Regulatory audits

(May 9, 2005) While a regulatory audit is not a social call, the staff who undertake these visits to your office point out that they are not out to get you. In fact, in a panel discussion at IFIC’s 4th Annual Compliance Forum today in Toronto, a panel offered tips on how to prepare for such a visit.

“Compliance audits are not about enforcement,” says Milos Barutciski, partner at Davies Ward Phillips & Vineburg. “They can lead to enforcement if things are so egregious that there’s no option but enforcement, but it’s not the same thing.”

Barutciski, who frequently represents corporate clients in regulatory proceedings, was joined on the panel by Noula Antoniou, senior accountant with the OSC’s compliance group and Karen McGuinness, director of compliance at the MFDA.

All members of the panel agreed that as a scheduled regulatory audit approaches, a firm’s compliance team should undertake their own internal audit to identify deficiencies before the auditors arrive. Since the regulatory team is likely to find the same deficiencies anyway, they will look favourably on the firm that presents a remedial plan for these problems at the outset of the audit.

Depending on which regulator is conducting the audit, a firm may not have enough warning to conduct a full audit. The OSC only gives two or three days notice, while the MFDA warns one to two weeks in advance. OFSI can be the most generous, giving up to two months notice of an impending audit.

McGuinness says the MFDA audit teams will request, among other items, a copy of the firm’s policies and processes manual, so the auditors have some idea what kind of environment they are heading into.

Of course, having these policies in place is not enough. In conducting the internal audit, the firm’s compliance team should judge from the regulators perspective on the implementation of policies and processes.

Because the audit can come as a snap inspection, the compliance department has an extra incentive to run a tight ship in the first place. Antoniou recommends compliance officers consult the OSC website for a list of common compliance deficiencies as a starting point.

“I think the majority of firms do want to comply,” she says. “When we go up there I look at it as a learning tool. We’re there in the spirit of co-operation. A lot of firms do want to know how they measure up in compliance.”

The first thing the regulators will look at is the last compliance audit they conducted and how the firm has addressed the deficiencies that were identified.

Recognizing the short notice they offer, Antoniou says the auditors do not expect everything to be in order upon arrival, just that there be sufficient documentation for the team to get down to work.

Antoniou and McGuinness say audits will present deficiencies to the internal compliance team as they are found, which allows the firm to question if the finding is fair or not. Barutciski points out that this debate need not be settled immediately and that once the audit report is delivered, it is too late to raise objections, so the firm should make its point during the audit.

Once the audit file is closed, the regulator will compile a compliance report which is forwarded to the firm. This report will often identify the deficiencies that require immediate attention, acknowledging that some minor flaws will inevitably creep through. This report is the basis of judging compliance when the next audit is commenced.

The regulators on the panel say it is imperative that senior operating managers of the firm attend the exit interview, rather than simply sending the chief compliance officer. The senior executive should be well-versed in the contents of the regulators report, which demonstrates the firm takes compliance matters seriously.

To ensure the executive suite has a chance to study the identified deficiencies, the OSC addresses the final report to the CEO. The firm has 30 days to respond to the report, outlining its plans to improve regulatory compliance.

“Compliance is a cycle, it’s not a one-shot deal,” says Barutciski. “If you’re looking at it as a one-off, even if it’s an annual one-off, you’re missing some key opportunities and some pitfalls that you face. Anything that repeats, you can learn from your mistakes.”

Filed by Steven Lamb, Advisor.ca, steven.lamb@advisor.rogers.com

(05/09/05)

Steven Lamb