
The examination notice arrives and the first call the CCO makes is usually to their compliance consultant. The second call, more often than not, is to whoever manages the shared drive.
What follows is a familiar pattern for anyone who’s guided a firm through SEC exam preparation. The documents that should be immediately producible aren’t. The ones that exist are scattered across systems that were never designed to talk to each other. The ones that don’t exist, or exist in a form that won’t survive scrutiny, require a conversation about how to handle the gap. And all of it happens against a clock, with an examiner waiting on the other end.
The scramble isn’t random. It happens at the same places, for the same reasons, across firms of different sizes and different compliance budgets. Understanding where the predictable failures are is what separates exam preparation that’s genuinely proactive from exam preparation that just starts a few weeks earlier.
The Initial Document Request and Why It Lands Hard
The SEC’s Division of Examinations publishes its examination priorities annually, and most compliance consultants track them closely. What’s less discussed is the structure of the initial document request itself, the list of records examiners ask for at the start of an examination before they’ve identified any specific areas of focus.
That list is broader than most firms expect the first time they see it. Marketing materials and the performance documentation that supports them. Code of ethics records, employee acknowledgments, access person reports, personal trading logs. Trade blotters and order records. Compliance policies and written supervisory procedures, along with evidence of the most recent annual review. Exception logs. Cybersecurity incident reports. Vendor oversight documentation.
Each of these is a discrete record-keeping system. Each one was probably built at a different time, by a different person, using whatever tools were available when the need first arose. The initial document request treats them as a unified compliance program. Most firms discover in the process of responding that they aren’t.
Marketing Materials: The Most Consistently Incomplete Category
The Marketing Rule has been fully enforced since 2024. Most RIAs know this. The compliance review process is in place. Content is being reviewed before it goes out.
What’s missing, in the majority of firms a compliance consultant walks into, is the audit trail.
The review happened. It happened over email, or in a conversation in the hallway, or through a comment on a shared Google Doc. There’s no timestamped record attached to the piece of content itself showing who reviewed it, what version was reviewed, when the review occurred, and what the outcome was. The content is compliant. The documentation of the review isn’t.
The specific documents that generate the most scramble in this category: testimonials and endorsements posted to the firm’s website or social platforms, particularly ones that went up in the early days of the Marketing Rule when the review process was still being established. Third-party ratings and reviews on platforms the firm didn’t solicit but didn’t remove. Older blog posts and video content that was produced before the current review workflow existed and has never been retroactively reviewed and documented.
The examiner’s question isn’t whether the firm has a marketing review process. It’s whether the firm can produce a complete log, by content piece, with dates, versions, and reviewer attribution, for every advertisement published in the relevant period. For most firms, assembling that log is the single most time-consuming part of exam preparation.
Code of Ethics Records: The Completion Rate Problem
Annual code of ethics attestations exist at almost every firm. The completion rate is usually high: 90 percent, 95 percent, sometimes higher. The problem is the documentation behind the rate.
The attestation cycle runs through email or a PDF form. The CCO tracks completions on a spreadsheet. By the time the exam arrives, the spreadsheet has gone through multiple versions as people completed the cycle at different times, follow-ups went out to stragglers, and the original tracking document accumulated edits from more than one person. The final version shows everyone completed the attestation. The metadata tells a different story: modified dates, multiple editors, and gaps between when the cycle closed and when the last names were added.
The secondary problem in this category is access person reporting. Employees with access to client portfolio information are required to report personal securities holdings and transactions. Most firms have a process. The process generates paper (brokerage statements, transaction reports, or platform exports) that gets filed somewhere. When the examiner asks for the access person reports for the last 24 months, “somewhere” becomes a project.
What generates the scramble specifically: employees who joined or left mid-cycle and whose records are incomplete. Outside brokerage accounts that were disclosed late or amended after the original submission. The gap between what the written supervisory procedures describe as the access person reporting process and what the actual process looks like in practice.
Written Supervisory Procedures: The Version Problem
Every RIA has written supervisory procedures. Most of them are out of date.
Not dramatically; the core policies are usually current. The specific gaps tend to be in the sections that govern activities that changed in the last 18 to 24 months: the marketing review process that was updated when the Marketing Rule came into effect, the cybersecurity policy that was revised when the new SEC cybersecurity rules were finalized, the crypto asset handling procedures added when clients started asking about digital assets. These sections were updated in the document. The update process (who reviewed the revision, who approved it, when it became effective, whether employees were trained on the new version) wasn’t documented with the same care as the revision itself.
