New York Office: 1140 Avenue of the Americas, 9th Floor, New York, NY 10036 (212) 706-4029
THE IMPORTANCE OF RISK ASSESSMENT AND FORENSIC TESTING FOR INVESTMENT ADVISERS
By: SEC Compliance Consultants, Inc.
The National Examination Program (NEP) of the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) currently stresses a risk-based approach to examinations. NEP is committed to focusing its examinations on higher-risk registrants and/or selected higher-risk areas of a registrant's business. This will enable OCIE to manage its limited resources more effectively. In a February 2012 publication by the SEC titled "Examinations by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations,"[1] the SEC stated that the following factors would determine how the SEC will define the scope of an examination:
1. Examinations generally focus on risks presented by the registrant. In some examinations, the staff focuses on a particular risk or risks that led to the examination. In other examinations, the staff seeks to identify risks requiring attention, and also seeks to obtain a more general understanding of the entity's compliance and internal control environment.
2. In most cases, the staff considers the quality of the registrant's compliance systems and its internal control environment when determining the scope of the examination and the areas to be reviewed.
Risk assessment performed by the adviser itself is key in establishing (and proving) a quality compliance system and a solid internal control environment that may potentially limit the scope and duration of an SEC examination. The SEC would expect an adviser to have analyzed the risks of its business and adopted procedures and controls to mitigate such risks. In fact, a current inventory of risks identified by the adviser that forms the basis for its policies and procedures, including any changes made to the inventory and the dates of those changes, is routinely requested by the SEC in its document requests, and so is any written guidance that the adviser has provided to its employees regarding its risk assessment process and the process for creating policies and procedures to mitigate and manage compliance risks. The more thorough the process is, the more likely the SEC will see that the registrant is striving to be compliant.
[1] www.sec.gov/about/offices/ocie/ocieoverview.pdf
Understanding the Risk Assessment Process
The Relevance of Risk Assessment for Investment Advisors
Risk assessment is a phrase used to describe the process of identifying and estimating the exposure to real and potential risks. Forensic testing is colorful shorthand to refer to periodic tests used to evaluate the effectiveness of controls. Risk assessment and forensic testing are pillars for a sound compliance program. Risk assessment is arguably the most vital activity that Chief Compliance Officers (CCO) should oversee in the development of an adequate compliance program.
In adopting Investment Adviser Rule 206(4)-7 and Investment Company Rule 38-1, the "Compliance Rules," the Securities and Exchange Commission (SEC) stated that each adviser, in designing its policies and procedures, should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm's particular operations, and then design policies and procedures that address those risks.[2] The intention is for each advisor to create a customized compliance program based on a risk assessment that is appropriate given the nature and scope of the advisor's business. It is apparent that compliance expectations for investment advisors continue to escalate as the industry swells in terms of assets.
Risk Assessment Options
When determining how to approach risk assessment, an advisor should consider its size and the depth of its business. There are various theories and approaches with regard to risk assessment and management including, but not limited to, those enumerated in The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control Integrated Framework,[3] Enterprise Risk Management,[4] Key Risk Indicators,[5] and Statement on Auditing Standards (SAS) No. 109,[6] to name a few. Many financial firms rely on a variety of methodologies. However, there is not a one-size-fits-all solution; a publicly traded large institution may require a much more technical process than a typical investment advisor.
In the context of an advisor's compliance program, the rationale is to prevent, detect, and when necessary correct any areas where there may be violations. A violation is often the result of a risk event. When formulating a risk assessment process, there are several types of risks that an advisor should keep in mind; these risks can be classified by the potential consequence, such as: financial risk, informational risk, reputational risk, and regulatory risk. Some of these risks have more obvious implications than others; however, the less obvious ones can be just as severe.
[2] Compliance Programs of Investment Companies and Investment Advisers. Release No. IC-26299 and IA-2204 (December 17, 2003).
[3] http://www.coso.org/publications/executive_summary_integrated_framework.htm
[4] http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
[5] http://www.continuitycentral.com/BusinessSpecificKeyRiskIndicatorspartone.pdf and http://www.continuitycentral.com/BusinessSpecificKeyRiskIndicatorsPart2.pdf
[6] https://www.aicpa.org/download/members/div/auditstd/SAS109.PDF
The risk assessment process should be comprehensive, factoring in all relevant and potential risks. Aside from the benefits to an advisor's compliance program, conducting a risk assessment of your firm can add value by forcing an advisor to take new perspectives on operations, affiliations, relationships, and even outside industry practices. The desired outcome of every business decision should be to add value. When considering the risk of certain decisions versus the potential reward, advisors are not only considering the benefits presented to clients, but also shareholders of the entity itself.
A Team Effort
While the CCO should oversee or manage the process, an effective risk assessment cannot be carried out by one person alone, regardless of the size of the firm. Risk assessment requires insight into the essential functions within the firm and this is often only available through input from operational personnel. Operational expertise and various perspectives add value to the process. It is very important that supervisors buy into the risk assessment process, not only for the financial and reputational benefits but as part of the firm's culture of compliance.
Documentation Tools
Documenting the risk assessment process has two primary benefits. First, documentation is one of the hallmarks of an adequate compliance program. Evidencing the risk assessment process adds credibility and confidence to the compliance program. Secondly, documentation can serve as a tool to navigate the risk assessment process.
Risk assessments can be documented in various ways. A grid or matrix can be used to show the various areas of compliance, where each risk corresponds to controls. Lists or inventories are another alternative, but can presumably be less detailed and could tend to be too simplistic for many firms. Charts, graphs, and heat maps can be used and are often preferred as visual summaries. These tools can also communicate the results of the risk assessment to those parties that were not involved with the process, which makes them ideal for high-level reporting, such as to a firm's or fund's Boards of Directors.
A Practical Approach to Risk Assessment
Regardless of the theories an advisor wishes to incorporate and the personnel involved, the purpose of the risk assessment is five-fold and includes the following components: (1) identifying the potential regulatory and operational risks associated with the activities conducted within each area of the compliance program; (2) measuring those risks with a standard set of terms or metrics; (3) prioritizing any gaps associated with those risks; (4) formulating a timely action plan to manage the risk; and (5) monitoring those risks on an ongoing basis.
Identifying the Risks
Identifying risks is the initial phase in the risk assessment process. There are two major categories of risk that advisors should consider: risks inherent to the industry (such as soft dollars, performance marketing, direct debiting fees, and code of ethics) and business-specific risks (such as affiliations, business lines or products, and client profile). Risks can be efficiently identified through a four-step process as follows:
Step One - Start with the Compliance Rule. The adopting release for the Compliance Rule identifies certain areas that each advisor should address in its policies and procedures to the extent they are relevant. To initiate the risk identification process, the advisor can brainstorm some of the risks in these same areas by asking basic questions.
- Portfolio management processes: How are investment opportunities identified and allocated? How are client restrictions or mandates monitored?
- Trading practices: Are trades bunched or blocked for multiple clients? How are trades allocated? Are disclosures about trading practices accurate and understandable?
- Proprietary trading: Does the advisor allow personal trading in the same securities that are traded for client accounts? How are conflicts managed to ensure that clients' interests always come first?
- Accuracy of disclosures: Has the advisor adequately disclosed its business, affiliations and activities to clients? How often are disclosures reviewed and updated?
- Safeguarding of client assets: How are client assets protected from unauthorized access or transfer? If clients ever send checks directly to the advisor rather than the custodian, how is this handled?
- Books and Records: How are e-mails retained? How are books and records secured from unauthorized alteration or use and protected from untimely destruction?
- Marketing: Are marketing materials reviewed for misleading statements and applicable disclosures? How are solicitor arrangements documented, disclosed, and supervised?
- Valuation of client holdings and Advisory Fees: Does the advisor use the custodians to value client portfolios? Does the advisor fair value positions or over-ride third-party valuations? What valuations are used for the basis of advisory fees?
- Privacy: How is access to confidential client records controlled? How does the firm dispose of confidential information?
- Business continuity plans: How effective is the disaster recovery or business continuity plan? Does the firm have loss of key man/woman provisions?
Step Two - Review Form ADV Part 1 and Part 2A. Read through Form ADV Part 1 (IARD) as if you were evaluating the firm from an outsider's perspective (a potential client or a regulator). Where are the potential risks? For example, if your advisor has affiliated companies, potential related risks should be included in your risk assessment. Does the advisor recommend that clients purchase insurance through a related entity? Is the advisor receiving compensation? Disclosures regarding discretion, brokerage, solicitors, and affiliations are easy places to begin. While the disclosures in Part 2A of Form ADV may be narrative and specific, they generally involve inherent risks. Not only are Form ADV responses used to provide relevant, material information about a firm's operations, but the responses are also used by the SEC in order to create a risk profile for each firm.
Step Three - Walk through the major operational and regulatory areas of the firm. Which areas present more risk and what has not been identified yet? Is there a proper delineation of responsibility and oversight within the organization to prevent and deter unethical behavior? Brainstorm with operational-level personnel, leveraging the expertise and knowledge base of all staff. Be creative about the less obvious risks and create scenarios on how certain risks might manifest themselves.
Step Four - Industry Information. The advisor needs to stay current on the rules and regulations. Best practices and industry buzz can assist the advisor in knowing where to focus. The advisor can find guidance by looking to industry publications, SEC releases and speeches, and service provider knowledge bases. The adviser should also always monitor SEC pronouncements on perceived high-risk and focus areas and adjust its risk assessment process accordingly. Also, advisors should not overlook the value of using peers or competitors as a benchmark. Assess how they are approaching compliance risks and how their operations and business lines are evolving.
This identification process should yield a comprehensive inventory of relevant risks. Depending on the documentation tool used, an advisor may take this opportunity to drill down to link these risks to a procedure. It is also useful to link policies and procedures to applicable staff members who are responsible for executing the policies and supervising their effectiveness. It is beneficial to conduct interviews to ensure individuals take responsibility and memorialize that responsibility in writing.
Measuring the Risks Identified
At this stage, the advisor should measure the risks identified by considering their impact and probability (or likelihood) of a risk event in the absence of controls (these risks are often referred to as inherent risks). Likelihood represents the possibility that a given event will occur, while impact represents its effect should it occur. When evaluating impact, the advisor should look at the impact to clients or potential clients, the impact to disclosure, financial impact, impact to reputation, and regulatory impact. The advisor should also consider materiality when assessing impact.
Probability is the anticipated frequency of a risk event given the regularity of the activity or process that is associated with the risk. For example, the risk of incorrectly assessing quarterly advisory fees could occur on a quarterly basis. Adequate controls will decrease the probability. The measurement should provide a baseline for an advisor to assess how well its policies and procedures control or manage the inherent risk, i.e., decrease the probability or impact. Projecting and estimating these measurements should be based on the nature of the risk.
Estimates of risk likelihood and impact often are determined using data from past observable events and forensic testing. This helps to provide a more objective basis rather than entirely subjective estimates. Caution should be used when using past events to make predictions about the future, as factors influencing events may change over time. In addition, internally generated data based on an advisor's own experience may reflect subjective bias. Advisors may want to consider having an independent third party assist with the risk assessment or some other piece of the compliance program.
There are various methodologies that can be used to measure the impact and probability of risks, such as: Quantitative (1, 2, 3, 4, 5, etc.), Qualitative (low, medium, high), and Relative (average, below average, above average). Qualitative assessment techniques alone may be used for multiple reasons. For example, the results of qualitative assessments can capture subjective elements and be easily interpreted. Additionally, it may not make sense to quantify the risks when consistent data is not available. Quantitative techniques are typically associated with more complex risk assessments and are generally used in conjunction with qualitative assessments. Although an entity need not use common assessment techniques across all areas of its business, an advisor will find it advantageous to use a consistent process and attempt to simplify the process to the extent possible.
The following is an illustration of applying a methodology to risks associated with obtaining best execution. ABC firm identifies a potential risk in that execution is being done through an affiliated broker. Qualitatively, the firm opines that this is a significant risk because the firm could use an electronic communication network (or ECN), but chooses to use the affiliated broker for 90% of all transactions executed. The firm could be perceived as putting its own best interest ahead of its clients' best interest if the firm is not comparing execution alternatives and documenting its due diligence review. Quantitatively, the firm could use a 1-5 scale and rate this risk as a 5 or use algorithms to determine an estimated monetary measure. Alternatively, the firm could measure this risk in relative terms. If executing the majority of trades through an affiliated broker could present high regulatory, financial, and informational risk, the advisor may rate the risk simply as high or above average when compared to other potential risks.
Another alternative measurement approach may be to apply the performance measurements used by management in determining the extent to which objectives are being achieved. It may be useful to use the same unit of measure when considering the potential impact of a risk to the achievement of a specified objective. Management may assess how events correlate, where sequences of events combine and interact to create significantly different probabilities or impacts. While the impact of a single event might be slight, a sequence of events might have a more significant impact. Where potential events are not directly related, management assesses them individually; where risks are likely to occur within multiple business units, management may assess and group identified events into common categories. There is usually a range of possible results associated with a potential event, and management considers these potential results as a basis for developing a risk response.
Prioritizing the Risks Based on Measurements
Once an advisor has measured its inherent risks (that is, the impact and likelihood of a risk event in the absence of controls), it is time to create an action plan and prioritize the risks by first addressing the areas that have the greatest exposure in terms of their measurement. A practical technique for prioritizing risks is assessing how well existing controls address those risks. By evaluating the adequacy and effectiveness of controls, an advisor can gauge the amount of inherent risk that is not mitigated by existing controls, often referred to as residual risk. Revisiting the best execution example, the inherent risk is the risk that the firm could be obtaining better execution by using another unaffiliated broker to execute transactions.
However, if the advisor reviews transactions and compares them against market executions and finds that the transactions executed by the affiliated broker are generally better than those executed elsewhere, the advisor essentially has potentially reduced its risk. The control is the review and comparison of trades executed in the market versus those executed by the affiliated broker. Therefore, the residual risk is the instances in which the affiliated broker might not execute at a better price than another broker. Management should recognize that some level of residual risk might exist even after the application of controls. Areas with higher residual risks should receive a priority in an action plan. Just as risk can be measured in relative terms, priorities can be classified in relative terms (high, medium, and low) or in a timeline with target dates or timeframes. An action plan should call for the development or improvement of policies, procedures, and control activities to address these risk areas with the intent to mitigate the impact and/or probability of these risks occurring.
Managing the Risks
In executing the action plan, the advisor should take into account its risk tolerance and each risk's cost and relative benefit as a result of the activity that creates the risk. The advisor should identify controls that are expected to bring risk likelihood and impact within the advisor's risk tolerance. Controls may be implemented to avoid risk, reduce it, share it and, when appropriate, accept it.
For example, the advisor may determine that the risk related to potential conflicts or perceived conflicts associated with employees trading in their personal investment accounts is not worth accepting. That advisor could adopt a policy prohibiting personal trading. Another advisor may not want to be so prohibitive with employees. This second advisor may be willing to accept the potential risk that an employee trade could present a perceived conflict despite implementing policies and procedures intended to shield this risk. Such an arrangement would not only be a potential regulatory risk, but it could also be a potential concern to clients. The advisor may be willing to accept the risk taking into consideration that employees shouldn't be unduly constrained with regard to their personal finances as a result of their affiliation with the advisor.
Monitoring the Risks
Risk assessment, and the management of those risks, is not a one-day or a one-time project. Both should be viewed as an ongoing activity. An advisor's risk assessment should be revisited during the annual review of the compliance program. We advocate the annual review of the compliance program be conducted as a rolling review, include documented forensic testing, and tie back to the most recent risk assessment. As an advisor's business and applicable regulations change, the advisor's overall compliance program will need to evolve. Thus, an advisor should keep the risk assessment process evergreen by ensuring that it is relevant and reflective of the current operational and regulatory environment. The action plan itself should be periodically monitored and revisited.
Designing and Applying Realistic Forensic Tests
Forensic testing provides the best approach to monitoring risks and testing compliance functions. The SEC staff has stated repeatedly during the 2006 CCOutreach Seminars,[7] and in numerous speeches and articles, that advisors should conduct various types of forensic testing as part of their annual (and interim) reviews of their compliance program.
The term forensic testing is generally associated with technical sleuthing, such as linking evidence to criminal behavior as glamorized in popular television programs. However, the actual practice is far less intimidating or exciting. When the SEC references forensic testing, the agency is intending to reference the testing that advisors should be conducting of their compliance programs in order to identify areas where there are weaknesses.[8] This style of testing involves gathering operational data or information and analyzing it (either directly or through various manipulations) in order to draw conclusions with regard to certain compliance functions and controls.
If the concept still seems enigmatic, a good place to start for examples of forensic testing is the SEC Examination Request List. Not only will the request list give you a good idea of where you should be conducting forensic testing, but it will also offer some insight as to what the SEC will be doing when they visit you to conduct an examination.
[7] http://www.sec.gov/info/ccoutreach.htm
[8] http://www.sec.gov/info/cco/adviser_compliance_questions.htm
Examples of Types of Forensic Tests
Certain forensic tests are rather straightforward.
Example 1 - Advisory Fees: This can be accomplished by sampling and recalculating fees, trending instances of refunds, comparing advisory fee revenues from quarter to quarter, and cross-referencing advisory fee receivables with amounts collected from clients. If a CCO or his or her designee tests advisory fee calculations and finds that there are inaccuracies, it would be sensible to conclude that the risk of inaccurately assessing fees is not mitigated to an appropriate level and that the compliance program in this area is weak.
Example 2 - Reporting of Personal Trades: Likewise, if a CCO or his or her designee reviews reports submitted by access persons with regard to personal securities transaction requirements and finds that the reports are incomplete or late, it could be an indication of weak controls. If one particular employee or members in a particular department are consistently submitting insufficient reports, it could be an indication that risks within that department are not fully addressed. Additionally, analytical testing could include cross-referencing personal trading activities with client transactions (or pre-approval documentation) or comparing the profitability of employee transactions to client transactions. The results of these reviews indicate whether or not gaps remain in the compliance program, thus leaving exposure to certain risks identified and assessed.
Example 3 - Accurate Pricing: Why does the SEC request a list of client portfolio holdings as of certain dates? The SEC may use the holding reports to review for window dressing or for accurate pricing.
Many firms use exchange quotes and broker quotes to value their securities, but firms also should use multiple sources and cross-check them to ensure they are accurate. If a broker is used, the advisor should conduct due diligence on that broker by inquiring as to whether the broker is a market maker and whether the broker back-tests the prices. One approach to testing the dependability of security valuation is an acid test, where the selling price of the security in the open market is compared to the most recent pricing obtained for that security from the pricing service. As an illustration, if a security is priced at $50/share on the 30th of the prior month and the advisor executes a sale of the security in the open market on the following trading day for $35/share, in the absence of material market or company-specific developments or news, then an advisor should take additional steps to evaluate if pricing risks are adequately mitigated by using that particular pricing source.
Other areas of compliance testing can be considered a bit more onerous or technical. For example, the analysis of a trade blotter can produce a wealth of information if an advisor is willing to become comfortable with the breadth of data. It is not surprising that we find this to be an area where many firms fall short in their forensic testing. A CCO does not have to be a scientist to conduct these reviews, although a basic understanding of programs such as Excel or Access is helpful. Forensic testing of a firm's trade blotter should include searching for patterns that occur over time and that may violate the firm's internal controls or the law.
A typical SEC request list provided during an examination almost always asks for the advisor's transactions. The request generally takes the following format: Please provide the following fields of data: (a) trade date, (b) settle date, (c) type of transaction (buy, sell, etc.), (d) security name, (e) CUSIP, (f) ticker symbol, (g) quantity of shares or principal amount, (h) price, (i) total commissions, (j) commission per share, (k) accrued interest, (l) other fees, (m) net amount for client, (n) client name, (o) client account number or code, (p) name of executing broker-dealer, and (q) an indication if trade is stepped-out.
Why does the SEC request this information? There are multiple reasons, the most notable of which is that a trade blotter contains a vast amount of flexible data that can be manipulated to assess several different operational areas. There are a number of forensic tests that the SEC can perform with regard to the trade blotter. An advisor should perform these same tests internally. Here are a few tests that an advisor can conduct:
- Review transactions to detect any unreported agency or internal cross transactions. For example, review transactions where there are opposite sides of a transaction in a security on the same day, at the same price, through the same broker, and generally, but not necessarily, for the same number of shares.
- Review if any clients were consistently the buyer or seller in cross transactions and calculate the profitability of buys and sells to see if the firm is dumping securities into certain client accounts.
- Review the total commissions (and average commission rate) paid to each broker-dealer, the particular client accounts that generated such commissions, and note the average commission per share. This could indicate various issues such as undisclosed soft dollar arrangements and directed brokerage for client referrals.
- Review for patterns of short-term trading in client accounts. Ensure that this is consistent with client mandates, the client's desired level of risk, and the firm's trading philosophy as disclosed to clients.
- Review the allocation of IPOs and their profitability to determine if any clients were favored in IPO allocations.
- Review bunched transactions to ensure that clients included in the bunch received comparable prices and paid comparable transaction costs. Further, investigate any instance where certain accounts are consistently excluded from bunched transactions.
- Review transactions involving thinly traded securities to look for indications of market manipulation. Also, review transactions that could be large enough to move the market.
- Review portfolio turnover for indications of churning (or reverse churning) in client accounts.
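
The first three blotter tests listed above (same-day opposite-side matches, accounts that are always on one side of those matches, and commissions per broker) can be run as follows. This is an added example, not part of the original paper; the column names, the sample rows and the rule that a cross needs two different client accounts are assumptions made for illustration.

```python
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample blotter (not real trades). The columns are a subset of
# the request-list fields quoted above; the header names are assumptions.
SAMPLE_BLOTTER = """\
trade_date,type,cusip,quantity,price,total_commissions,client_account,broker
2006-10-03,BUY,000000AA1,1000,25.10,50.00,ACCT-01,Broker A
2006-10-03,SELL,000000AA1,1000,25.10,50.00,ACCT-02,Broker A
2006-10-03,BUY,000000BB2,500,40.00,10.00,ACCT-03,Broker B
2006-10-04,SELL,000000BB2,500,40.00,10.00,ACCT-01,Broker B
2006-11-14,BUY,000000CC3,2000,12.50,120.00,ACCT-01,Broker A
2006-11-14,SELL,000000CC3,1500,12.50,90.00,ACCT-02,Broker A
2006-12-01,BUY,000000AA1,300,26.00,6.00,ACCT-03,Broker B
2006-12-01,SELL,000000AA1,300,26.05,6.00,ACCT-02,Broker B
2006-12-01,BUY,000000DD4,100,10.00,2.00,ACCT-01,Broker B
2006-12-01,SELL,000000DD4,100,10.00,2.00,ACCT-01,Broker B
"""


def load_blotter(text):
    """Parse blotter CSV text into dicts with numeric fields converted."""
    trades = []
    for row in csv.DictReader(io.StringIO(text)):
        row["quantity"] = int(row["quantity"])
        row["price"] = Decimal(row["price"])  # Decimal avoids float rounding
        row["total_commissions"] = Decimal(row["total_commissions"])
        row["type"] = row["type"].strip().upper()
        trades.append(row)
    return trades


def find_possible_crosses(trades):
    """Pair buys and sells in the same security, on the same day, at the
    same price, through the same broker. Share counts may differ."""
    groups = defaultdict(lambda: {"BUY": [], "SELL": []})
    for t in trades:
        if t["type"] in ("BUY", "SELL"):
            key = (t["trade_date"], t["cusip"], t["price"], t["broker"])
            groups[key][t["type"]].append(t)
    pairs = []
    for key in sorted(groups):
        for buy in groups[key]["BUY"]:
            for sell in groups[key]["SELL"]:
                # Assumption: a cross needs two different client accounts.
                if buy["client_account"] == sell["client_account"]:
                    continue
                pairs.append({
                    "trade_date": key[0], "cusip": key[1],
                    "price": key[2], "broker": key[3],
                    "buyer": buy["client_account"],
                    "seller": sell["client_account"],
                    "same_quantity": buy["quantity"] == sell["quantity"],
                })
    return pairs


def one_sided_accounts(pairs, min_crosses=2):
    """Accounts that appear in at least min_crosses candidate crosses and
    were on the same side (always buyer or always seller) every time."""
    sides = defaultdict(Counter)
    for p in pairs:
        sides[p["buyer"]]["BUY"] += 1
        sides[p["seller"]]["SELL"] += 1
    flagged = {}
    for account, counts in sides.items():
        if sum(counts.values()) >= min_crosses and len(counts) == 1:
            flagged[account] = next(iter(counts))
    return flagged


def commission_per_share_by_broker(trades):
    """Return {broker: (total commissions, average commission per share)}."""
    totals = defaultdict(lambda: [Decimal("0"), 0])
    for t in trades:
        totals[t["broker"]][0] += t["total_commissions"]
        totals[t["broker"]][1] += t["quantity"]
    return {b: (c, c / s) for b, (c, s) in totals.items() if s}


if __name__ == "__main__":
    blotter = load_blotter(SAMPLE_BLOTTER)
    crosses = find_possible_crosses(blotter)
    for p in crosses:
        print("possible cross:", p)
    print("always on one side:", one_sided_accounts(crosses))
    for broker, (total, per_share) in commission_per_share_by_broker(blotter).items():
        print(broker, total, round(per_share, 4))
```

Each hit is a candidate for follow-up review and a documented conclusion, not a finding in itself.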
As with a risk assessment and other compliance-related activities, forensic tests should result in documented conclusions (e.g., no unreported cross transactions in Q4-2006). While there may be some apprehension for fear that documentation could create a roadmap for the SEC when they stop by for a visit, this documentation can demonstrate how the firm proactively addresses and follows up on compliance issues.
Capitalizing on Knowledge
Understanding the meaning of risk assessment and forensic testing, and realizing that both activities have practical and useful solutions, places an advisor in a position to get the most compliance mileage out of limited resources. A compliance program built on a thoughtful risk assessment and one that incorporates consistent forensic testing will provide an advisor confidence that it is satisfying regulatory expectations.
About SEC Compliance Consultants, Inc.
SEC Compliance Consultants, Inc. (SEC3) provides compliance consulting services to financial institutions globally, including hedge fund and private equity fund managers and other investment advisers, investment companies, broker-dealers and transfer agents. SEC3 can assist with regulatory compliance needs and bridge the gap between a firm's operations and current regulations. For details, please visit www.seccc.com or contact Janaya Moscony at 1-212-706-4029, ext. 214.