
The SEC Audit Process: A Survival Guide

Author: Julia D. Corelli


This article was originally published in Private Equity International’s The Private Equity CFO & COO Digest 2012. It is reprinted here with permission.

For CFOs, COOs and CCOs of registered advisers, an SEC exam is not one of the most favoured activities, but it is a fact of life and it is likely to happen at some point in the future. The best practice is to embrace it and use the looming spectre of the exam to make sure the house is in order at all times. Whether it is the person in charge of compliance (the CCO), a person assisting in that compliance effort (CFO or COO) or someone who just needs to do their job effectively to ensure the exam runs smoothly (everyone else at the firm), each should understand the exam process, the examiner’s likely goals and expectations, the resources needed and the costs involved.

This chapter describes the types of exams that the SEC conducts of registered private equity fund advisers, provides some guidelines to help firms prepare for an SEC exam, highlights the key stages of the exam process and discusses the specific role of the CFO, COO and CCO in that process.

Types of Examinations

SEC exams are designed to “improve compliance; prevent fraud; monitor risk; and inform regulatory policy.”[1] The exams are administered by the SEC’s Office of Compliance Inspections and Examinations (OCIE) and generally focus on the risks present at an adviser firm and how the firm protects against those risks. In some cases, the SEC’s belief that the risks are present leads to the examination. In many cases, however, the SEC is simply seeking to assess and obtain a general understanding of the firm’s compliance and internal control environment in order to determine the scope of the exam and the areas to be reviewed, and to identify any specific risks that require attention. According to the SEC, there are three types of exams:[2]

  • Examinations of higher risk advisers
  • Sweep exams and risk assessment reviews
  • ‘Cause’ exams triggered by tips, complaints and referrals (TCRs).

There are also routine exams (or ‘get to know you’ exams).

Examinations of Higher Risk Advisers

The SEC aims to examine higher risk advisers every three years. These exams may be preceded by a routine exam to determine whether an adviser is higher risk, or the examiner may rely on objective factors to categorise a firm as higher risk. These factors include whether the firm:

  • is of large enough size that non-compliance could adversely affect a significant number of investors (such as those with higher AUMs)
  • has compliance controls or supervision that appear to be weak, such as a poorly drafted ADV
  • has employees with disciplinary histories
  • is involved in activities with the potential for increased compliance risks
  • has an affiliated broker-dealer or has multiple affiliated businesses
  • was found to have severe or significant problems during its last examination.

To carry out a risk assessment of firms, the SEC uses a variety of sources including the ADV, prior examinations, Web sites, media reports and TCRs. The examiner typically focuses on areas known for non-compliance and which are therefore considered high risk. This can include conflicts of interest, valuation, portfolio management, performance (current and track record), advertising and asset verification. Not all will be applicable to every private equity fund but the SEC will use the preliminary process in the exam to determine which are most pertinent.

Sweep Exams

Sweep exams are used to review a compliance issue that the SEC considers a risk across multiple firms. For example, the SEC may have identified recurring areas of non-compliance or unaddressed deficiencies based on routine or risk-based exams or its own internal risk assessment process. The SEC has stated that it plans to issue a significantly greater number of risk alerts and sweep exam reports on a wide range of topics in order to assist senior management, risk management and compliance officers to better perform their functions in establishing, monitoring and updating critical risk management and compliance programs.[3]

Cause Exams

A cause exam may be triggered by an individual reporting a past, current or imminent securities law violation, by a media report or by the SEC’s own routine or risk-based exam which determines that there is cause for concern about compliance with the securities laws at an endemic level.

Where the examination is triggered by a tip, complaint or referral (TCR), the review process may initially be targeted at establishing the veracity of the reported issue. The answers to the initial questions will usually lead to further questions and potentially increase the scope of the review (either by extending the historical period examined or broadening the issues addressed, or both).

Cause exams can be especially worrisome to CCOs. In order to avoid them, the CCO may need to implement monitoring practices which might not ordinarily be considered compliance oversight. For example, since disgruntled investors and employees are always a potential source of complaints, the CCO should focus on how the firm's human resources (HR) department deals with firing employees and how investor relations (IR) personnel deal with an investor that expresses dissatisfaction.

