9 JULY 2025

What can Go Wrong?

Investment management firms have the potential to grow into remarkably complex organizations very quickly. In today's landscape, where third-party systems are frequently employed and vast quantities of data are stored in "the cloud," it can be shockingly easy to lose track of records. The looming possibility of an unfavorable regulatory audit, a major data breach, or any situation where sensitive information is compromised is inches closer to reality when financial services professionals fall short in prioritizing data compliance.

Beyond the necessity of preparing for SEC scrutiny, the above scenarios underline why it is crucial for CIOs to implement thorough practices for storing and organizing data internally. In addition to compliance considerations and the general need for organization, such measures also provide a degree of control over ensuring no data is lost, a perennial risk with outside providers. Should a firm need to terminate services with a third party or transfer substantial amounts of data, it is beholden to the protections implemented by a service provider with a smaller stake in the quality of the information and how it is organized; if an emergency arises, the matter is effectively out of the CIO's hands. The SEC's exams take these security concerns into account, and the SEC has been known to fine financial firms to the tune of six figures for vulnerabilities in their cybersecurity policies and procedures.

Along with outsourcing crucial IT services, many firms also struggle with the challenge of disparate data sets. This issue may arise in organizations that have grown or gone through multiple acquisitions, producing disordered data sets that reflect dissimilar organizational methods or priorities from different time periods. When the time comes for auditors to conduct exams, organizing this disjointed information into a unified format can prove challenging for compliance professionals.
How can forward-thinking CIOs effectively prepare their firms for audits? There are several straightforward, immediately actionable steps that CIOs can take to limit exposure and ensure compliance. Mainly, this means implementing adequate internal policies and procedures to ensure that the required data is properly maintained. IT staff should not be working in a vacuum and making isolated decisions concerning data -- firms should make sure their standard procedures are well known among employees, up to date, and easily accessible. Because data has to be maintained for six years or longer in order to address audit demands, these practices should be conceived and executed with longevity in mind.

A top priority of these internal measures should be streamlining how the firm's data is stored and presented. To facilitate easy access for both a regulator and the organization itself, the necessary information should be unified in a standardized format and consolidated into a single database. During audits concerning data from the previous two years, the SEC expects that information to be readily available for data requests. It is in firms' best interest to be able to pull this data up immediately, as regulators look poorly upon delays. Although it may be possible to request as much as two weeks' extension for more expansive audits, the more data is strewn all over the place, the longer it will take to assemble and the greater the risk of errors. As such, CIOs would benefit from conducting mock exams that test their firm's ability to respond to auditor requests. These should be conducted in collaboration with the organization's Compliance Department, using sample SEC Document Request lists obtained from industry associations such as the National Society of Compliance Professionals, the Investment Advisor Association, and the Investment Company Institute.
It is important to closely adhere to the sample instructions -- particularly when producing files containing specific fields requested by the regulator -- in order to best prepare for an audit's practical demands. More often than not, these mock exams turn up some form of data quandary. There are instances where the data simply does not exist in a format or location that can be easily accessed, or is so scattered that stitching it all together is incredibly time-consuming. Given the federal laws requiring that this data be produced in a timely manner, practice runs are an invaluable endeavor for all stakeholders.

The necessity of quality data compliance goes beyond business continuity, as failure to comply can lead to financial and legal exposure as well as certification losses. The forward-thinking CIO's data infrastructure should support the daily needs of middle- and back-office departments -- including compliance -- while foregrounding regulatory requirements. Correcting unruly data sets may seem daunting, but given the time, money, and goodwill that may be exposed to audits, it is as savvy and cost-effective a move as a CIO can make. Meaningful compliance may entail some expenses, but the financial cost and ripple effects of an unsuccessful audit could cripple an entity's ability to even conduct business.