Paradigm Shift in SEC Exams, Benefits of a Mock Exam

For investment advisers currently going through an SEC exam, the process likely bears little resemblance to exams of old. Call it the new normal, a paradigm shift, or simply the effects of the SEC having to do more with less, but anecdotal evidence among those now experiencing the exam process suggests some interesting new trends.

What has changed about SEC exams? First, the concept of routine exams seems to have fallen by the wayside, replaced with targeted, risk-based exams. The risks may be specific to a given firm, or may be part of risk-based sweep exams to help the regulator assess the prevalence of certain practices and the extent of controls around certain focus areas.

The targeted exams are evident in the significantly reduced size of the initial request list being received by investment advisers. Firms are reporting initial requests of as few as a dozen items. Other advisers are sharing that the SEC requests an initial “get-to-know-you” phone call but never comes on-site at all, choosing instead to conduct the entire exam remotely. Still others are reporting that the SEC did come on-site, but only to attend the initial presentation it requests about the firm, its business model, and its risks and controls.

What else seems to have changed with SEC exams? They are actually being completed quickly—in some cases in as little as three months—according to several hedge fund advisers who have recently gone through the process.

Last week, I had the opportunity to hear tales from the front lines from the legal and compliance teams representing firms that had recently gone through an SEC exam. Several shared that they felt prepared for their exams because they engage compliance consultants to conduct mock exams several times per year on a variety of focused topics, such as expense allocation or trading practices. One adviser shared that the benefit of a third-party mock SEC exam is that the consultant has a breadth of experience across numerous firms going through exams and can leverage actual SEC request lists and questions to help prepare the team, both by testing its ability to gather and produce requested information in a timely manner and by testing the preparedness of personnel to handle a regulatory interview. Another adviser added that it is important for the chief compliance officer to be in the hot seat for a mock exam interview as well. Mock SEC exams offer the opportunity for an independent look at how staff respond to questions, and can reveal valuable insights such as who may be able to handle the pressure in front of a real regulator and who should perhaps be encouraged to take a vacation that week because the interviewee over-volunteered information or was wholly inaccurate.

I also had the opportunity to join an FBI agent from the Financial Cyber Crimes Task Force to speak to hedge fund advisers on the topic of big data as it relates to cybersecurity. Hedge fund advisers in particular are generally very protective of their “secret sauce,” and it was interesting to hear how many firms were storing data in the cloud versus on-premises. The scales have clearly tilted towards the use of the cloud, and especially private cloud solutions, although many in the audience agreed that they migrated to the cloud in stages, one system at a time.

Whether using the cloud or not, my co-panelist and I stressed the importance of data classification: understanding what your organization’s crown jewels are and protecting those assets accordingly. Once hackers have gained access, log files tend to show that they try to move laterally within the firm to reach other systems, files, and information. It may not be readily apparent to an adviser what information is valuable to the hacker, because it may differ from what the adviser considers to be its crown jewels. And since many cyber intrusions are not detected until 6-9 months after the fact, it is important for firms to retain log files long enough that they can still review them to determine what a hacker accessed.
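As an added illustration of the two points above (example code, not part of the original post), the following Python sketch flags an account that successfully reaches an unusual number of distinct hosts within a short window, the fan-out pattern described, and checks whether a log retention period would still cover the 6-9 month detection lag. The log line format, the sample entries, and the thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); the format is an
# assumption: ISO timestamp, user, source IP, destination host, result.
SAMPLE_LOG = """\
2019-03-04T09:58:02 user=asmith src=10.0.1.21 dst=FILESRV01 result=success
2019-03-04T10:02:11 user=jdoe src=10.0.1.5 dst=FILESRV01 result=success
2019-03-04T10:03:40 user=jdoe src=10.0.1.5 dst=HR-DB result=success
2019-03-04T10:04:12 user=jdoe src=10.0.1.5 dst=RESEARCH01 result=success
2019-03-04T10:04:55 user=jdoe src=10.0.1.5 dst=TRADING-APP result=failure
2019-03-04T10:05:30 user=jdoe src=10.0.1.5 dst=BACKUP02 result=success
2019-03-04T14:20:00 user=asmith src=10.0.1.21 dst=MAIL result=success
"""

def parse_line(line):
    """Split one log line into a dict of its key=value fields plus a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def lateral_movement_candidates(log_text, max_hosts=3, window=timedelta(minutes=30)):
    """Return {user: sorted hosts} for users whose successful logons reach more
    than max_hosts distinct destinations inside any window of the given length.
    Failed attempts are ignored here; only actual access to a new system counts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] == "success":
            events[rec["user"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            hosts = {dst for ts, dst in evs[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

def retention_covers_dwell_time(retention_days, dwell_months=9):
    """True if logs kept for retention_days still exist when an intrusion with the
    dwell time the post cites (up to 9 months) is finally discovered.
    30 days per month is a simplification for the check."""
    return retention_days >= dwell_months * 30
```

Only the fan-out of one account across several systems is flagged; a normal user touching one or two hosts over the day stays quiet.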

Finally, the FBI was in agreement that social engineering continues to be the biggest risk facing the financial sector. As merger-and-acquisition activity picks up in the financial space, it can be very easy for a firm with strong controls on all of its systems to suddenly have a number of new and potentially insecure systems added to the mix. Cyber crime tends to be a crime of opportunity. A hacker only needs one way in, whether through an unpatched system or a phishing attempt that lets them right in the front door.
Want to make sure your firm is exam-ready? Ascendant can help. Our mock exams consist of interviews; document review; data inspection; compliance testing; and evaluation of policies and procedures; and are designed not only to highlight weaknesses but also to assist with enhancing compliance programs to ensure consistency with the SEC’s expectations. For more information, contact us today via email or at 860-435-2255.