For example, it is good practice to have a compliance policy that requires all potential non-compliance with the securities laws to be reported promptly (e.g., no more than three business days after first becoming aware of the non-compliance) and that requires every employee to certify on a regular basis that they are not aware of any non-compliance. This makes it difficult for the employee to report an infraction if and when their employment is terminated. In addition, it is also wise for the CCO (or their delegate) to conduct exit interviews with terminated employees, perhaps with the firm’s in-house or external counsel present. It is also beneficial to make severance payments conditional on the employee releasing any claims against or about the former employer and even certifying that they have no knowledge of non-compliance by the firm.

Routine Exams

Routine exams are less common than they once were, but they may still occur on a random basis and any firm may be subject to one. This exam does not mean that the SEC has any suspicion about the firm or that the firm has done anything to raise the SEC’s antennae about its compliance. Instead, these exams generally look at the structure of the firm and its managed funds, and the documentation it uses to offer fund interests to investors and to support the fund’s claimed track record.

The Exam Process

Initial Letter

Generally, the process begins when a firm receives an initial letter from the SEC. This is usually from the regional office of the SEC in which the adviser’s principal office is located. The letter does not state the reason for the exam and the fact that the firm is being subjected to an examination is not made public.

In the case of routine and higher risk exams, the letter often states that the SEC is “conducting a limited-scope examination … under Section 204 of the Investment Advisers Act of 1940” and is likely to request documentation from the firm, including, among others:

  • organizational diagram showing the adviser and all affiliates, ownership and control relationships and any recent changes of ownership
  • list of current employees, officers and directors, including their names, titles, areas of responsibility, employment start date, and whether they are considered an “access person” as defined by Rule 204A-1(e)(1) under the Advisers Act
  • copy of the most recent financial statements
  • list of the private funds advised, managed and/or sponsored by the adviser
  • copy of any offering documents for the private funds listed, including the performance statistics for the funds
  • a copy of the firm’s compliance manual and information about the firm’s assessment of its compliance risks
  • documents relating to the firm’s compliance testing and the results of any compliance reviews, quality control analyses, surveillance, and/or forensic or transactional tests performed by the firm
  • valuation of assets in which the firm’s advised funds have invested
  • correspondence involving investor or client complaints
  • the firm’s disaster recovery or business continuity plan.

The letter usually asks for these documents to be provided within two weeks, and the documents generally should cover a two-year period, e.g. any compliance manual in effect at any time during the referenced two-year period needs to be produced. The CCO is responsible for putting together the response to the request letter. Many CCOs prepare this response package well in advance of the SEC’s letter or knock on the door, using prior letters (given to others or published by consultants or attorneys) to guide them as to the SEC’s likely request. The letter will indicate the method for submitting the documentation (usually either email or CD, or by review onsite at the adviser’s office).

CCOs should look closely at, and question, the scope of the questions presented in the letter. If questions are unclear, the CCO should ask the examiner what is intended and what would help enhance the SEC’s understanding of their firm.

Similarly, sweep exams almost always commence with an SEC letter and the firm usually has one to three weeks to respond. The letter will not identify the risk targeted for review, nor will it reveal the other firms being reviewed for the same risk.

Sweep exam questions are targeted to the particular risk under review. There is less room to negotiate the requests, though timing of the response (for example, due to the burdensome volume of documentation) may be adjusted through discussion with the examiner.

In the case of cause exams, the examiner may appear unannounced on the adviser’s doorstep without sending an initial letter, which may indicate that a TCR has been lodged.

Interview and Document Review

After the initial letter, the SEC conducts an entrance interview with a member of the firm’s top management responsible for compliance. The interview allows the SEC to get to know your firm and formulate an initial impression of the depth of adherence to the compliance policies and procedures. It is best practice for the CCO and one additional senior manager to be present. In the interview, the examiner provides the firm with two documents: a brochure prepared by the OCIE describing the examination process and a copy of SEC Form 1661, which contains information on the Freedom of Information Act, the Privacy Act and other applicable laws. When conducting a study or other review that involves the adviser’s voluntary participation, a copy of SEC Form 1662 is provided.

The interview is followed by an on-site document review, though the SEC may take many documents back to their office and review them there. The document request list for a cause exam is usually more extensive, even if the interview is convincing that the utmost “culture of compliance” exists at the firm. For example, it is not uncommon to have up to ten request letters each with 10 to 30 questions seeking greater detail about the obligations and operations of the adviser firm and its affiliates.

