Is Your Technology Ready for an Audit?

June 29, 2015 at 08:00 PM

When it's time to face a regulatory audit, you can expect it will involve a lot of work: reviewing your firm's adherence to regulatory rules, producing any number of documents and reports, evaluating the procedures and processes followed, and ultimately identifying potential risk areas. Considering all the work involved once the audit begins, it is worth taking all the measures possible to prepare for it. The most critical step of all is to make sure that your technology is also up to the task of a regulatory audit. There are a number of areas to review that will help you be better prepared.

Technology is probably the backbone of most of your firm's processes and procedures. A challenge for a number of firms is keeping documented processes and procedures up to date as technology evolves. For example, do your asset movement procedures use the latest best practices and technology to minimize risk? This would include how your firm utilizes its internal systems and those offered by your custodian to ensure each transaction is verified and properly approved.

Remember that depending on the experience of the auditor, they may be aware of what is "standard" in the industry based on audits of other firms. If you're not fully leveraging your technology to minimize various risks, you don't want to be informed of this by the auditor.

Another area to review is the criteria and evaluation process that your firm followed in selecting your technology providers and solutions. Many of your firm's technology solutions fulfill critical areas of your business. Whether it is your reporting system, trading, CRM or imaging, it is important to be able to demonstrate the level of detail and care that went into your selection of each provider. Firms that have used the same solutions for years might have limited information in this area. If that is the case for your firm, consider briefly documenting your current experience with your existing providers. Specific areas to highlight include reliability, security, service levels and the scalability of the solution.

It is also important to stay up to date with your technology reviews and evaluation. As an example, consider sending an annual letter to the providers that store or access your confidential client data confirming that they have not had any data breaches or security issues. Of course, these providers should tell your firm at the time of any data or security breach, so their response should not be new information, but documenting your review is the important step.

With new state rules on business continuity going into effect soon, you should prepare to have processes and procedures in place to ensure that critical business functions can continue during and after a disaster or other significant business interruption. When was the last time your firm conducted a business resumption drill? Hopefully, you are doing them at least once per year. After conducting a drill, do you document the results of the exercise? For example, if you removed your primary Internet connection and successfully re-established connectivity using your back-up Internet service, you should keep a record of when you did it and any issues that arose. Then, while using your back-up connection, you should conduct several business processes (e.g., trading, money movement, opening an account). Keep in mind, it doesn't take a significant amount of documentation to demonstrate that your firm conducted an adequate business resumption drill.

Your firm's technology infrastructure and data security are often on the evaluation list during an audit. Many firms rely on their current IT provider to ensure they are compliant in this area. This makes sense, but as your firm grows, you might consider hiring another IT provider to audit your network. Essentially, you are getting a second opinion that everything is in good order and that there are no holes in your network.

Review Your Employees' Access Credentials Today

Who at your firm has access to your systems and technology products? Hopefully it is not one size fits all, where every employee has the same level of access. Some employees might need administrator access on their computer, but others may not. Some employees might need the ability to place trades, while others may require only access to view account information. A common and unnecessary risk at a firm is an employee whose access credentials go far beyond their needs or capabilities. Take the time to create specific access credentials for each employee or group area, and then document the information.

© 2024 ALM Global, LLC, All Rights Reserved.