Brooke’s note: When we started RIABiz, we hoped to write stories that not only provide news but really go to the front lines of an advisor’s life. This day that Elizabeth spent last week with an auditor brings you into the action. It was a labor of love. Elizabeth lives in Alexandria, Va., and the audit took place down near Richmond, Va., about a two-and-a-half-hour drive away, and even mock audits last for hours.

The young auditor sits across the conference table from the slightly careworn advisor, who has pulled out a compliance binder, his advertising materials, and a stack of green client files now spread across the conference room table.

“Your e-mail storage system is not compliant,” says the auditor. “They are going to ask to see all of your e-mails.”

The advisor, Bob Hines, a 46-year-old lawyer with a state-registered financial planning practice, stammers and says he’d rather forgo e-mail altogether than give up every e-mail from his legal and planning practices.

“They can’t have them,” Hines says defiantly, mentioning attorney-client privilege.

Flustered

“This is exactly how an auditor wants him: flustered,” Hovig Melkonian says as an aside to me, sitting at the end of the table, scribbling in my notebook.

We’re in the midst of a mock audit of Hines’ financial planning practice in Colonial Heights, Va. Melkonian is not a real auditor, but a consultant for Lexington Compliance, a new compliance practice started by Manhattan-based set-up firm RIA IN A BOX. The company allowed me to sit in on a mock audit to see what they are like; Hines agreed, too – probably because he has a small practice and as a lawyer he is a meticulous record-keeper.

Even so, Melkonian found issues, including the e-mail storage problem. (RIAs should keep every e-mail about advisory issues.)

That’s the problem with compliance issues: even the most saintly, non-Madoff-type advisor probably has them. And because of Madoff, those issues, minor and major, are probably more likely to be found.

The SEC has been bulking up the compliance and inspections staff that oversees mutual funds and RIAs, from 425 in 2008 to 454 in 2010, according to its budget. The agency recently hired a new director of compliance, Carlo V. di Florio, whose mandate is to “revitalize” SEC compliance.

State regulators, too, are building up their enforcement regimes.

High-risk category

So what’s an advisor to do? I don’t want to blindly recommend mock audits – indeed, consultants say they are most useful for RIAs that are fairly large (with more than $300 million in AUM), fall into the SEC’s high-risk category, or are required by an affiliated broker-dealer to have one.

But I learned a lot from watching this mock audit, both about what the SEC and states look for – and about how a mock audit can help an advisor have some feeling of psychic preparation for a state or SEC audit. Just as there are certain investors who ought to keep 90% of their assets principal-protected, there are some advisors, even small ones, who would probably be better off spending the $1,500 to $7,000 for a mock audit.

“I always find something wrong,” says Ara Jabrayan, compliance consultant with National Compliance Services of Delray Beach, Fla. “Sometimes it’s nitpicky, sometimes it’s not.”

Melkonian says 30-40% of RIA IN A BOX’s 750-plus clients want mock audits.

At Hines’ audit, Melkonian began by giving Hines a list of items the Virginia auditors would ask for. The list was 30 items long.

Melkonian went into excruciating detail, asking about Hines’ web site address (he doesn’t have one), matching his compliance forms to his ADV forms, looking for the handwritten notes and date notations on compliance documents that indicate Hines embraces a “culture of compliance.”

He noted that the fee range in the ADV didn’t match what was recorded in the compliance files.

Deficiency

“That would be a deficiency,” he says.

SEC and state auditors typically send advisors letters with their deficiencies listed, and give them a chance to patch up the holes. Some deficiencies result in fines of tens of thousands of dollars: most often, the deficiencies with fines attached have to do with fees, such as when an advisor withdraws money from an account without permission or makes a mistake on an amount, according to Melkonian.

“I’ve seen a deficiency for a penny,” Melkonian says.

As the audit stretches into the third hour (they can last for as many as three days, but this is only a mock audit and thus will be over in about four hours), Melkonian begins to look at client files. The tricky thing here is documenting all communication. That’s where Hines’ e-mail storage system fell down on the job.

Melkonian advises simply using Outlook to save and file e-mails. But, he says, the solution doesn’t have to be perfect. If an auditor happened into Hines’ office tomorrow, Melkonian told him, he could explain a few steps he’d taken, such as asking an Internet service provider not to delete e-mails, and explain that he’s still working on a better solution.

Common problem

Documenting all client communications is a common problem found by compliance consultants. Among the others that Melkonian listed were:

• Failing to maintain appropriate books and records

• Fee structure or calculated fees not matching documentation

• Misrepresenting returns or guaranteeing returns

• Unsuitable investments or strategies in relationship to customer needs

• Advertising. Hines had two advertising pieces in his file: a newsletter that he puts out, and a book he wrote a few years ago. Some advisors have much more – and walk a much finer line

• Supervision of recordkeeping practices

Aside from the minor glitch of e-mail storage, Hines’ audit was clean, Melkonian said. His client files were well-ordered; his simple practice lends itself to ease of record keeping.

Drawers lock

On a walkaround tour of the office, Melkonian found nothing amiss: Hines’ desk drawers lock, but he keeps client files at his home, anyway, in a locked filing cabinet there. The office doesn’t even have a shredding company.

If it did, one of the SEC’s requirements is that the shredding company be given a copy of the RIA’s privacy policy.

If you’ve been through an audit, do you have any advice for your fellow RIAs?