Completion of Exam

After completion of the onsite interview and document review, examiners will either complete the examination back in their offices within 120 days or will notify the firm at or around the 120th day that it is reviewing the status of the examination and the expected completion time. Overall, the exam may last a few days, weeks or months depending on the nature and complexity of the adviser’s business, and the effectiveness of and adherence to its compliance policies and procedures.

Enforcement Referrals

If a serious problem is found, the SEC examiner may refer the issue to the staff of the Office of Enforcement for further action. The following criteria are among those used to make an enforcement referral:[4]

  • Does it appear that fraud has occurred?
  • Were investors harmed?
  • If the conduct does not include fraud, is it serious (ongoing, repetitive, systemic or severe)?
  • Did the firm make the SEC aware of the conduct and take meaningful corrective action?
  • Is the conduct of a type/degree that is most appropriate for the SEC to handle, rather than another regulator?
  • Is the activity in a particular area that the SEC wants to emphasize (emerging types of wrongdoing)?
  • Did the actor profit from the conduct?
  • Did the actor appear to act intentionally?
  • Is the conduct recidivist in nature?
  • Were the firm’s supervisory procedures inadequate?

Preparing for the Exam

Preparation for an examination well in advance of it starting is essential to a successful outcome. There are three fundamental pillars to a culture of compliance that begins with the ‘tone at the top’. The pillars are:

  • knowledge of, and a high degree of comfort with, the rules and regulations applicable to the firm
  • a focused compliance programme tailored through internal risk assessment which matches how the firm actually operates, and
  • a system of periodic self-scrutiny to ensure accurate and timely enforcement of, and adjustment to, policies and procedures.

Knowledge of the Legal Landscape

Retaining knowledgeable advisers and consultants is the first step to building this pillar. Making use of them is the second step. It is essential that the firm’s top management all understand the regulatory environment that they work in. This should encompass the entire group of C-level executives (CEO, CFO, COO or equivalent managing partners and managing directors), not just the CCO. The CCO should also expend considerable effort to ensure that all employees of the firm are aware of the legal landscape within which the firm operates.

Focused and Tailored Compliance Programme

Compliance manuals should be detailed and tailored to the adviser’s actual operations. ‘Store-bought’ compliance manuals are available but should be avoided, although they may be used as a starting point on which to build the actual compliance policies and procedures for the firm. All of the normal components of a compliance manual should be addressed. Even if an area may not seem to be currently applicable to your firm (for example, many firms believe insider trading risk is not applicable to them because they invest only in non-public securities) it may become applicable in the future (e.g., if a portfolio company goes public) or it may be applicable in indirect ways (e.g., a portfolio company is the target of an acquisition by a public company). It is, therefore, best to have the policy in place. The SEC expects every senior manager in the firm to be more than just familiar with the content of the compliance manual, to have read it, to understand it and to be in an active and open dialogue with the CCO with respect to it.

Typical Contents of a Compliance Manual

  • code of ethics
  • insider trading
  • gifts and entertainment
  • political and charitable contributions
  • positions in public office
  • outside business activities and prior employment
  • complaints
  • duty to supervise
  • custody and safeguarding of client assets
  • management of ERISA accounts
  • maintenance and review of compliance programme
  • investment decisions and portfolio management
  • valuation
  • advertising and marketing
  • disclosure documents and filings
  • proxy voting and class actions
  • anti-money laundering, privacy protection and prevention of identity theft
  • electronic communications
  • solicitation arrangements
  • interactions with third parties
  • business continuity and disaster recovery plan
  • maintenance of books and records
  • forms and templates.

Periodic Self-Scrutiny

The firm should operate every day as if the SEC exam were coming tomorrow and be in a constant state of preparedness. It is highly recommended that the firm undertake a mock audit annually, either by itself or with counsel or compliance consultants conducting it. Having an external representative conduct the mock audit – someone who is not the counsel or consultant that helped to draft the compliance manual – is also a good idea. If non-lawyers are used, it is important to be aware that the attorney-client privilege will not be available should anything be discovered that would benefit from the privilege.

