SEC Examination Checklist for RIAs
An SEC examination is one of the most resource-intensive events an RIA will face. The average exam costs firms $50,000–$150,000 in staff time, outside counsel, and opportunity cost — and that's when it goes well. Firms that can't produce clean documentation quickly face extended examinations, deficiency letters, and in worst cases, enforcement actions.
This checklist covers what SEC examiners actually request, how to organize your evidence, the most common deficiencies firms get cited for, and how to stay exam-ready year-round instead of scrambling when the notification arrives.
1. Before the Exam: Ongoing Readiness
The firms that handle examinations well aren't the ones that prepare best when notified — they're the ones that maintain exam-ready evidence continuously. The SEC's exam philosophy has shifted from "show us your policies" to "show us your policies working."
Continuous compliance infrastructure
- Compliance manual is current and reflects actual firm practices (not boilerplate)
- Annual compliance review completed with written findings and remediation
- Code of Ethics attestations collected from all access persons (at hire + annually)
- Personal trading pre-clearance and quarterly transaction reports current
- All marketing materials reviewed and approved before publication, with records retained
- Client advisory agreements signed and on file for every relationship
- Fee billing reconciled against agreements — every quarter, every account
- Cybersecurity policies documented and tested (incident response, BCP, access controls)
- Vendor due diligence files maintained with current SOC reports
- Form ADV consistent between Part 1 and Part 2 (fees, services, custody, AUM)
2. When the Notification Arrives
The SEC sends a notification letter (sometimes called a "document request letter" or "initial request list") typically 1-2 weeks before examiners arrive. Some examinations begin with a phone call first.
Immediate actions (Day 1-2)
- Notify outside counsel immediately
- Identify the exam team lead and establish a communication channel
- Brief all staff — who can and cannot speak with examiners, and about what
- Assign one person as the document production coordinator
- Review the request list item by item — flag anything unclear for clarification
- Begin assembling documents (don't wait for clarification on ambiguous items)
- Check for any open compliance issues that need immediate remediation
- Prepare a physical or virtual workspace for the exam team
Key principle: Respond quickly and completely
Slow or incomplete document production is the single biggest factor in extending examinations. Examiners interpret delays as either disorganization or evasion. Firms that deliver clean, organized document packages within 3-5 days of the request consistently experience shorter, less adversarial examinations.
3. The Document Request: What They Ask For
While every examination is different, SEC document requests follow well-established patterns. Here's what examiners almost always request:
Organizational documents
- Form ADV Parts 1, 2A, 2B — current and most recent annual amendment
- Organizational chart
- List of all supervised persons and their registration status
- Partnership/operating agreement
- List of all related persons and affiliated entities
Client records
- Complete client list with AUM, fee schedules, and account types
- Sample advisory agreements (the SEC often requests specific client files)
- Fee billing records — invoices, calculations, custodian deduction confirmations
- Client correspondence samples (especially regarding fees, conflicts, performance)
- New account documentation for accounts opened in the exam period
Trading and portfolio
- Trade blotter for the examination period
- Best execution review documentation
- Trade error log and resolution records
- Soft dollar arrangements and disclosure
- Cross-trading documentation (if applicable)
Compliance program
- Written compliance policies and procedures (full manual)
- Annual compliance review report
- Code of Ethics — the document and all employee acknowledgments
- Personal trading reports (quarterly) and pre-clearance records
- Political contributions log (Pay-to-Play Rule 206(4)-5)
- Compliance training records
- Marketing review approvals for all materials used in the exam period
Cybersecurity and business continuity
- Written information security policy
- Business continuity plan (BCP) and most recent test results
- Incident response plan and any incident logs
- Vendor risk assessment for critical service providers
- Access control documentation — who has access to what systems
- Employee cybersecurity training records
4. Most Common Deficiencies
Based on SEC examination priority letters and published enforcement actions, these are the areas where RIAs most frequently receive deficiency findings:
Fee billing (most common)
- Billing more than the advisory agreement allows — missed breakpoints, household discounts not applied, accounts billed at wrong tier
- Inconsistency between ADV and actual fees — Form ADV says max 1.0%, but some accounts are billed 1.05%
- Inadequate fee billing oversight — no one independently verifies that billing calculations are correct
Compliance program
- Policies not followed — the manual says quarterly reviews happen, but there's no evidence they did
- Annual review deficient — completed as a checkbox exercise without substantive testing
- Code of Ethics violations — personal trading not pre-cleared, quarterly reports missing
Marketing Rule (new since 2022)
- Performance advertising without required disclosures
- Testimonials/endorsements without proper compliance
- Social media posts not reviewed and archived
Cybersecurity (increasing scrutiny)
- No written cybersecurity policy — or policy that doesn't match actual controls
- Lack of multi-factor authentication on client-facing systems
- No evidence of regular security assessments
Books and records
- Missing or incomplete records — especially for client communications and trade documentation
- Off-channel communications — business conducted via text/personal email without capture
5. During the Examination
- Designate one point person for all examiner requests
- Respond to follow-up requests within 24 hours when possible
- Answer exactly what's asked — don't volunteer additional information
- If you don't know, say so. Don't guess.
- Keep a log of every document provided, every question asked, every conversation
- Have counsel review any substantive written responses before sending
- If examiners request employee interviews, prep employees with counsel
- Don't destroy, alter, or withhold any documents
6. After the Examination
If you receive a deficiency letter
- Respond within 30 days (or the specified deadline)
- For each deficiency: acknowledge, explain remediation, provide timeline
- Implement remediation immediately — don't wait for the response deadline
- Document all remediation steps with evidence
- Consider whether the deficiency reveals a systemic issue requiring broader review
Post-exam improvements
- Debrief internally — what took too long to produce? What was hard to find?
- Fix the documentation gaps that caused delays
- Update your compliance calendar based on what examiners focused on
- Consider whether any processes should be automated to prevent future gaps
Frequently Asked Questions
How often does the SEC examine RIAs?
The SEC examines approximately 15-20% of registered investment advisors each year. Firms with higher AUM, prior deficiencies, or client complaints are examined more frequently. First-year registrants are almost always examined within 12-18 months.
What documents does the SEC request during an RIA examination?
SEC examiners typically request Form ADV (Parts 1 and 2), client advisory agreements, fee billing records, trade blotters, compliance manuals, marketing materials, cybersecurity policies, code of ethics records, personal trading logs, and client communications samples. The specific list varies based on the examination's focus areas.
How long does an SEC examination take?
A typical SEC examination takes 2-6 weeks from the initial document request to the exit interview. Complex examinations involving potential enforcement actions can extend several months. Firms that respond quickly to document requests typically experience shorter examinations.
What are the most common SEC examination deficiencies for RIAs?
The most common deficiencies include: inadequate compliance policies, fee billing errors (overcharging clients), incomplete books and records, Marketing Rule violations, insufficient cybersecurity controls, undisclosed conflicts of interest, and failure to follow the firm's own stated policies.
Can I refuse to provide documents to SEC examiners?
No. Under the Investment Advisers Act, registered advisors are required to make their books and records available for SEC examination. Refusal or obstruction can result in enforcement action independent of any underlying violations.
What happens if the SEC finds a violation?
Most examinations result in a deficiency letter, which requires the firm to remediate issues and respond in writing. More serious violations may be referred to the Division of Enforcement, which can result in sanctions, fines, or registration revocation. Self-reporting and prompt remediation are viewed favorably.