A Guide to SEC Audits

March 20, 2024

Benjamin Franklin famously said, “Nothing is certain but death and taxes.”


For RIAs, you can add one more certainty to that list: SEC audits. Some examiners pay a visit to a new RIA within the first year or so and regularly throughout its life. Regulators might also show up unannounced from time to time, looking to ensure compliance with a specific area of interest or responding to a complaint.

Most audits generally follow a similar process. First, you are notified of the audit by mail or phone, followed by a request for documentation. You’ll then meet with examiners, who review the documents they’ve requested.

From there, examiners will follow up with you with any additional questions, followed by a final report listing their findings and actions you must take, if any. The process can take anywhere from a few weeks to a few months or longer, depending on what examiners are looking for.

While stressful, understanding the types of audits, how they are conducted, and what they’ll look for can make audits far less disruptive. This guide provides an extensive overview of the audit process, and how to prepare your firm for when regulators come knocking at your door.

SEC Audit Types

There are three types of audits that the SEC conducts: routine, for-cause, and sweep examinations.

Routine inspections

The most common is the routine inspection, which is intended to be a comprehensive review for compliance with applicable laws and regulations.

A routine inspection also examines the processes a firm uses to ensure compliance and whether or not they’re making the necessary disclosures. Examiners compare their findings with what the firm listed in their Form ADV and look for discrepancies.

New RIAs may undergo a routine inspection, sometimes referred to as a welcome exam, within the first year or two of operation.

While most of the time a firm will receive advance notice of a routine inspection, the SEC does occasionally arrive unannounced. On average, RIAs can expect to undergo a routine inspection once every three to five years.

For-cause inspections

If the SEC has reason to believe a firm is not in compliance, a for-cause inspection may occur. A whistleblower or complaint often triggers these inspections and they can occur unannounced.

In most cases, these investigations are initially limited to a particular area or activity of the firm, such as improper client disclosures. However, should the SEC find evidence of more widespread non-compliance, these inspections can grow in scope.

Sweep or limited scope examinations

When state and federal level regulators want to ensure compliance with specific areas, such as advertising, custody, and so on, or investigate the need for further regulation, they obtain data through a sweep examination. While firms often receive some type of warning, these examinations can also occur with limited advance notice.

These initiatives are often conducted at multiple firms simultaneously (i.e., a ‘sweep’ of the industry). While limited in scope, firms targeted by sweep examinations should still expect to be asked to produce a significant amount of documentation.

Every firm will be the target of a routine inspection at some point, and many will also be the target of a sweep examination or a for-cause inspection. Regardless of the type, what you should expect from an SEC audit and how you should react is generally the same.

The basics of an RIA compliance examination

The SEC and state regulatory bodies have broad authority to conduct examinations and there are few limits on the type and amount of documentation they can demand. A firm or its employees cannot impede these efforts without a sound legal basis.

Any interactions with examiners should go through the Chief Compliance Officer. Given recent phishing attempts that impersonate regulators, firms should take care to validate that an examination is legitimate; if the inspection is conducted virtually, the CCO should contact the regulatory body directly to confirm the examiners’ credentials.

Examinations vary widely in length and may be scheduled or unannounced. Following an audit, it may be weeks, months, or even years before a final report is released while examiners study their findings. From time to time, examiners may need to conduct additional interviews or request follow-up information.


Following receipt of the examiners’ final report, RIAs will generally have 30 days to respond to any deficiencies. Once these deficiencies are addressed, or the RIA ‘passes’ the inspection, a closing letter is usually issued and the audit is concluded. Note, however, that anecdotally more firms are reporting that the SEC is keeping examinations open for extended periods of time and occasionally does not issue a formal close letter. Firms are encouraged to insist on a formal close letter for books and records purposes.

How to prepare your RIA for an audit

The threat of an SEC audit might intimidate new RIAs. However, as long as your firm and its employees are taking the necessary steps to stay in compliance daily, you’ll already have the information examiners are seeking and in the form they want it.

Maintain your books and records

SEC Rule 204-2 requires RIAs to retain copies of all advertisements and communications that they’ve published either directly or indirectly, along with information substantiating any performance information included in those communications.