Even without the mock audit, the CCO should be charged with, and the compliance manual should require that the CCO undertake, an annual update of the compliance manual. In addition to the obvious, such as updating the names of personnel, the CCO should also make sure the compliance manual can pass muster under Advisers Act Rule 206(4)-7.[5] The relentless self-scrutiny required for a strong compliance program is probably the most important habitual practice that is fundamental to the principles of protecting investor assets and facilitating the SEC’s task of preserving the integrity of the U.S. securities industry.

The CCO, CFO and COO Role in the Exam

Best practice in any exam is to have a centralised person in charge of all interaction with the SEC. This should be the CCO. However, if the SEC determines that the CCO is not someone who can tell those in charge at the firm to change their ways, then the CCO is likely to be viewed as ineffective, the firm viewed as lacking a culture of compliance, and a positive experience and outcome from the SEC’s exam will be more difficult to achieve. If the firm does not have a CCO, then the most senior level person in charge of compliance should interact with the SEC.

Where the CCO is in charge, however, he should not be expected to carry the burden himself. It is equally important for the CFO and/or COO to understand the regulatory landscape applicable to the firm and to coordinate responses to the SEC. Not only is this good business continuity planning (to deal with a sudden event that might take the CCO out of commission), but it is also good representation to the SEC. The attention of senior level people to the SEC’s concerns is critical to conveying that the firm adheres to a culture of compliance. The CFO, for example, often spends hours walking the examiner through the fund structures and explaining how fees and performance are calculated. The commitment and dedication of the CFO helps to lend a very positive tone to the exam process.

Deficiency Letters

The vast majority of examinations result in a deficiency letter. Even if the SEC issues a closing letter noting no deficiencies, that should not be viewed as a clean bill of health. It simply means exactly what it states, that there were no deficiencies noted in the examination. The deficiency letter will set forth the dates by which the SEC expects the adviser to correct the items noted.

Deficiency letters should be addressed immediately and with a high priority by the firm, with the firm’s response setting out how and when it plans to address each item.

If additional time is needed to complete the response, this should be requested in the firm’s response with an explanation for why extra time is required. The deficiency items noted in the final SEC letter will often ask for corrections to be resubmitted. After deficiency matters are corrected, the SEC may follow up with an additional visit to the firm, but is more likely to put the remediated matter in the adviser’s file.

Periodically, the SEC identifies key issues that have arisen regularly in examinations and publishes them in Risk Alerts.[6] In its February 2012 report, the OCIE announced that the focus of its examinations would include the following as priorities for investment companies and investment advisers, almost all of which apply to private equity firms:[7]

Complex entities: risks and practices associated with the SEC’s rapidly growing complex registrant population, including newly registered private fund advisers that may be unfamiliar with federal securities laws, firms with complex relationships in the private equity space.

Sales practice of new or risky products: the sale or recommendation of inappropriate investments by advisers. Particular areas of concern include the retailization of complex investments and smaller, niche-type products (structured products, reverse convertible bonds, alternative mutual funds, leveraged ETFs); portfolio management activities that may increase the risk of investor loss or harm; and valuation practices and any conflicts that exist in the pricing process.

Fund governance: practices or oversight weaknesses that may increase the risk of shareholder loss or harm, such as: directors failing to satisfy fiduciary duties and systemic compliance breaches and processing issues that may have a significant impact on fund investors.

Compliance, supervision, and risk management: the appropriateness of compliance programs and risk management processes relative to business operations to identify potential weaknesses that raise investor protection concerns, such as lack of oversight of outside business activities and weak compliance of remote locations, branch offices, and independent contractor representatives, and ineffective compliance and risk management with respect to complex investments and/or investment strategies.

Fraudulent activities/safety of assets: the identification of fraudulent, abusive and manipulative activities surrounding the safety of client assets.

Performance and advertising: performance characteristics and marketing practices that have been associated with an increased risk of misrepresentations and investor harm. For example, the use of solicitors to attract new clients, particularly when non-cash compensation is used by advisers.

The SEC will be looking for the adviser to be able to demonstrate, with documentary evidence written by the firm itself, that the firm has a high level of awareness of the potential for risk, that risks are identified and managed, that appropriate steps are taken to mitigate risks, and that infractions are addressed promptly and consistently. Inability to demonstrate any one of these items will undermine the firm’s credibility with the SEC and subject the firm to greater scrutiny. Not only should the firm have a detailed compliance manual that is not purchased ‘off-the-shelf’ (it should have one tailored to its particular business and internal structure), but it should revisit the accuracy of the policies and procedures set forth in the manual on a regular basis and amend and update it as necessary.


