How to Prepare for your next Regulatory Audit

By TechSavvyIT


According to the experts at mindSHIFT Technologies (www.mindshift.com), being the target of an SEC audit can be a stressful experience, even for investment firms with impeccable track records. Do you have the systems and resources in place to avoid potential negative outcomes, such as a deficiency letter or sanction? During an examination, you must be able to demonstrate compliance across all of your firm’s electronic communications, including your messaging applications. A few straightforward, proactive strategies will set the stage for a successful examination, audit, inquiry, or discovery, minimizing stress, decreasing the amount of time spent, and limiting your organization’s exposure as much as possible.

Instructions

Difficulty: Moderately Easy

1. Be prepared to show a search performed against your email and instant message archive.

Most NASD and SEC examinations include a request to show how email and instant messages (IMs) are surveilled, who reviews them, what percentage is reviewed, whether a lexicon is used, and how often surveillance is performed. A web-based demonstration of how the review is set up, plus a few reports showing frequency and configuration, usually suffice.

2. Make sure you can produce requested information in a timely fashion.

One of the biggest problems many companies have is their inability to demonstrate quick access to archived data. If archived data is on a tape and must be restored prior to access, or if it spans several CDs/DVDs, it can take a long time for requested data to be accessed. This may not seem like a big problem, but an examination or inquiry is usually stressful, with several other requests being made simultaneously across multiple departments. If one request takes a lot of time, it may be put on the back burner and eventually become a “failure to comply” situation.

3. Make sure you have the resources, either internal staff or consultants, to help with data production requests and to show the examiner or auditor how you meet surveillance and archive requirements.

If you have 50 or more requests in an examination, it helps to have several people working in conjunction with each other to meet every audit point. Very few compliance teams at smaller firms have the manpower to handle all aspects of an examination or inquiry without help. If you use consultants or managed services companies, make sure they have experienced staff available who can help you during a stressful examination period.


4. Be prepared to produce specific emails and instant messages which are over two years old, with certain words in the subject or message body, sent to or from an employee or external address.

If data has been stored on tapes or CDs/DVDs, it is difficult to locate specific messages. Having both legacy data and new data available online and indexed (easily searchable through a search-engine-style interface) makes this process quick, easy, and stress-free, while minimizing any exposure you might face by over-producing. Freeing staff from tasks such as data restoration and searching with rudimentary tools will save your firm time and money.

5. Make sure you can “pass” SEC 17a-4 in its entirety by being able to provide information on your designated third-party (D3P) download provider.

Do you know that all data required to be stored under SEC 17a-3 must be stored in a way that complies with SEC 17a-4? Among the requirements are two copies on non-erasable, non-rewritable media AND a designated third-party download provider who has access to this data and can download it. Many firms are finding out the hard way that the SEC is serious about compliance on this point.

6. Be certain that your data is stored on non-erasable, non-rewritable, or write-once-read-many (WORM) media.

Even if you are not required to comply with SEC 17a-4, the safest way to store your data is on non-erasable, non-rewritable media, with a second copy in a separate data center. Given the Investment Advisers Act of 1940, the new Federal Rules of Civil Procedure, and other industry best practices, it makes sense to leverage this technology to protect and store your critical information.

Tips & Warnings

7. Ensure that all emails are stored with a full accounting of who they were sent to, including Bcc recipients and all members of any distribution list, as of the time the message was sent.

Several messaging and archive systems do not retain Bcc recipient information or record the individual email addresses that made up a distribution list at the time the message was sent. If this is the case with your system, your firm could face problems later when trying to prove who was or was not sent a message. The problem is compounded when private or local distribution lists/mailing groups are used: the list membership is stored on an individual user’s computer rather than centrally, so it becomes almost impossible to determine beyond doubt to whom a message was actually sent.

8. Prohibit the use of public email systems to conduct business.

Because of several “holes” in the capture and archiving of messages that pass through public email systems (such as Hotmail, AOL, and Yahoo!), most firms block access to these websites with technology, policy, or both. If a message was sent by one of your firm’s employees through one of these systems and was not captured in your firm’s archive, but is later produced by the recipient or the recipient’s firm, the consequences for your firm could be serious.

9. Either block the use of public instant messaging systems or, if you allow them, make sure you have the technology and policies in place to control the use of this technology.

One of the most widely used and hardest to control communication technologies is instant messaging. If you allow public instant messaging, make sure you have technology in place to capture and archive it, and that your employees know when they can and cannot use these systems. If your public IM capture solution works in the office but not on the road, make sure your employees do not use IM when traveling. It is also important that they do not conduct business under several different screen names. If you decide to block this technology, make sure you have both the technical controls and the policy in place to do so.

10. Consider an enterprise-class instant messaging system for greater control, compliance, and security.

Recently, mainstream vendors such as Microsoft, IBM, and Jabber have released enterprise-class instant messaging technology that ties into your firm’s identity management/directory system, logs all messages regardless of where the end user is located, and enables enhanced security such as anti-virus and anti-SPIM (SPIM being spam that targets users of instant messaging services).

Conclusion

A successful examination or audit depends on positive results on numerous tests (tens to hundreds, depending on your business and your examiner). With proper planning, resources, and systems, your messaging archive, surveillance, discovery, and protection should prevent a negative outcome such as a deficiency letter or sanction.

About mindSHIFT Technologies, Inc.

With operations in Boston, New York, Philadelphia, and Washington D.C., mindSHIFT is a leading Managed Services Provider (MSP) offering managed IT services, software-as-a-service (SaaS), VoIP, compliance, and professional services to small and medium-sized organizations. The company’s portfolio of managed services provides a comprehensive solution that includes such critical services as email management and administration, electronic backup for servers and desktops, virus and spam protection, desktop support, and server management, either at the customers’ premises or completely off-site. Managed services customers are supported by both a 24-hour Network Operations Center for proactive management support and a call center that diagnoses and resolves all end-user desktop issues. For advanced and larger businesses, the company provides business application migrations, storage area network upgrades, and complex hosting applications. Additionally, mindSHIFT has superior expertise and experience in meeting the compliance requirements of financial services firms, as well as the complex demands of the legal community for the integration of applications such as document management. For additional information, visit www.mindSHIFT.com.

Copyright © 2007 by mindSHIFT Technologies, Inc. All rights reserved. mindSHIFT Technologies is a registered trademark of mindSHIFT Technologies, Inc. All other names are trademarks of their respective companies.