Examples of what should be retained include:

  • E-mails
  • Social media posts
  • Revisions of information on your website

In addition, advisors should retain logs of any communications over other channels, as necessary. Given the recent enforcement actions related to failures to retain required communications, it is recommended that firms choose platforms that are able to retain multiple different types of communications, and ensure that employees restrict work communications to these recorded, firm-sponsored and approved channels.

Records that should be regularly maintained include all account statements that reflect all activity on client accounts and any worksheets used to calculate the return for these accounts.

Other examples of records you should actively maintain include, but are not limited to:

  • All marketing materials
  • Any product and performance related materials and calculations
  • Financial account records
  • Client investment advice and transactions
  • Records of client communications and recommendations made
  • Evidence of your authority to conduct business on behalf of the client
  • Registration and client disclosures
  • Records of votes cast on behalf of clients
  • Client custody ledgers
  • An up-to-date copy of your firm’s ethics code
  • Details of any programs used to attract referrals
  • Political contributions of the firm or staff
  • Details of any compliance issues, and steps taken to resolve them

Keeping good records won’t matter if there is no system to organize or efficiently retrieve them. Delays and issues in producing the information may trigger a deficiency notice for poor recordkeeping practices.

Implement a compliance program

SEC Rule 206(4)-7 requires that firms review the “effectiveness” and “adequacy” of their compliance policies at least once a year. Originally just a requirement that the review occurs, the rule was revised in November 2023 to make a written report of the findings mandatory.

This is likely not an issue for larger firms that already have substantial compliance programs, and likely a compliance officer that isn’t wearing multiple hats. However, for smaller firms, the new documentation requirements may require rethinking how you’re handling compliance.

The changes to Rule 206(4)-7 intentionally don’t specify a format or medium, so you’re free to use whatever works best for your firm.

In many cases, you might find that your records are spread out across several formats and locations. We recommend selecting a single location and using standard formats (PDF, etc.) to make retrieval easier.

Whoever the Chief Compliance Officer is, this person should conduct reviews no less than annually, and document the process and any actions taken to address deficiencies.

The CCO should also not assume that everyone understands compliance equally. Employees are typically educated about the requirements and mandates through delivery of the Code of Ethics and Compliance Manual, new-hire and ongoing mandatory training, and quarterly or annual employee certifications.

It’s also important to remember that SEC rules are meant to serve as a basis for compliance. A generic compliance program provides generic protection. Firms are expected to identify areas of risk specific to their business and take steps to tailor their compliance program accordingly.

While the SEC mandates an annual review, compliance experts recommend moving to a quarterly review instead. In theory, this should make annual reviews easier since problems (especially those appearing shortly after a review is completed) are caught much sooner.

And while CCOs are where the buck stops when it comes to compliance, creating a system where some tasks are delegated to other ‘lines of defense’ and to firm management is encouraged. CCOs generally don’t control the business and cannot be everywhere at once. Compliance should not be put in the position of supervising the business; instead, it is responsible for developing a regulatory framework, implementing that framework, and auditing to ensure that the business is following policies, procedures, and best practices.

Ensure that client fees are disclosed, and that the fee calculations are accurate

A clear and accurate record of all actions taken is key to ensuring compliance. This includes transactions, user actions, account changes, and more, and how they’re connected. In an audit, examiners are not only looking for what happened and when, but why.

The audit trail inside your billing system provides just this and makes it easier for you to produce a complete picture of your firm’s billing activities to regulators. If you’re using a finance-specific billing system, it is likely such a feature is included.

Envestnet’s BillFin provides a detailed audit trail that tracks all changes a firm’s team makes to client billing. This includes changes to householding (groupings of accounts that are billed together) and changes to the fee schedule assigned to clients and accounts. Tracking like this is critical for firms with multiple users since it helps them quickly determine who made a change and when it was made.

BillFin’s Billing Details report provides an up-to-date snapshot of every client’s billing setup, so users can quickly check that any client’s setup matches the billing expectations established in the advisor’s ADV. With the help of these reports, users and auditors can identify whether a billing setting is wrong and at which point it was changed (if within the last 6 months). In those instances, firms will be able to provide auditors with individual client invoices and an audit trail from BillFin.

If your billing system cannot generate detailed audit reports, it’s likely whatever other history the application provides will not be sufficient to comply with SEC regulations.

