."
For that reason, mock audits can provide significant benefits to larger firms by testing their existing compliance programs to confirm that appropriate procedures are in place and that employees understand their responsibilities. Most large firms "have the necessary policies and procedures in place," noted Stype. Their "gaps" typically lie either in the lack of an adequate testing program or failing to identify certain material risks inherent in the firm's operational structure, he said.
To what extent should the mock audit resemble an actual SEC exam?
Stype said that ACA strives to make its mock audits "as similar as possible as what the firm would expect from a regular SEC audit," by addressing all of the areas that the SEC would focus on. "The critical starting point" in designing a mock audit is understanding what a regular SEC audit is like, he said.
Some firms, he said, decide at the outset that they are going to treat the mock exam just like a real SEC exam. Firm employees tell the consultants, "We're going to treat you like you were the SEC," and ask the consultants to return the favor. One firm, recalled Stype, didn't even tell its staff that they were getting a mock inspection. The compliance department wanted to observe people "scrambling" to see if they could get their records together. "That's not common," said Stype. "Obviously," he explained, firms "are spending money on this" and for that reason most "want it to go as smooth as possible."
In contrast, a small firm that is just getting its compliance program off the ground may be less interested in recreating the experience of an actual SEC exam and may prefer that consultants periodically remove their "SEC examiner" hats in order to provide more guidance and education. There, he said, the process can be "much more open." While fundamentally the exam will cover the same subject matter, at "every step along the way" the firm will confer with the consultants by talking through request list items and discussing interviews. "We'll conduct interviews in a similar manner to what we would expect from the SEC," but afterwards, we will "step to the side" and discuss "why we asked a particular question" or how a given response might be interpreted by a regulator.
Again, Stype emphasized that firms can take either approach. "It really is a function of the operational and compliance infrastructure of firm," he said.
Should the mock audit cover everything? Or only specific areas?
Again, this is up to the individual firm. While ACA conducts plenty of full-scope audits, Stype also reported that consultants often are brought in to focus on a specific area, such as proxy voting, trading, or marketing. This type of targeted engagement, said Stype, is more often requested by larger advisers and mutual fund complexes. Larger firms, he noted, tend to look at risk from a global perspective and tend to have a "better grasp" of their high-risk areas.
Of course, he added, if ACA is conducting the firm's official annual review of its compliance program, "we've got to hit on everything."
What sort of end product is produced?
If the firm decides that it wants a written report summarizing the review process and findings, it is told upfront that the report will contain the good, the bad, and the ugly. "There's no grey area," said Stype. If ACA consultants identify a problem, and their engagement is to write a report, the problem is going in the written report, he said. "We have to include it," he explained. Leaving it out "would defeat the integrity of the entire process." Most firms, he added, understand why this is necessary. "The firms that are hiring us are very serious about compliance."
Of course, firms are free to ask for an oral report instead. Stype suggested, however, that firms plan to prepare something in writing — either by their outside consultant or service provider, or internally by someone in their firm — in anticipation of the SEC's review of the firm's annual review process. Even though not required for advisers, "if you don't have something to hand to the SEC, they will probably push a little bit," he said. "I think the general thought process is that you need to have some type of written report."
Stype said that once ACA issues a written report to a firm that has undergone a mock audit, it is then up to the firm whether or not to hand that report over to the SEC, a client, or other third party. While the SEC has long asked for such reports, Stype reported that increasingly, institutional clients and other third parties also are making this request. For example, a primary adviser might ask a sub-adviser for its report. "We're seeing that more often," said Stype.
Should a firm hand it over?
While Stype said that ACA is happy to chat about the "pros and cons" of handing over reports to third parties, "it is a function of the individual report" and "who is asking for it and why they are asking for it." For example, "if there is nothing serious" in the report, he said, a firm may be "very comfortable" turning over the document. In many cases, the report will represent an objective, positive evaluation of the firm's compliance program. In those cases, he said, "it's obviously in the adviser's interest to promote the report."
Before a report is handed over to a client or prospect, the firm should consider "what type of client" it is dealing with and the client's sophistication in terms of understanding the comments in the report. Stype explained that the report could "scare away" certain prospective clients because of its length, which might be primarily a function of the report discussing the firm's detailed and comprehensive compliance program, as opposed to listing multiple compliance issues.
In some cases, a mock audit report may be protected by attorney-client privilege. Stype noted that some firms engage ACA through their law firm, in order to subject the resulting work product to the attorney-client privilege. "The law firm literally hires us," he said.
And, of course, there's the much-debated self-examination privilege. But Stype's not going there.
"We encourage our clients to discuss with their outside counsel whether it would be appropriate to seek any particular privilege," he said.
Of course, he added, if ACA is engaged to conduct a firm's official annual review, it is a given that the report, as well as records underlying the report, will be provided to SEC examiners if requested and cannot be subject to the attorney-client privilege. In the SEC's compliance program adopting release, the SEC stated that "[a]ll reports required by our rules are meant to be made available to the Commission and the Commission staff and, thus, they are not subject to the attorney-client privilege, the work-product doctrine, or other similar protections."
Does ACA serve as outside CCO?
No. "We've been asked by a number of firms, investment advisers as well as small and mid-sized mutual funds," Stype said. "Our concern is that we would not be close enough to the firm to really perform the CCO function as the rule requires," he said. "It would be very difficult for somebody on the outside to really have that authority."
Practically speaking, he added, an outside CCO would have to spend a great deal of time at the advisory firm in order to be fully effective. "I think some of the advisers that have looked into this are not aware of how much time the outside CCO would have to spend on-site and off-site" to adequately perform their required responsibilities under the rule, he said. "I'm not suggesting that this is not possible or it can't be successfully done," he added. "I think you have to look at it and really assess where your firm is from a compliance infrastructure perspective." Firms that are considering outsourcing the CCO role should make their own determination of whether an outside CCO can effectively monitor and enforce the firm's policies and procedures, he added.