Regulated securities firms need to take significant actions to ensure that their company is complying with the legal requirements set out by regulations promulgated by the U.S. Securities and Exchange Commission (SEC) and the federal securities laws that it enforces, including the Securities Exchange Act, the Investment Company Act, the Investment Advisers Act, and the Securities Act. Chief among those actions is to conduct internal audits of any compliance mechanisms that the firm has adopted. Those audits should act as compliance inspections to check to make sure that the compliance protocol is being followed correctly and that it still works to insulate the company from liability.

Conducting those audits, however, is not easy. Doing them well is even more difficult. Here are four things that Dr. Nick Oberheiden, founding partner of the national law firm Oberheiden P.C. and an SEC-compliance lawyer who has represented numerous securities firms in the past, thinks that securities professionals should know about the process.

1. Some Internal Auditors Can File Whistleblower Claims, So Be Careful Who You Hire

One of the most important things that securities firm executives and stakeholders need to know about internal Securities and Exchange Commission compliance auditing is that, generally, internal auditors cannot benefit from filing a whistleblower claim, and so have little to gain from taking this action that would effectively end their auditing career.

However, to the surprise of many securities professionals, broker dealers and firms, there are exceptions to this rule.

Knowing these exceptions is crucial. Internal auditors dig into data that can uncover securities fraud or other financial misconduct that could potentially expose the firm to legal liability. That is the job of the auditor. The fact that some auditors could, in some cases, potentially use the very information that they find in the course of their job to call in the SEC (Securities and Exchange Commission) and financially benefit from blowing the whistle can be shocking.

The times when your internal SEC compliance auditor can blow the whistle on the very firm they are auditing are limited, though. Under Section 21F-4(b)(4)(v) of the Securities and Exchange Act (codified at 17 C.F.R. § 240.21F-4), an auditor can become a whistleblower if:

1. There is a reasonable basis for the auditor to believe that disclosing the information is necessary to prevent the securities firm from doing something that would cause substantial injury to the firm or to investors,
2. The auditor has a reasonable basis to believe that the securities firm is impeding an investigation of the misconduct discovered, or
3. At least 120 days have passed since the auditor provided the information, usually in the form of the final audit report.

As Dr. Nick Oberheiden tells clients, “Most securities firm executives will look at these exceptions and think that they have nothing to worry about. Unfortunately, they should also remember that SEC compliance audits often uncover information that high-level stakeholders had no idea existed. Make sure you hire an auditing team that you can trust to keep the audit internal.”

2. Take Prompt Action on Information in the Final Audit Report

It is always a wise move to take prompt action on the final report from the audit. If it describes compliance issues like weakness or failure, it is in your firm’s interest to patch the holes quickly before potential liability becomes actualized. If the audit finds an inefficient system of policies and procedures in your firm that is costing you money, it is in your interest to make the changes necessary to rectify the problems.

However, the fact that internal auditors can take their incriminating findings to the SEC (Securities and Exchange Commission) if they are not acted on within 120 days is another incentive to act quickly. It can ensure that the information in the audit report does not get out.

3. Auditing and Compliance Should Be Distinct from Each Other

Many securities firms and investment advisers that have compliance teams on board lean towards using those compliance officers to conduct internal audits. This practice, however, is unwise for several reasons.

From a fundamental level, auditors benefit significantly when they approach the compliance structure with a fresh eye. It helps them see the compliance protocols without bias or an attachment to how it was put together – either of which can color the auditor’s view of the existing compliance mechanisms in ways that keep them from finding problems with it. In short, outside compliance auditors are far more likely to catch problems than internal auditors with a connection to the company or, worse, with a connection to the compliance protocols that are in place and getting audited.

Secondly, outside compliance auditors are professionals in what they do. It is very unlikely for a securities firm’s internal team to have the level of experience and expertise that outside consultants can bring to the table.

Thirdly, and perhaps most importantly, the SEC itself has stressed the need to keep auditing and compliance separated. This is in line with recommendations from the International Organization of Securities Commissions (IOSCO), and is intended to make sure that any auditing of a product of the compliance team is done by an independent reviewer.

4. Compliance Evolves

Finally, it is critical to remember that compliance requirements evolve when conducting an internal audit of your security firm’s compliance protocols. The SEC and other securities-regulating agencies, like the Financial Industry Regulatory Authority (FINRA) are still struggling to keep up with novel developments in the securities industry, like cryptocurrencies and blockchain technologies. Those efforts of the Financial Industry Regulatory Authority to stay abreast of these new ways of investing in securities instruments can have unforeseen outcomes: The changes that these agencies make to regulate new means of investing can alter the compliance requirements that have been imposed on the old.

The professionals who conduct an internal SEC compliance audit need to keep this in mind as they plan and execute the audit. Changes made throughout the wide body of securities law in the time since the last audit may have altered the compliance demands that are about to be inspected. What used to be sufficient may no longer be adequate, and can be exposing your securities firm to serious legal liability. Auditors need to be aware of that.