Run a mock audit

There is no need to walk into your first SEC audit unprepared. Independent compliance consultants have extensive experience in helping firms understand areas where examiners might find your firm out of compliance.

Typically, you’ll want the consultant to run the audit based on what examiners look for in a routine inspection. While there’s no guarantee that the consultant will find all the issues an examiner might have, your risk of serious deficiencies in an actual audit will be significantly less.

How to respond to the SEC

It’s important to remember three things about responding to an SEC inquiry: answer promptly, answer completely, and be truthful. Not all SEC communications will require a response; however, it is your responsibility to ensure you understand what regulators are asking you to do, whether or not they want to hear back from you.

If you don’t understand a request, ask for clarification. This can also shorten the length of an inspection, as the examiner doesn’t have to follow up to clarify their request. If you need more time to respond, such extra time should be requested early along with a reason for the delay.

Answering all questions completely is another important factor. Responses should be well supported by documentation, and the CCO should be prepared to defend those answers.

Lastly, be truthful and transparent. Falsifying records, cover-ups, or obstructing responses during an examination can only lead to materially heavier sanctions and enforcement than ‘owning up’ to deficiencies and gaps at the time of examination.

It’s also important to choose your words carefully. Promising a change in writing will trigger a future examiner to check if your firm made that change.

Good compliance is an ongoing effort

With the multitude of daily tasks already on an advisor’s plate, staying up to date on compliance can sometimes take a backseat. This isn’t an excuse to procrastinate. There are a wide range of books, courses, and online resources that can help your firm and its employees understand compliance and their role with minimal disruption to their daily workflow.

Here are a few suggestions to help your firm stay on top of compliance:

  • Areas where the SEC sees regular issues in audits are published as Risk Alerts. CCOs should regularly review these alerts, share relevant alerts with employees, and adjust the firm’s compliance practices as necessary
  • Another potential resource is the Practicing Law Institute. The PLI offers over two dozen publications covering important compliance topics
  • Keep a current book on compliance in the office at all times available for reference. It’s also important that any reference is relevant to your practice. A generic compliance manual won’t help in more complex situations
  • Compliance requirements evolve over time. The CCO should have a framework in place to continuously educate advisors and staff on current laws and best practices. Any RIA being audited will need to provide evidence of an active training and continuing education program

A word on legal help

Understanding SEC regulations is challenging and it’s tempting to reach out for legal help. However, you’ll want to ensure the attorney you’re speaking with specializes in administrative law.

Attorneys specializing in this area of law have a deeper understanding of the rules and policies of administrative agencies. As a result, they’ll also understand how they operate and can advise you on how regulations may apply to your firm. If you’re still not clear on what the SEC is asking for or how to comply with a request, an administrative law attorney is a great resource.

A word of caution, however: an attorney is not an excuse for ignorance of compliance regulations. As an RIA or IAR, you have a legal responsibility to know these regulations and follow them.

For RIAs, the inevitability of an SEC audit is less a threat and more a regulatory certainty. But for firms that are well-prepared, an audit can affirm the robustness of their compliance culture.

The granularity of preparation—meticulous record-keeping, comprehensive audit trails, proactive compliance programs, and regular internal reviews—can transform an SEC audit from a nightmarish ordeal into a demonstrable strength. Firms are encouraged to tailor their compliance programs to their unique risk profiles and to view the preparation for, and the handling of, SEC audits as an integral, continuous thread in the fabric of their operational integrity.

It’s about creating a system where compliance is not reactive, but built into the daily workings of the firm, ensuring readiness not only for the SEC but for the overarching goal of client trust and marketplace stability.

Billing platforms like BillFin help firms meet their compliance goals. To see how BillFin might be a good fit for your practice, request a demo or free trial.

The information, analysis and opinions expressed herein are for informational purposes only and do not necessarily reflect the views of Envestnet. These views reflect the judgment of the author as of the date of writing and are subject to change at any time without notice. Nothing contained in this piece is intended to constitute legal, tax, accounting, securities, or investment advice, nor an opinion regarding the appropriateness of any investment, nor a solicitation of any type.  Envestnet is not a law firm and as such, does not provide legal or regulatory advice or opinions to any party or client. You should always consult your relevant regulatory authorities or legal counsel as applicable.


FOR INVESTMENT PROFESSIONAL USE ONLY ©2024 Envestnet. All rights reserved.