Quarterly Operations and Compliance QA Review

Data Integrity and Reconciliation

    Run a position-level reconciliation between Schwab / Fidelity / Pershing / Altruist data and the portfolio system (Black Diamond, Orion, Tamarac, Addepar). Investigate any breaks over $100 or 0.1% of position value. Common sources: late corporate action posting, manual journals, sub-account omissions.

    Pull all ACATS-in transfers from the prior quarter and confirm cost basis carried over. Missing or zeroed basis on inherited or rollover positions creates phantom short-term gains at year-end and is a top client-complaint trigger.

    Run duplicate checks in Wealthbox / Redtail / Salesforce FSC and against the custodian master account list. Joint-account households often duplicate when one spouse is added later under a separate household ID.

    Confirm splits, mergers, spinoffs, and special dividends posted correctly across all accounts. Cross-check against custodian corporate action notices. Manual basis adjustments on spinoffs are a frequent source of long-term reconciliation drift.

    Three-way reconciliation: billing system invoice, custodian fee debit, and internal calculation spreadsheet. Confirm the billing methodology matches the IAA — average daily balance vs. period-end vs. period-start produces materially different fees and is a frequent SEC exam finding.

Compliance and Regulatory Adherence

    Sample 100% of new retail relationships from the prior quarter. Confirm Form CRS was delivered at first recommendation and that signed acknowledgment is in the client file. Missing CRS delivery is a Reg BI enforcement trigger.

    If the quarter contains the 120-day post-fiscal-year-end window, verify that ADV Part 2A and 2B (or a summary of material changes) were delivered to every existing advisory client. Skipped delivery is the most common SEC exam citation for small RIAs.

    Pull the LexisNexis Bridger / Refinitiv / ComplyAdvantage screening log for the quarter. Confirm every new client, beneficial owner, trustee, beneficiary, and authorized agent was screened against SDN and PEP lists. The common gap is parties added mid-relationship — beneficiaries on IRAs, new trustees on trusts.

    Pull a 10% sample of recommendations from the quarter — especially rollovers and product switches. Confirm the file documents the 'why this vs. alternatives' rationale required under Reg BI / PTE 2020-02. Check-the-box suitability forms without narrative are a known examiner red flag.

    Pull every standing letter of authorization on file. For each, confirm the seven IM Guidance no-action conditions are satisfied: written client authorization, third-party identification, custodian confirmation to client, transfer logging, ADV disclosure, periodic re-confirmation, and limited authority. Missing any one trips Rule 206(4)-2 custody.

    Spot-check Smarsh / Global Relay / Bloomberg Vault capture against advisor mobile devices and personal accounts. Sample five reps and confirm text and WhatsApp traffic is archived. Off-channel comms enforcement has driven over $2B in BD fines since 2022 — assume regulators will ask.

Client Service Quality

    Pull the not-in-good-order log from the custodian and tally the top NIGO reasons. Missing medallion signatures, mismatched names on entity accounts, and outdated beneficiary forms are the recurring offenders. Track rep-level NIGO rates for coaching.

    Confirm every written complaint from the quarter is logged with date received, assigned reviewer, resolution date, and outcome. Per FINRA Rule 4513 and SEC books-and-records, retention is required even on resolved complaints.

    For Q4 reviews, confirm every IRA / inherited IRA client subject to RMD has a distribution scheduled or completed before December 31. Post-SECURE 2.0 the missed-RMD excise tax is 25% — unrecoverable client harm and a CCO file note.

    Run a CRM report for clients without a documented review meeting in the past 12 months. The service agreement promises a cadence; a gap is both a client-experience risk and a fiduciary documentation gap.

System Performance and Reliability

    Pull quarterly uptime reports from the custodian portal and the portfolio system vendor. Note any incidents that fell during trading or rebalance windows and confirm the remediation steps documented by the vendor.

    Run a tabletop or live failover exercise covering core systems: CRM, document vault (NetDocuments / ShareFile), email archive, billing system. Confirm the recovery time aligns with the BCP filed in ADV Part 2A and the firm's WSPs.

    Pull MDM / RMM patch reports. Flag any workstations more than 30 days behind on OS or browser security updates. SEC's Reg S-P amendments raised the bar on documented technical safeguards — patch lag is one of the easier findings to write up.

    Review user lists in the custodian portal, CRM, billing, and trading system. Confirm terminated employees were removed within 24 hours and that no rep has unsupervised principal-level access. Stale entitlements are a recurring CCO finding.
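
One way to run the entitlement review above as a script (an added example, not part of the original template). The export layout, user names and the approved-principals list are assumptions; "unsupervised principal-level access" is approximated here as an active principal role held by someone not on that list.

```python
from datetime import datetime, timedelta

SLA = timedelta(hours=24)  # removal window stated in the checklist item

def review_entitlements(terminations, accounts, approved_principals, as_of):
    """Return (finding, system, user, detail) tuples, sorted for stable output.

    terminations: {user: termination datetime} from the HR roster
    accounts: rows exported from each system's user list
    approved_principals: users allowed to hold principal-level access
    """
    findings = []
    for acct in accounts:
        user, system = acct["user"], acct["system"]
        term = terminations.get(user)
        active = acct["disabled_at"] is None
        if term is not None:
            # Access ended at disable time, or is still running as of the review.
            end = as_of if active else acct["disabled_at"]
            lag = end - term
            if lag > SLA:
                kind = "STALE_ACTIVE" if active else "LATE_REMOVAL"
                hours = f"{lag.total_seconds() / 3600:.0f}h after termination"
                findings.append((kind, system, user, hours))
        if active and acct["role"] == "principal" and user not in approved_principals:
            findings.append(("UNSUPERVISED_PRINCIPAL", system, user,
                             "principal role not on approved list"))
    return sorted(findings)

# Constructed sample data (hypothetical users and export layout).
AS_OF = datetime(2025, 4, 7, 9, 0)
TERMINATIONS = {"jdoe": datetime(2025, 3, 14, 17, 0), "mlee": datetime(2025, 2, 3, 17, 0)}
ACCOUNTS = [
    {"system": "custodian_portal", "user": "jdoe", "role": "rep", "disabled_at": datetime(2025, 3, 14, 18, 0)},
    {"system": "crm", "user": "jdoe", "role": "rep", "disabled_at": datetime(2025, 3, 17, 9, 0)},
    {"system": "billing", "user": "mlee", "role": "rep", "disabled_at": None},
    {"system": "trading", "user": "asmith", "role": "principal", "disabled_at": None},
    {"system": "trading", "user": "kpatel", "role": "principal", "disabled_at": None},
]
APPROVED_PRINCIPALS = {"kpatel"}

def run_sample():
    return review_entitlements(TERMINATIONS, ACCOUNTS, APPROVED_PRINCIPALS, AS_OF)

if __name__ == "__main__":
    for finding in run_sample():
        print(*finding, sep=" | ")
```

Accounts disabled late are reported separately from accounts still active, since the first is a process finding and the second needs immediate removal.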

Findings and Principal Sign-Off

    For each finding, capture: control area, severity, named owner, target remediation date, and verification method. Repeat findings from prior quarters get flagged for CCO escalation.

    An OFAC hit, an unsafeguarded SLOA, or unarchived business communication each triggers a same-quarter remediation memo to the CCO. Document the scope of exposure, the immediate containment action, and whether a SAR, SEC self-report, or client notification is required.

    CCO and managing principal review the findings register and sign. The signed PDF lives in the firm's compliance file as evidence of supervisory review under Rule 206(4)-7 (RIA) or FINRA Rule 3110 (BD).
