Paradigm Shift in SEC Exams, Benefits of a Mock Exam

For investment advisers currently going through an SEC exam, the process likely bears little resemblance to exams of old. Call it the new normal, a paradigm shift, or simply the effects of the SEC having to do more with less, but anecdotal evidence among those now experiencing the exam process suggests some interesting new trends.

What has changed about SEC exams? First, the concept of routine exams seems to have fallen by the wayside, replaced with targeted, risk-based exams. The risks may be specific to a given firm, or may be part of risk-based sweep exams to help the regulator assess the prevalence of certain practices and the extent of controls around certain focus areas.

The targeted exams are evident in the significantly reduced size of the initial request list being received by investment advisers. Firms are reporting initial requests of as few as a dozen items. Other advisers are sharing that the SEC requests an initial “get-to-know-you” phone call but never comes on-site at all, choosing instead to conduct the entire exam remotely. Still others are reporting that the SEC did come on-site, but only for the purpose of attending the initial presentation they request about the firm, its business model, its risks and controls.

What else seems to have changed with SEC exams? They are actually being completed quickly—in some cases in as little as three months—according to several hedge fund advisers who have recently gone through the process.

Last week, I had the opportunity to hear tales from the front lines from the legal and compliance teams representing firms that had recently gone through an SEC exam, and several shared that they felt prepared for their exams because they engage compliance consultants to conduct mock exams several times per year on a variety of focused topics, such as expense allocation or trading practices. One adviser shared that the benefit of having a third-party mock SEC exam is that the consultant has a breadth of experience among numerous firms going through exams and can leverage actual SEC request lists and questions to help prepare their team by testing the ability to gather and produce requested information in a timely manner, and by testing the preparedness of their personnel to handle a regulatory interview. Another adviser added that it is important for the chief compliance officer to be in the hot seat for a mock exam interview as well. Mock SEC exams offer the opportunity for an independent look at how staff responds to questions, and can reveal valuable insights such as who may be able to handle the pressure in front of a real regulator and who should perhaps be encouraged to take a vacation that week because the interviewee over-volunteered information or was wholly inaccurate.

I also had the opportunity to join an FBI agent from the Financial Cyber Crimes Task Force to speak to hedge fund advisers on the topic of big data as it relates to cybersecurity. Hedge fund advisers in particular are generally very protective of their “secret sauce,” and it was interesting to hear how many firms were storing data in the cloud versus on premises. The scales have clearly tilted towards the use of the cloud, and especially a private cloud solution, although many in the audience agreed that they migrated to the cloud in stages, one system at a time.

Whether using the cloud or not, my co-panelist and I stressed the importance of data classification, of understanding what your organization’s crown jewels are and protecting those assets accordingly. Once hackers have gained access, log files tend to show that the hackers try to move laterally within the firm to try to access other systems, files, and information. It may not be readily apparent to an adviser what information may be valuable to the hacker, because it may differ from what the adviser considers to be its crown jewels. And since many cyber intrusions are not detected for 6-9 months after the fact, it is important for firms to maintain log files they can review to determine what a hacker accessed.

Finally, the FBI was in agreement that social engineering continues to be the biggest risk facing the financial sector. As merger-and-acquisition activity picks up in the financial space, it can be very easy for a firm with strong controls on all of its systems to suddenly have a number of new and potentially insecure systems added to the mix. Cyber crime tends to be a crime of opportunity. A hacker only needs one way in, whether it’s through an unpatched system or a phishing attempt that lets them right in the front door.


Want to make sure your firm is exam-ready? Ascendant can help. Our mock exams consist of interviews, document review, data inspection, compliance testing, and evaluation of policies and procedures, and are designed not only to highlight weaknesses but also to assist with enhancing compliance programs to ensure consistency with the SEC’s expectations. For more information, contact us today via email or at 860-435-2255.
