This article was originally printed in Schwab Institutional's Compliance Review, April
2007, Volume 16 Issue 3.

DECODING COMPLIANCE BUZZWORDS:
THE PRACTICAL APPLICATION OF RISK ASSESSMENT AND FORENSIC TESTING

By: Janaya Moscony and Robert Tull of SEC Compliance Consultants, Inc.

Risk assessment is a phrase used to describe the process of identifying and estimating the
exposure to real and potential risks. Forensic testing is colorful shorthand to refer to
periodic tests used to evaluate the effectiveness of controls. However, the application of
these notions goes beyond the simple definitions since risk assessment and forensic
testing are pillars for a sound compliance program.

Understanding the Risk Assessment Process

The Relevance of Risk Assessment for Investment Advisors

Risk assessment is arguably the most vital activity that Chief Compliance Officers
(“CCO”) should oversee in the development of an adequate compliance program. In
adopting Investment Adviser Rule 206(4)-7 and Investment Company Rule 38-1, the
Compliance Rules, the Securities and Exchange Commission (“SEC”) stated that “each
adviser, in designing its policies and procedures, should first identify conflicts and other
compliance factors creating risk exposure for the firm and its clients in light of the firm's
particular operations, and then design policies and procedures that address those risks.” 1
The intention is for each advisor to create a customized compliance program based on a
risk assessment that is appropriate given the nature and scope of the advisor’s business.
It is apparent that compliance expectations for investment advisors continue to escalate as
the industry swells in terms of assets.

1 Compliance Programs of Investment Companies and Investment Advisers. Release No. IC-26299 and
IA-2204 (December 17, 2003).

Telephone: 610.415.9261  Facsimile: 610.200.1463  seccc.com 1


SEC Compliance Consultants, Inc. Bridging your Compliance Gap

According to the 2006 study conducted by the Investment Adviser Association and
National Regulatory Services, “Evolution Revolution,” investment advisors have more
assets under management than ever before. 2 In fact, total AUM among registered
investment advisors increased 17.2 percent from 2005 to 2006, from $26.8 trillion up to
$31.4 trillion. However, what is interesting about the study is that most of those assets
are managed by a small number of firms. The study found that 90 percent of registered
advisors reported that they have 50 or fewer employees. Only 4 percent of the firms
reportedly manage 82 percent of the total discretionary AUM for all advisors. According
to the survey, the typical registered investment advisor - the median point in the data -
has $96 million in discretionary AUM, six to 10 employees and 26 to 100 clients, who
consist of individuals, high-net-worth clients, pensions and profit-sharing plans.
Therefore, it is conceivable that the vast majority of investment advisors will approach
risk assessment without the luxury of dedicated risk management resources.

Risk Assessment Options

When determining how to approach risk assessment, an advisor should consider its size
and the depth of its business. There are various theories and approaches with regard to
risk assessment and management including, but not limited to, those enumerated in The
Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control
– Integrated Framework, 3 Enterprise Risk Management, 4 Key Risk Indicators, 5 and
Statement on Auditing Standards (SAS) No. 109, 6 to name a few. Many financial firms
rely on a variety of methodologies. However, there is no one-size-fits-all solution; a
large publicly traded institution may require a much more technical process than a typical
investment advisor.

In the context of an advisor’s compliance program, the rationale is to prevent, detect, and
when necessary correct any areas where there may be violations. A violation is often the
result of a risk event. When formulating a risk assessment process, there are several
types of risks that an advisor should keep in mind; these risks can be classified by the
potential consequence, such as: financial risk, informational risk, reputational risk, and
regulatory risk. Some of these risks have more obvious implications than others;
however, the less obvious ones can be just as severe.

2 http://www.icaa.org/public/evolution_revolution-2006.pdf
3 http://www.coso.org/publications/executive_summary_integrated_framework.htm
4 http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
5 http://www.continuitycentral.com/BusinessSpecificKeyRiskIndicatorspartone.pdf
  http://www.continuitycentral.com/BusinessSpecificKeyRiskIndicatorsPart2.pdf
6 https://www.aicpa.org/download/members/div/auditstd/SAS109.PDF

For example, at the 2005 NSCP National Membership Meeting, Lori Richards, Director
of the SEC’s Office of Compliance Inspections and Examinations, shared an anecdote
about the importance of compliance and the implications to a firm’s reputation. 7
According to Ms. Richards, a research analyst at a major wire house divided the top 25
fund firms into three groups: those that were very much involved in the fund scandals,
those that were somewhat involved, and those that were not touched at all. The analyst
then calculated the growth rates of the firms in each category in the 18 month period after
the scandals came to light. The funds that were very much involved shrank by 24%,
while those that were somewhat involved grew by 13%, and those that were not involved
at all grew by 15%. Ms. Richards continued, “the next time someone says to you:
‘compliance is a cost center, not a business center,’ you should reply, ‘when was the last
time your department had a 15% impact on the growth of this business?’”

The risk assessment process should be comprehensive, factoring in all relevant and
potential risks. Aside from the benefits to an advisor’s compliance program, conducting
a risk assessment of your firm can add value by forcing an advisor to take new
perspectives on operations, affiliations, relationships, and even outside industry practices.
The desired outcome of every business decision should be to add value. When
considering the risk of certain decisions versus the potential reward, advisors are not only
considering the benefits presented to clients, but also shareholders of the entity itself.

A Team Effort

While the CCO should oversee or manage the process, an effective risk assessment
cannot be carried out by one person alone - regardless of the size of the firm. Risk
assessment requires insight into the essential functions within the firm and this is often
only available through input from operational personnel. Operational expertise and
various perspectives add value to the process. It's very important that supervisors buy
into the risk assessment process, not only for the financial and reputational benefits but as
part of the firm’s culture of compliance.

Documentation Tools

Documenting the risk assessment process has two primary benefits. First, documentation
is one of the hallmarks of an adequate compliance program. Evidencing the risk
assessment process adds credibility and confidence to the compliance program. Secondly,
documentation can serve as a tool to navigate the risk assessment process.

7 Remarks before the National Society of Compliance Professionals National Membership Meeting by
Lori Richards. October 25, 2005. http://www.sec.gov/news/speech/spch102605lr.htm.

Risk assessments can be documented in various ways. A grid or matrix can be used to
show the various areas of compliance, where each risk corresponds to controls. Lists or
“inventories” are another alternative, but can presumably be less detailed and could tend
to be too simplistic for many firms. Charts, graphs, and heat maps can be used and are
often preferred as visual summaries. These tools can also communicate the results of the
risk assessment to those parties that were not involved with the process, which makes
them ideal for high-level reporting, such as to a firm’s or fund’s Board of Directors.

A Practical Approach to Risk Assessment

Regardless of the theories an advisor wishes to incorporate and the personnel involved,
the purpose of the risk assessment is five-fold and includes the following components:
(1) identifying the potential regulatory and operational risks associated with the activities
conducted within each area of the compliance program; (2) measuring those risks with a
standard set of terms or metrics; (3) prioritizing any gaps associated with those risks; (4)
formulating a timely action plan to manage the risk; and (5) monitoring those risks on an
ongoing basis.

1. Identifying the Risks

Identifying risks is the initial phase in the risk assessment process. There are two major
categories of risk that advisors should consider: risks inherent to the industry (such as soft
dollars, performance marketing, direct debiting fees, and code of ethics) and business
specific risks (such as affiliations, business lines or products, and client profile). Risks
can be efficiently identified through a four-step process.

Step One – Start with the Compliance Rule. The adopting release for the Compliance
Rule identifies certain areas that each advisor should address in its policies and
procedures to the extent they are relevant. To initiate the risk identification process, the
advisor can brainstorm some of the risks in these same areas by asking basic questions.

• Portfolio management processes – How are investment opportunities identified
  and allocated? How are client restrictions or mandates monitored?
• Trading practices – Are trades bunched or blocked for multiple clients? How are
  trades allocated? Are disclosures about trading practices accurate and
  understandable?
• Proprietary trading – Does the advisor allow personal trading in the same
  securities that are traded for client accounts? How are conflicts managed to
  ensure that clients’ interests always come first?
• Accuracy of disclosures – Has the advisor adequately disclosed its business,
  affiliations and activities to clients? How often are disclosures reviewed and
  updated?
• Safeguarding of client assets – How are client assets protected from unauthorized
  access or transfer? If clients ever send checks directly to the advisor rather than
  the custodian, how is this handled?

• Books and Records – How are e-mails retained? How are books and records
  secured from unauthorized alteration or use and protected from untimely
  destruction?
• Marketing – Are marketing materials reviewed for misleading statements and
  applicable disclosures? How are solicitor arrangements documented, disclosed,
  and supervised?
• Valuation of client holdings and Advisory Fees – Does the advisor use the
  custodians to value client portfolios? Does the advisor fair value positions or
  over-ride third-party valuations? What valuations are used for the basis of
  advisory fees?
• Privacy – How is access to confidential client records controlled? How does the
  firm dispose of confidential information?
• Business continuity plans – How effective is the disaster recovery or business
  continuity plan? Does the firm have loss of key man/woman provisions?

Step Two – Review Form ADV Part 1 and Part II. Read through Form ADV Part 1
(IARD) as if you were evaluating the firm from an outsider’s perspective – a potential
client or a regulator. Where are the potential risks? For example, if your advisor has
affiliated companies, potential related risks should be included in your risk assessment.
Does the advisor recommend that clients purchase insurance through a related entity? Is
the advisor receiving compensation? Disclosures regarding discretion, brokerage,
solicitors, and affiliations are easy places to begin. While the disclosures in Part II of
Form ADV may be narrative and specific, they generally involve inherent risks. Not only
are Form ADV responses used to provide relevant, material information about a firm’s
operations, but also the responses are used by the SEC in order to create a risk profile for
each firm.

Step Three – Walk through the major operational and regulatory areas of the firm.
Which areas present more risk and what has not been identified yet? Is there a proper
delineation of responsibility and oversight within the organization to prevent and deter
unethical behavior? Brainstorm with operational level personnel, leveraging the
expertise and knowledge base of all staff. Be creative about the less obvious risks and
create scenarios on how certain risks might manifest themselves.

Step Four – Industry Information. The advisor needs to stay current on the rules and
regulations. Best practices and industry buzz can assist the advisor in knowing where to
focus. The advisor can find guidance by looking to industry publications, SEC releases
and speeches, and service provider knowledge-bases. Also, advisors should not overlook
the value of using peers or competitors as a benchmark. Assess how they are
approaching compliance risks and how their operations and business lines are evolving.

This identification process should yield a comprehensive inventory of relevant risks.
Depending on the documentation tool used, an advisor may take this opportunity to drill
down to link these risks to a procedure. It is also useful to link policies and procedures to
applicable staff members who are responsible for executing the policies and supervising
their effectiveness. It is beneficial to conduct interviews to ensure individuals take
responsibility and memorialize that responsibility in writing.

2. Measuring the Risks Identified

At this stage, the advisor should measure the risks identified by considering their impact
and probability (or likelihood) of a risk event in the absence of controls (these risks are
often referred to as “inherent risks”). Likelihood represents the possibility that a given
event will occur, while impact represents its effect should it occur. When evaluating
impact, the advisor should look at the impact to clients or potential clients, the impact to
disclosure, financial impact, impact to reputation, and regulatory impact. The advisor
should also consider materiality when assessing impact.

Probability is the anticipated frequency of a risk event given the regularity of the activity
or process that is associated with the risk. For example, the risk of incorrectly assessing
quarterly advisory fees could occur on a quarterly basis. Adequate controls will decrease
the probability. The measurement should provide a baseline for an advisor to assess how
well its policies and procedures control or manage the inherent risk – i.e., decrease the
probability or impact. Projecting and estimating these measurements should be based on
the nature of the risk.

Estimates of risk likelihood and impact often are determined using data from past
observable events and forensic testing. This helps to provide a more objective basis rather
than entirely subjective estimates. Caution should be used when using past events to
make predictions about the future, as factors influencing events may change over time.
In addition, internally generated data based on an advisor’s own experience may reflect
subjective bias. Advisors may want to consider having an independent third party assist
with the risk assessment or some other piece of the compliance program.

There are various methodologies that can be used to measure the impact and probability
of risks, such as: Quantitative (1, 2, 3, 4, 5, etc.), Qualitative (low, medium, high), and
Relative (average, below average, above average). Qualitative assessment techniques
alone may be used for multiple reasons. For example, the results of qualitative
assessments can capture subjective elements and be easily interpreted. Additionally, it
may not make sense to quantify the risks when consistent data is not available.
Quantitative techniques are typically associated with more complex risk assessments and
are generally used in conjunction with qualitative assessments. Although an entity need
not use common assessment techniques across all areas of its business, an advisor will
find it advantageous to use a consistent process and attempt to simplify the process to the
extent possible.

The following is an illustration of applying a methodology to risks associated with
obtaining best execution. ABC firm identifies a potential risk in that execution is being
done through an affiliated broker. Qualitatively, the firm opines that this is a significant
risk because the firm could use an electronic communication network (or “ECN”), but
chooses to use the affiliated broker for 90% of all transactions executed. The firm could
be perceived as acting in its own best interest ahead of its clients’ best interest if the firm
is not comparing execution alternatives and documenting its due diligence review.
Quantitatively, the firm could use a 1-5 scale and rate this risk as a “5” or use algorithms
to determine an estimated monetary measure. Alternatively, the firm could measure this
risk in relative terms. If executing the majority of trades through an affiliated broker
could present high regulatory, financial, and informational risk, the advisor may rate the
risk simply as “high” or “above average” when compared to other potential risks.

Another alternative measurement approach may be to apply the performance
measurements used by management in determining the extent to which objectives are
being achieved. It may be useful to use the same unit of measure when considering the
potential impact of a risk to the achievement of a specified objective. Management may
assess how events correlate, where sequences of events combine and interact to create
significantly different probabilities or impacts. While the impact of a single event might
be slight, a sequence of events might have a more significant impact. Where potential
events are not directly related, management assesses them individually; where risks are
likely to occur within multiple business units, management may assess and group
identified events into common categories. There is usually a range of possible results
associated with a potential event, and management considers these potential results as a
basis for developing a risk response.

3. Prioritizing the Risks Based on Measurements

Once an advisor has measured its inherent risks – that is, the impact and likelihood of a
risk event in the absence of controls – it is time to create an action plan and prioritize the
risks by first addressing the areas that have the greatest exposure in terms of their
measurement.

A practical technique for prioritizing risks is assessing how well existing controls address
those risks. By evaluating the adequacy and effectiveness of controls, an advisor can
gauge the amount of inherent risk that is not mitigated by existing controls, often referred
to as “residual risk.”

Revisiting the best execution example, the inherent risk is the risk that the firm could be
obtaining better execution by using another unaffiliated broker to execute transactions.
However, if the advisor reviews transactions and compares them against market
executions and finds that the transactions executed by the affiliated broker are generally
better than those executed elsewhere, the advisor has potentially reduced its
risk. The control is the review and comparison of trades executed in the market versus
those executed by the affiliated broker. Therefore, the residual risk is the instances in
which the affiliated broker might not execute at a better price than another broker.
Management should recognize that some level of residual risk might exist even after the
application of controls.

Areas with higher residual risks should receive priority in an action plan. Just as risk
can be measured in relative terms, priorities can be classified in relative terms (high,
medium, and low) or in a timeline with target dates or timeframes.

An action plan should call for the development or improvement of policies, procedures,
and control activities to address these risk areas with the intent to mitigate the impact
and/or probability of these risks occurring.

4. Managing the Risks

In executing the action plan, the advisor should take into account its risk tolerance and
each risk’s cost and relative benefit as a result of the activity that creates the risk. The
advisor should identify controls that are expected to bring risk likelihood and impact
within the advisor’s risk tolerance. Controls may be implemented to avoid risk, reduce it,
share it, and, when appropriate, accept it.

For example, the advisor may determine that the risk related to potential conflicts or
perceived conflicts associated with employees trading in their personal investment
accounts is not worth accepting. That advisor could adopt a policy prohibiting personal
trading. Another advisor may not want to be so prohibitive with employees. This
second advisor may be willing to accept the potential risk that an employee trade could
present a perceived conflict despite implementing policies and procedures intended to
shield this risk. Such an arrangement would not only be a potential regulatory risk, but it
could also be a potential concern to clients. The advisor may be willing to accept the risk
taking into consideration that employees shouldn’t be unduly constrained with regard to
their personal finances as a result of their affiliation with the advisor.

5. Monitoring the Risks

Risk assessment, and the management of those risks, is not a one-day or one-time
project. Both should be viewed as an ongoing activity. An advisor’s risk assessment
should be revisited during the annual review of the compliance program. We advocate
that the annual review of the compliance program be conducted as a “rolling review,” include
documented forensic testing, and tie back to the most recent risk assessment. As an
advisor’s business and applicable regulations change, the advisor’s overall compliance
program will need to evolve. Thus, an advisor should keep the risk assessment process
evergreen by ensuring that it is relevant and reflective of the current operational and
regulatory environment. The action plan itself should be periodically monitored and
revisited.

Designing and Applying Realistic Forensic Tests

Forensic testing provides the best approach to monitoring risks and testing compliance
functions. The SEC staff has stated repeatedly during the 2006 CCOutreach Seminars, 8
and in numerous speeches and articles, that advisors should conduct various types of
forensic testing as part of their annual (and interim) reviews of their compliance program.
The term forensic testing is generally associated with technical sleuthing, such as linking
evidence to criminal behavior as glamorized in popular television programs. However,
the actual practice is far less intimidating or exciting.

When the SEC references “forensic testing,” the agency is referring to the
testing that advisors should be conducting of their compliance programs in order to
identify areas where there are weaknesses. 9 This style of testing involves gathering
operational data or information and analyzing it (either directly or through various
manipulations) in order to draw conclusions with regard to certain compliance functions
and controls.

If the concept still seems enigmatic, a good place to start for examples of forensic testing
is the SEC Examination Request List. Not only will the request list give you a good idea
of where you should be conducting forensic testing, but it will also offer some insight as
to what the SEC will be doing when they visit you to conduct an examination.

Examples of Types of Forensic Tests

Certain forensic tests are rather straightforward.

Example 1 – Advisory Fees: This can be accomplished by sampling and recalculating
fees, trending instances of refunds, comparing advisory fee revenues from quarter to
quarter, and cross-referencing advisory fee receivables with amounts collected from
clients. If a CCO or his or her designee tests advisory fee calculations and finds that
there are inaccuracies, it would be sensible to conclude that the risk of inaccurately
assessing fees is not mitigated to an appropriate level and that the compliance program in
this area is weak.

Example 2 – Reporting of Personal Trades: Likewise, if a CCO or his or her designee
reviews reports submitted by access persons with regard to personal securities
transaction requirements and finds that the reports are incomplete or late, it could be an
indication of weak controls. If one particular employee or members in a particular
department are consistently submitting insufficient reports, it could be an indication that
risks within that department are not fully addressed. Additionally, analytical testing
could include cross-referencing personal trading activities with client transactions (or pre-
approval documentation) or comparing the profitability of employee transactions to client
transactions. The results of these reviews indicate whether or not gaps remain in the
compliance program, thus leaving exposure to certain risks identified and assessed.

8 http://www.sec.gov/info/ccoutreach.htm
9 http://www.sec.gov/info/cco/adviser_compliance_questions.htm

Example 3 – Accurate Pricing: Why does the SEC request a list of client portfolio
holdings as of certain dates? The SEC may use the holding reports to review for window
dressing or for accurate pricing. Many firms use exchange quotes and broker quotes to
value their securities, but firms also should use multiple sources and cross-check them to
ensure they are accurate. If a broker is used, the advisor should conduct due diligence on
that broker by inquiring as to whether the broker is a market maker and whether the
broker back-tests the prices. One approach to testing the dependability of security
valuation is an “acid test,” where the selling price of the security in the open market is
compared to the most recent pricing obtained for that security from the pricing service.
As an illustration, if a security is priced at $50/share on the 30th of the prior month and
the advisor executes a sale of the security in the open market on the following trading day
for $35/share, in the absence of material market or company specific developments or
news, then an advisor should take additional steps to evaluate if pricing risks are
adequately mitigated by using that particular pricing source.

Other areas of compliance testing can be considered a bit more onerous or technical. For
example, the analysis of a trade blotter can produce a wealth of information if an advisor
is willing to become comfortable with the breadth of data. It is not surprising that we find
this to be an area where many firms fall short in their forensic testing. A CCO does not
have to be a scientist to conduct these reviews, although a basic understanding of
programs such as Excel or Access is helpful. Forensic testing of a firm’s trade blotter
should include searching for patterns that occur over time and that may violate the firm’s
internal controls or the law.

A typical SEC request list provided during an examination almost always asks for the
advisor’s transactions. The request generally takes the following format:

“Please provide the following fields of data: (a) trade date, (b) settle date, (c) type
of transaction (buy, sell, etc.), (d) security name, (e) CUSIP, (f) ticker symbol, (g)
quantity of shares or principal amount, (h) price, (i) total commissions, (j)
commission per share, (k) accrued interest, (l) other fees, (m) net amount for
client, (n) client name, (o) client account number or code, (p) name of executing
broker-dealer, and (q) an indication if trade is stepped-out.”

Why does the SEC request this information? There are multiple reasons, the most
notable of which is that a trade blotter contains a vast amount of flexible data that can be
manipulated to assess several different operational areas. There are a number of forensic
tests that the SEC can perform with regard to the trade blotter. An advisor should
perform these same tests internally. Here are a few tests that an advisor can conduct:

• Review transactions to detect any unreported agency or internal cross
  transactions. For example, review transactions where there are opposite sides of a
  transaction in a security on the same day, at the same price, through the same
  broker, and generally, but not necessarily, for the same number of shares. Review
  if any clients were consistently the buyer or seller in cross transactions and
  calculate the profitability of buys and sells to see if the firm is “dumping”
  securities into certain client accounts.

• Review the total commissions (and average commission rate) paid to each broker-
  dealer, the particular client accounts that generated such commissions, and note
  the average commission per share. This could indicate various issues such as
  undisclosed soft dollar arrangements and directed brokerage for client referrals.

• Review for patterns of short-term trading in client accounts. Ensure that this is
  consistent with client mandates, the client’s desired level of risk, and the firm’s
  trading philosophy as disclosed to clients.

• Review the allocation of IPOs and their profitability to determine if any clients
  were favored in IPO allocations.

• Review bunched transactions to ensure that clients included in the bunch received
  comparable prices and paid comparable transaction costs. Further, investigate any
  instance where certain accounts are consistently excluded from bunched
  transactions.

• Review transactions involving thinly traded securities to look for indications of
  market manipulation. Also, review transactions that could be large enough to
  move the market.

• Review portfolio turnover for indications of churning (or reverse churning) in
  client accounts.
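
The first two tests in the list above (potential cross transactions and commissions per broker-dealer) can be run directly over a blotter export. The following Python sketch is an added example, not part of the original article; the column names, the sample rows and the function names are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample blotter: a subset of the fields in the request list quoted
# above. Every value (dates, CUSIPs, accounts, brokers) is made up.
SAMPLE_BLOTTER = """\
trade_date,side,cusip,quantity,price,total_commission,account,broker
2006-11-01,BUY,000000AA1,1000,25.10,50.00,ACCT-01,Broker A
2006-11-01,SELL,000000AA1,1000,25.10,50.00,ACCT-02,Broker A
2006-11-01,BUY,000000BB2,500,40.00,15.00,ACCT-03,Broker B
2006-11-02,SELL,000000BB2,500,41.25,15.00,ACCT-03,Broker B
2006-11-03,BUY,000000CC3,2000,10.00,160.00,ACCT-01,Broker A
2006-11-03,SELL,000000CC3,1500,10.00,30.00,ACCT-04,Broker C
2006-11-06,SELL,000000DD4,800,18.75,40.00,ACCT-02,Broker A
2006-11-06,BUY,000000DD4,600,18.75,30.00,ACCT-01,Broker A
"""


def load_blotter(text):
    """Parse blotter CSV text; convert numeric fields (Decimal avoids float drift)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["side"] = row["side"].strip().upper()
        row["quantity"] = int(row["quantity"])
        row["price"] = Decimal(row["price"])
        row["total_commission"] = Decimal(row["total_commission"])
        rows.append(row)
    return rows


def find_potential_crosses(trades):
    """Pair buys and sells in the same security, on the same day, at the same
    price, through the same broker, for different accounts. Share counts may
    differ, so that is reported as a flag rather than used as a filter."""
    groups = defaultdict(lambda: {"BUY": [], "SELL": []})
    for t in trades:
        if t["side"] in ("BUY", "SELL"):
            key = (t["trade_date"], t["cusip"], t["price"], t["broker"])
            groups[key][t["side"]].append(t)

    crosses = []
    for (trade_date, cusip, price, broker), sides in groups.items():
        for buy in sides["BUY"]:
            for sell in sides["SELL"]:
                if buy["account"] == sell["account"]:
                    continue  # same account on both sides is not a client-to-client cross
                crosses.append({
                    "trade_date": trade_date,
                    "cusip": cusip,
                    "price": price,
                    "broker": broker,
                    "buyer": buy["account"],
                    "seller": sell["account"],
                    "same_quantity": buy["quantity"] == sell["quantity"],
                })
    return crosses


def counterparty_roles(crosses):
    """Count how often each account was the buyer or the seller in a flagged
    cross, to surface accounts that are consistently on one side."""
    roles = defaultdict(lambda: {"buyer": 0, "seller": 0})
    for c in crosses:
        roles[c["buyer"]]["buyer"] += 1
        roles[c["seller"]]["seller"] += 1
    return dict(roles)


def commission_by_broker(trades):
    """Total commissions, total shares and average commission per share for
    each executing broker-dealer."""
    totals = defaultdict(lambda: {"commission": Decimal("0"), "shares": 0})
    for t in trades:
        totals[t["broker"]]["commission"] += t["total_commission"]
        totals[t["broker"]]["shares"] += t["quantity"]
    return {
        broker: {**v, "per_share": v["commission"] / v["shares"] if v["shares"] else None}
        for broker, v in totals.items()
    }


if __name__ == "__main__":
    blotter = load_blotter(SAMPLE_BLOTTER)
    flagged = find_potential_crosses(blotter)
    for c in flagged:
        print("possible cross:", c)
    print("roles:", counterparty_roles(flagged))
    for broker, stats in commission_by_broker(blotter).items():
        print(broker, stats)
```

A flagged pair is only a candidate for review: the output gives the reviewer the dates, accounts and broker to pull supporting documentation for, and the conclusion still has to be documented.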

As with a risk assessment and other compliance related activities, forensic tests should
result in documented conclusions (e.g., no unreported cross transactions in Q4-2006).
While there may be some apprehension for fear that documentation could create a
roadmap for the SEC when they stop by for a visit, this documentation can demonstrate
how the firm proactively addresses and follows up on compliance issues.

Capitalizing on Knowledge

Understanding the meaning of risk assessment and forensic testing, and realizing that
both activities have practical and useful solutions, places an advisor in a position to get
the most compliance mileage out of limited resources. A compliance program built on a
thoughtful risk assessment and one that incorporates consistent forensic testing will
provide an advisor confidence that it is satisfying regulatory expectations.

About the Authors

Janaya Moscony is president of, and Robert Tull is a senior consultant with, SEC Compliance
Consultants, Inc. (SEC3). SEC3 provides compliance consulting services to financial institutions
globally, including investment advisors, investment companies, hedge funds, broker-dealers and
transfer agents. SEC3 can assist with regulatory compliance needs and bridge the gap between a
firm’s operations and current regulations. For details, please visit www.seccc.com or contact
Janaya Moscony at 1-610-415-9261, ext. 114.
