Investment Advisers (“IAs”) registered with the Securities and Exchange Commission are required under Rule 206(4)-7 of the Investment Advisers Act of 1940 (“Advisers Act”) to perform annual reviews of their compliance programs. While annual reviews are the cornerstone evaluation of an IA’s compliance policies and procedures and operational functionality, IAs need to implement periodic testing protocols to ensure that their policies and procedures continue to effectively prevent violations.
In their June 2017 Investment Management Compliance Testing Survey, the Investment Adviser Association (“IAA”) reported that IAs who responded to the survey are increasing testing in a number of areas, including cybersecurity, privacy, identity theft, advertising and marketing, disaster recovery and business continuity planning, best execution, and electronic communications.
In this month’s Risk Management Update, we outline the reasons monthly testing is important and offer tips and guidance on implementing a monthly compliance testing plan.
The Importance of Monthly Testing
Annual reviews are not only a requirement under the Advisers Act, but also a crucial component of a strong compliance program. Performed correctly, an annual review should assess and verify the efficacy and functionality of an IA’s policies and procedures; provide a robust evaluation of critical business areas; and identify issues that may impact the firm.
If an advisory firm doesn’t have testing in place and is only focused on conducting an annual review one month out of each year, it can cause gaps to go undiscovered, which in turn can be costly to the firm. Risk assessments can be a great tool to supplement an annual review, but they may not happen with the frequency necessary to determine if a compliance program is functioning properly.
Monthly testing provides an opportunity to conduct ongoing reviews of an IA’s compliance policies and procedures and critical business functions. This frequency will be especially helpful in the timely identification of any compliance issues that may have occurred in significant, high-risk areas like personal securities transactions, marketing and advertising, portfolio management, trading, cybersecurity, and custody. Furthermore, the findings that you glean from your monthly compliance testing will provide you with additional data that can be applied towards your risk assessment and annual review, providing a more up-to-date and detailed snapshot of your compliance program and better positioning you to look for ways to make improvements.
Monthly Testing Plans
A monthly testing plan is a great way to organize and identify critical areas of your compliance program and business that need to be routinely checked. By creating a testing plan, your firm will be outlining different areas of your compliance policies and procedures and then testing if the policies and procedures are effective.
One suggestion is to begin by outlining each of the areas that are listed in the table of contents of your policies and procedures manual. Using this framework, identify different areas of your manual that you can review on a rolling basis, beginning with the higher risk areas first. Begin by identifying the procedures laid out in your manual in each of the areas outlined and create a matrix or other record for your tests where you can track your testing and results. For example:
- Create a section for Cybersecurity;
- Add the procedures for document encryption requirements;
- Create the testing protocols for the document encryption requirement (e.g., use your email retention and review system to determine if anyone is sending out confidential documents with non-public client information to third parties without encryption or password protection); and
- Document your results and report any critical or material findings to senior management, along with recommendations on how to address them.
Your compliance consultant can help you fashion tests that are customized to the needs and practices of your business. Specificity with respect to your policies and procedures manual is important to ensure that you are creating tests that meet your business practices while at the same time, attending to the mandates of your compliance program.
Importantly, Rule 204-2 of the Advisers Act requires advisory firms to maintain books and records to substantiate the annual review performed. To that end, in addition to the testing matrix and backup documents, you should consider creating a report at the end of the 12-month testing period that summarizes the: (i) testing performed, (ii) findings, (iii) recommendations, and (iv) corrective steps taken.
The Effectiveness of Monthly Compliance Testing
Monthly testing is a worthwhile and effective tool in ensuring regular review and maintenance of your compliance program. Among other things, monthly compliance testing can:
- Identify critical issues in a timely manner;
- Identify policies and procedures that have become outdated; and
- Provide an opportunity for a regular review of business practices and compliance policies.
Remember, any additional resources you can employ to test and ensure that your policies and procedures are up-to-date and properly functioning are important resources in maintaining a healthy compliance program. Technology can play an important role with respect to conducting monthly testing. For example, your firm could use a compliance technology suite to conduct Code of Ethics testing, including personal trading activity, receipt of attestations and disclosures, and retention of required reports. Importantly, technology provides automation to the testing process, which not only gives the CCO time to be proactive instead of reactive, but also eliminates potential human error.
Monthly testing is a core function of annual reviews. Testing your policies and procedures and the high-risk areas of your business throughout the year gives you access to more current and dependable data. This increases your ability to identify and deal with any compliance issue in a timely manner, which can save the firm a lot of money and help to eliminate regulatory exposure.
For more information or assistance with creating a monthly testing plan, risk assessments, or your annual review, please contact us at email@example.com, at (619) 278-0020, or visit us at www.corecls.com for additional information.
Author: Adam Stutz, Compliance Consultant; Editor: Tina Mitchell, Lead Sr. Compliance Consultant, Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
Carreiro, Lynne M., and Sanja Lamba. “July 2017 Investment Management Compliance Testing Survey,” Investment Management Compliance Testing Surveys, Investment Adviser Association, 8 June 2017, Summary Report: 2017 Investment Management Compliance Testing Survey Report.
See http://www.corecls.com/news-events/2018-compliance-professional-resource-guide for a list of software providers.