The examiner’s question isn’t just whether the WSP reflects current practice. It’s whether the firm can demonstrate a governance process around WSP maintenance: that changes were deliberate, reviewed, approved, communicated, and trained on. A WSP that’s substantively current but has no documented revision history looks, under examination, like a document that was edited to match the exam rather than a document that was maintained throughout the year.
The second version of this problem is the WSP that describes a process the firm no longer follows. Marketing review through a specific workflow that was replaced six months ago. Trade monitoring procedures that reference a vendor relationship that ended. Supervision procedures for a role that doesn’t exist anymore. The document is accurate as of when it was last updated. The firm has drifted from it since.
Vendor Documentation: The Renewal Gap
Vendor oversight has become a higher-priority examination area following the SEC cybersecurity rules and the updated Reg S-P requirements. Examiners are looking for evidence that firms understand what data their critical vendors access, have conducted due diligence on those vendors, and are monitoring vendor relationships on a defined cycle.
The document that’s missing most often isn’t the initial due diligence questionnaire. Most firms did that when the vendor was onboarded. It’s the re-review documentation, the evidence that the firm went back to the vendor 12 months later, confirmed that the security posture and data handling practices were still adequate, and updated its own records accordingly.
The gap is almost always the same: the re-review was supposed to happen, a calendar reminder was set, and either the reminder was missed or the re-review happened but wasn’t documented with the same formality as the initial onboarding. The firm knows its vendors are fine. There’s no paper trail that would allow them to demonstrate that to an examiner.
The specific vendors that generate the most scramble: data aggregation platforms, portfolio management systems, CRM tools, and any third party with access to client personal information. These are the vendors examiners care most about under Reg S-P, and they’re often the ones whose re-review documentation is least current.
Exception Logs: The Document That Usually Doesn’t Exist
Every compliance program generates exceptions, moments where something fell outside normal parameters, required a judgment call, or triggered a review process that ended differently than it usually does. How those exceptions are handled matters. Whether they’re documented consistently matters more.
Most firms handle exceptions reasonably well in practice. A trade that triggered a surveillance flag gets reviewed, cleared or escalated, and resolved. A marketing piece that raised a compliance question gets revised and resubmitted. An employee disclosure that was late gets a follow-up conversation and eventually gets filed.
What most firms don’t have is a formal exception log, a running record that documents what the exception was, when it occurred, who reviewed it, what the resolution was, and what policy change or corrective action, if any, resulted. The exception handling happened. The documentation of it didn’t.
Under examination, the absence of an exception log raises a specific concern: it looks like either exceptions aren’t being identified systematically, or they’re being identified and resolved informally in ways that don’t create accountability. Neither is the impression a firm wants to make.
Annual Review Documentation: The Deliverable Without a Home
The Investment Advisers Act requires an annual review of the compliance program. Most firms conduct it. The documentation of it is consistently the weakest part of the compliance record.
The review happens. Notes get taken. Conclusions get reached. Somewhere in the CCO’s files there’s a document, or a collection of documents, that represents the annual review. But it wasn’t structured as a formal deliverable with a clear scope, a methodology, a summary of findings, and a signature from the person responsible for the program. It was more like a compliance conversation that got partially written down.
When the examiner asks for the most recent annual review documentation, the response is often an assembly of materials that were never intended to stand alone as evidence of a formal review process. The work was done. The deliverable that proves the work was done wasn’t.
The Pattern Underneath All of It
Every document category on this list breaks down the same way. The compliance activity happened. The evidence of it wasn’t captured in a form designed to survive examination.
Marketing reviews conducted informally. Attestation cycles tracked on spreadsheets that weren’t built for audit trails. WSP updates made without revision governance. Vendor re-reviews that happened in conversations rather than documented processes. Exceptions resolved without formal logging. Annual reviews conducted without producing a formal deliverable.
The firms that go through exams without a scramble didn’t do more compliance work than the ones that struggle. They built the documentation infrastructure alongside the compliance activity, so the record was created at the moment the work happened, not reconstructed afterward under pressure.
For a compliance consultant preparing a client for their first or second examination, that’s the diagnostic question worth asking early: for each of these categories, does the firm have a process that creates evidence in real time, or a process that will require reconstruction when the document request arrives?
The answer determines whether exam preparation is a two-week sprint or a two-day export.





