Internal Audit Checklist

Audit Planning and Scoping

    Review the prior-year audit plan, recent SEC / FINRA exam findings, and the firm's risk register. Scope should map to ADV Part 1 business activities — discretionary AUM, custody arrangements, advertising, private fund activity. Document any scope carve-outs and the rationale.

    Registration drives applicable rule set. State-registered RIAs follow NASAA model rule books and recordkeeping; SEC-registered RIAs follow Advisers Act 204-2; dual-registrants pull in FINRA Rule 3110 supervision and Reg BI. Capture the answer here so downstream sections only test the rules that apply.

    Pull samples per Rule 204-2: advisory agreements, fee invoices, trade blotters, advertising / RIA marketing pieces, e-comms archive (Smarsh / Global Relay), code of ethics personal trading reports, and complaint log. A 90-day sample window is typical; calibrate sample size to firm AUM and prior findings.

Governance and Risk Management

    Pull board / management committee minutes for the audit period. Confirm CCO reports were delivered, risk register was reviewed at least annually, and material incidents (trade errors, complaints, breach attempts) were escalated. Missing minutes are an SEC exam citation magnet.

    Confirm the firm has a written risk appetite statement covering investment, operational, compliance, and reputational risk. Verify thresholds are quantified (e.g., max single-position concentration, error account loss tolerance) rather than aspirational language.

    SEC Rule 206(4)-7 requires an annual review of compliance policies and procedures. Locate the prior-year review memo, confirm CCO sign-off, and verify findings were tracked to remediation. Missing annual review is one of the most-cited deficiencies in OCIE/Exams reports.

    If the prior-year 206(4)-7 review is missing or incomplete, open a finding with a named remediation owner and target close date. This finding must be addressed before the next regulatory exam window — late annual reviews are difficult to defend.

Compliance and Regulatory Adherence

    Sample at least 20 client files. Confirm Part 2A brochure delivery within 120 days of fiscal year end and any material change update. Confirm Part 2B delivered for each client's primary advisor. Skipped delivery is the #1 ADV-related citation.

    Reg BI / IA Form CRS must be delivered to retail at first recommendation, new account, or new service. Pull the CRM trigger log and reconcile against new account openings in the period. Retain client acknowledgments per the firm's books and records policy.

    Pull 15-25 recommendations across rollovers, alts, annuities, and concentrated positions. Verify each file documents the why — costs considered, alternatives considered, and best-interest determination. Boxes-checked-only files do not survive a Reg BI exam.

    For each sampled new account, confirm CIP completion, beneficial owner collection on entity accounts (25%+ owners per CDD rule), and OFAC screening on every party including beneficiaries added later. Document any PEP status and EDD evidence.

    Pull a sample from the marketing log and Hearsay / Smarsh archive. Confirm pre-approval evidence, performance presentation disclosures (Marketing Rule 206(4)-1), and testimonial / endorsement disclosures where applicable. LinkedIn posts by IARs are a common gap.

    For dual-registered firms only. Sample principal review evidence under FINRA Rule 3110 — trade reviews, e-comm sampling, OSJ branch inspection schedule, and Form U4 amendment timeliness. Document any rep with disclosure events that warrant heightened supervision.

Information Security and Data Protection

    Verify the written information security program, identity theft prevention program (Red Flags Rule), and annual Reg S-P privacy notice delivery. The 2024 Reg S-P amendments require a 30-day breach notification — confirm the policy reflects this.

    Pull entitlement reports for Schwab Advisor Center / Fidelity Wealthscape / Pershing NetX, the CRM (Salesforce, Wealthbox, Redtail), portfolio system (Black Diamond, Orion, Tamarac), and email archive. Confirm quarterly access reviews and timely terminations for offboarded staff.
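The access-review step above is easiest to evidence with a reconciliation rather than eyeballing exports. The following is an added example, not part of the Manifestly template or any vendor's tooling: it joins constructed entitlement exports (column names are assumptions; real custodian-portal, CRM and archive exports differ) against a constructed HR roster, flags accounts still active for terminated staff beyond the offboarding SLA, flags accounts with no roster match (orphans and service accounts that need a named owner), and lists any quarter in the audit period with no documented access review.

```python
"""Reconcile entitlement exports against the HR roster and check quarterly
access-review cadence. All data below is constructed for illustration."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed entitlement export: one row per account per system.
# Column names are assumptions, not any vendor's real export format.
ENTITLEMENTS_CSV = """\
system,user_id,role,status
custodian_portal,jsmith,trader,active
custodian_portal,mlee,view_only,active
crm,jsmith,admin,active
crm,tchan,user,active
email_archive,svc_backup,reviewer,active
portfolio_system,mlee,admin,disabled
"""

# Constructed HR roster; termination_date is blank for current staff.
ROSTER_CSV = """\
user_id,status,termination_date
jsmith,active,
mlee,terminated,2024-03-01
tchan,terminated,2024-05-28
"""

# Constructed dates on which quarterly access reviews were signed off.
REVIEW_DATES = [date(2023, 7, 15), date(2023, 10, 20), date(2024, 4, 2)]
AUDIT_PERIOD = (date(2023, 7, 1), date(2024, 6, 30))


@dataclass(frozen=True)
class Finding:
    system: str
    user_id: str
    issue: str          # "terminated_active" or "orphan"
    days_overdue: int   # days past the offboarding SLA; 0 for orphans


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_access_exceptions(entitlements, roster, as_of, sla_days=1):
    """Flag active accounts belonging to terminated staff past the SLA, and
    active accounts with no roster match (orphans / unowned service accounts)."""
    roster_by_id = {r["user_id"]: r for r in roster}
    findings = []
    for row in entitlements:
        if row["status"] != "active":
            continue  # already disabled; nothing to flag
        person = roster_by_id.get(row["user_id"])
        if person is None:
            findings.append(Finding(row["system"], row["user_id"], "orphan", 0))
            continue
        if person["status"] == "terminated":
            days_since = (as_of - date.fromisoformat(person["termination_date"])).days
            if days_since > sla_days:
                findings.append(Finding(row["system"], row["user_id"],
                                        "terminated_active", days_since - sla_days))
    return sorted(findings, key=lambda f: (f.system, f.user_id))


def missing_quarterly_reviews(review_dates, period_start, period_end):
    """Return (year, quarter) pairs inside the audit period with no review."""
    def quarter(d):
        return (d.year, (d.month - 1) // 3 + 1)
    reviewed = {quarter(d) for d in review_dates}
    missing, (y, q), end = [], quarter(period_start), quarter(period_end)
    while (y, q) <= end:
        if (y, q) not in reviewed:
            missing.append((y, q))
        y, q = (y + 1, 1) if q == 4 else (y, q + 1)
    return missing


def audit_sample(as_of=date(2024, 6, 30)):
    """Run both checks over the constructed data; returns (findings, gaps)."""
    findings = find_access_exceptions(parse_csv(ENTITLEMENTS_CSV),
                                      parse_csv(ROSTER_CSV), as_of)
    gaps = missing_quarterly_reviews(REVIEW_DATES, *AUDIT_PERIOD)
    return findings, gaps


if __name__ == "__main__":
    findings, gaps = audit_sample()
    for f in findings:
        print(f"{f.system:18} {f.user_id:12} {f.issue:18} overdue={f.days_overdue}d")
    print("quarters without a documented access review:", gaps)
```

On the constructed data this reports mlee still active on the custodian portal 120 days past SLA, tchan still active in the CRM 32 days past SLA, an unowned svc_backup account in the email archive, and no review evidence for Q1 2024. Each flagged line is a workpaper exception with the system and account already named, which is the form an examiner will ask for.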

    Confirm policy prohibits personal email and unapproved texting for client communications, and that approved tools (MyRepChat, Hearsay Relate, Smarsh Connected Capture) are deployed. Spot-check rep devices or attestations. The 2022-2024 SEC sweep produced $2B+ in fines for off-channel gaps.

    Confirm the business continuity plan was tested in the audit period, the recovery point objective is documented, and offsite / cloud backups are validated. Pull the most recent restore-test evidence — many firms have backups that have never been restored.

    Pull the incident log for the audit period and confirm each entry has a triage record, root cause, and remediation. Confirm a tabletop exercise was held. Wire-fraud near-misses are common and should appear in this log if controls are working.

Financial Reporting and Custody Controls

    Three-way reconciliation: fee invoice, custodian fee debit, internal calculation. Sample at least one quarter across the audit period. Confirm fee methodology (average daily balance vs. period-end vs. period-start) matches the IAA — this is the single most common operational error.

    Material fee exceptions require client-by-client restitution with interest, written notification, and disclosure on the next ADV amendment under Item 9 if custody implications attach. Loop in outside counsel before notifying clients.

    Inventory all SLOAs, bill-pay arrangements, and trustee / POA roles. Confirm each meets the SEC no-action letter conditions: ADV disclosure, signed third-party authorization on file, written confirmation. Inadvertent custody from SLOAs is the most-missed custody trigger.

    Trade errors: confirm same-day reporting and a documented 5-day resolution SLA. Sample error account journal entries; verify gains went back to the client and losses were borne by the firm. Confirm no errors were netted across clients.

    If the firm claims GIPS compliance, confirm composite construction, dispersion calculations, and verifier attestation are current. For non-GIPS performance shown in marketing, confirm Marketing Rule disclosures are present and net-of-fee returns are shown alongside any gross figures.

Operational Effectiveness Review

    Pull 10-15 new accounts from the period. Verify signed IAA, risk profile (Riskalyze / Tolerisk), KYC documentation, OFAC clear, ACATS confirmation, and CCO sign-off on the new client file. NIGO accounts are a common operational drag — note the rate.

    Run a drift report from iRebal / Tamarac / Eclipse. Identify accounts beyond threshold for more than 60 days without an advisor sign-off. Persistent drift in volatile markets is how clients end up off-policy without anyone noticing.

    Pull the RMD tracker against the custodian's required-minimum-distribution report. Confirm every applicable client has either taken the RMD or has a scheduled distribution before Dec 31. Missed RMDs trigger a 25% excise tax under SECURE 2.0 and are firm-reputational events.

    Sample access-person quarterly reports and pre-clearance logs. Test against the restricted list and front-running thresholds. Confirm initial / annual holdings reports were submitted within 10 / 45 days respectively per Rule 204A-1.

Findings and Sign-Off

    Each finding gets a severity rating, named owner, and target close date. Cross-reference to prior-year findings — repeated findings escalate severity automatically and require root-cause analysis, not just remediation.

    Walk the committee through findings, residual risk ratings, and remediation timelines. Capture committee responses in the minutes. The minutes are part of the books and records and will be requested at the next exam.

    Assemble the final audit file with workpapers, sample selections, exception listings, management responses, and CCO sign-off. Retain per books and records (5 years easily accessible, 2 years on-site for SEC RIAs).

Use this template in Manifestly