[1] Securities Exchange Commission Adviser Study. (January 2011). Study on Enhancing Investor Adviser Examinations – As Required by Section 914 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, see page 2, The Private Equity CFO & COO Digest 2012.

[2] ibid, see page 5, The Private Equity CFO & COO Digest 2012.

[3] “Examinations by the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations”, February 2012, (OCIE Report) www.sec.gov/about/offices/ocie/ocieoverview, see page 14, The Private Equity CFO & COO Digest 2012.

[4] “Frequently Asked Questions About SEC Examinations,” Speech by Lori Richards, Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission, before the SIFMA Compliance and Legal Division January General Luncheon Meetings, January 17, 2008 (Richards FAQ Speech) (www.sec.gov/news/speech/2008/spch001708lar.htm).

[5] Rule 206(4)-7 provides:

If you are an investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 (15 U.S.C. 80b–3), it shall be unlawful within the meaning of section 206 of the Act (15 U.S.C. 80b–6) for you to provide investment advice to clients unless you:

(a) Policies and procedures. Adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act;

(b) Annual review. Review, no less frequently than annually, the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation; and

(c) Chief compliance officer. Designate an individual (who is a supervised person) responsible for administering the policies and procedures that you adopt under paragraph (a) of this section.

[6] Compliance officers (any person, actually) may subscribe to receive Risk Alerts and other SEC communications by email by clicking the subscription box on the home page of the SEC’s Web site at www.sec.gov.

[7] OCIE Report, pages 31-33, The Private Equity CFO & COO Digest 2012.

Surviving the SEC Exam: Practical Guidelines

  • observe a professional tone and take the exam process seriously in all written and oral interactions with the SEC
  • gain an understanding of who is in charge on the examiner team and direct interactions to that person
  • respond immediately to the SEC to acknowledge receipt of the letter. Indicate that the CCO (or equivalent) will be the SEC’s point of contact with the firm. Ask whether the exam is routine, risk based or cause. If it is a cause exam, ensure your counsel is involved right away.
  • seek clarification of any requests that you do not understand well
  • make sure all senior level people are alerted to the audit and understand the importance of their availability for the exam process. Meet all other employees to explain the process and importance of the examination. If it is a routine or risk-based audit, explain that it is not for ‘cause’ and that these examinations occur frequently. Coach employees on how to respond to the SEC while in the firm’s offices; infuse the employees with the spirit of cooperation with the SEC.
  • remind employees of the protocols applicable within the firm for investor or press inquiries about the SEC examination. Therefore, if it becomes public knowledge that the firm is being examined, they will refer, for example, any press inquiry to the CCO to handle rather than attempt to handle it themselves.
  • script what the firm will say to investors that may learn about the examination and consider proactively whether an investor communication would be appropriate. This is not likely in a routine exam but is more relevant in cause exams.
  • give a presentation at the initial meeting with the SEC to introduce your firm to the examiners. This should include an overview of the firm and its organisational structure (who reports to whom), its compliance review process and the key internal controls designed to ensure compliance with applicable securities laws.
  • respond to requests promptly. If a partial response is given, explain which part the firm is responding to and when the final submission is expected to be made to answer the rest of the question.
  • take control of scheduling all meetings between the SEC and the firm’s personnel
  • sit in on (but don’t interfere with) interviews between the SEC and the firm’s personnel
  • make sure submissions are thorough, well organised and responsive to the request
  • promptly correct any miscommunications
  • keep a copy of the documents submitted together with the date and time of submission and retain an electronic copy in a dedicated locked file. Many CCOs like to date stamp the submissions to make recordkeeping and the ability to refer back to submitted documents easier.
  • determine the public nature of any documents submitted and assess whether requests for confidentiality should be made and if so whether they will be effective. Confer with legal counsel regarding protecting any sensitive information.
  • request an exit interview if the examiner does not offer it
  • begin correcting any deficiencies promptly, even during the course of the examination
  • confer with legal counsel regarding any deficiencies with which there is disagreement (before conveying the disagreement to the examiner).

Julia D. Corelli

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.
