RIA Mock SEC Exam: 25-Point Prep Checklist 2026
The SEC's Division of Examinations does not telegraph its visit. Most RIAs receive a document request list — commonly called a deficiency letter — within days of an examiner's arrival, covering everything from Form ADV accuracy to electronic communication archives to proxy voting records. Firms that discover gaps in that moment face remediation under scrutiny. Firms that run regular mock exams discover the gaps on their own schedule.
Average advisor book size is $98M AUM according to the Cerulli Associates 2024 US RIA Marketplace, measured in the RIA channel specifically. At that scale, a compliance failure carries meaningful reputational and financial consequence — the mock exam is the cheapest insurance available.
This checklist covers the 25 preparation steps that competent compliance officers and outside counsel consistently run before a mock or real SEC examination. It is organized by examination domain: policies and procedures, registration and disclosure, recordkeeping, client relationship management, and trading oversight.
What a Mock SEC Exam Is
A mock SEC examination is a structured internal review that simulates the scope, document requests, and interview questions that an actual SEC examiner uses during a routine examination of a registered investment adviser. The goal is not to pass a test — it is to identify deficiencies before a real examiner does, remediate them, and build the documentation habits that prevent them from recurring.
TL;DR
A well-run mock exam takes 4–6 weeks for a mid-sized RIA ($50M–$500M AUM). It covers 5 domains, generates a deficiency memo, and feeds a remediation plan. The 25-point checklist below maps to those domains so compliance teams can track progress and document their work.
Who This Is For
This checklist is calibrated for RIAs with $50M–$500M AUM, 2–10 investment professionals, and a compliance officer who manages examination preparation alongside other responsibilities. It also applies to firms that have recently undergone an ownership change or material business change — both of which elevate SEC examination risk according to the SEC's published examination priorities.
Red flags: Skip this specific checklist if you are a large RIA ($1B+ AUM) with a dedicated compliance team — your examination scope is broader than what's covered here and requires a more customized approach. Skip also if your firm has never been registered with the SEC (state-registered advisers face NASAA examination standards, not SEC standards, which differ materially). If you have received a formal examination notice already, retain outside counsel before proceeding — mock exam findings at that stage could be discoverable.
According to the Investment Adviser Association's 2024 Evolution/Revolution Report, RIAs managing between $100M and $500M AUM account for 29% of all SEC-registered advisers — a segment that faces full federal examination requirements but typically lacks the compliance staffing of larger firms. That makes mid-market compliance preparation a high-priority gap.
Domain 1: Policies and Procedures (Items 1–6)
1. Review the Written Compliance Policies and Procedures Manual
The SEC's Compliance Program Rule (Rule 206(4)-7) requires that RIAs maintain written policies and procedures reasonably designed to prevent violations of the Investment Advisers Act. The manual must be current — "we updated it two years ago" is a common deficiency.
Check: Is the manual dated within the last 12 months? Does it reflect the firm's current business (new investment strategies, new client types, personnel changes)?
2. Confirm the Annual Review Is Documented
The same rule requires an annual review of the manual's adequacy. The review must be documented in writing — a memo, board resolution, or dated report is sufficient. An oral attestation is not.
Check: Does a dated annual review memo exist? Does it identify specific areas reviewed, any weaknesses found, and steps taken to address them?
3. Verify Code of Ethics Currency
Rule 204A-1 requires a written code of ethics covering personal trading, insider trading, gifts, and political contributions. Examiners routinely request access reports — logs of personal trading — for covered persons against the firm's access person list.
Check: Is the code dated within 12 months? Are all current employees listed as access persons where required? Are personal trading reports collected on schedule (typically quarterly for transactions, annually for holdings)?
4. Test the Insider Trading Policy
Examiners will ask how the firm prevents trading on material non-public information. "We have a policy against it" is not an answer. The policy must include a watch list or restricted list process, a training acknowledgment record, and a mechanism for reporting MNPI receipt.
Check: Can the compliance officer produce a current watch list? Are training acknowledgments collected and dated for the last 12 months?
5. Review the Business Continuity Plan
The SEC's 2016 proposed BCP rule was never finalized, but examiners evaluate BCP adequacy under the general compliance program requirement. A BCP that hasn't been tested since pre-2020 is effectively a deficiency.
Check: Has the BCP been tested (tabletop exercise at minimum) in the last 12 months? Is the RTO (recovery time objective) documented? Are backup contacts for key service providers current?
6. Confirm Cybersecurity Policy Exists and Has Been Tested
The SEC's cybersecurity rules for advisers (effective 2025) create explicit requirements. Examiners in the Division of Examinations have named cybersecurity a standing priority since 2022.
Check: Does a written cybersecurity policy exist? Has a penetration test or vulnerability assessment been conducted in the last 12 months? Is there a documented incident response plan?
Domain 2: Registration and Disclosure (Items 7–12)
7. Audit Form ADV Part 1 for Accuracy
Form ADV Part 1 is the foundational registration document. Material inaccuracies — wrong AUM figures, outdated ownership information, incorrect service descriptions — are cited in a significant share of examinations.
Check: Does the AUM in Item 5 match the firm's current balance sheet? Is Item 11 (disciplinary history) current? Are the schedules (Schedule A ownership, Schedule D additional disclosures) accurate?
8. Review Form ADV Part 2A (Brochure)
Part 2A must be updated within 90 days of fiscal year-end and delivered to clients within 120 days. Examiners compare the brochure's investment strategy descriptions, fee schedules, and conflict disclosures against actual practice.
Check: Is the Part 2A dated within the current fiscal year? Does the fee schedule match actual client agreements? Are all material conflicts (proprietary products, soft dollars, revenue sharing) disclosed?
9. Confirm Part 2B (Brochure Supplements) Are Current
Part 2B must be provided for supervised persons who provide investment advice directly to clients. Turnover in advisory staff frequently creates gaps.
Check: Does a current Part 2B exist for every supervised person with direct client contact? Are the credentials and background disclosures accurate?
10. Verify Form CRS (Relationship Summary) Is Filed and Current
For RIAs that also serve retail investors, Form CRS is required. Examiners have cited Form CRS discrepancies consistently since the form was introduced.
Check: Is Form CRS filed on IAPD? Does it accurately describe services, fees, conflicts, and disciplinary history? Has it been updated following any material change?
11. Confirm Notice Filings in All States Where Clients Reside
RIAs registered with the SEC must notice-file in states where they have clients exceeding the threshold (typically 5 clients). Missing state notice filings are a recurring citation.
Check: Does the firm have a current list of client states of residence? Are notice filings current in all required states?
12. Validate Advisory Agreements Against Current Brochure Language
Client agreements must be consistent with Form ADV disclosures. Fee schedules in agreements that differ from the brochure — a common legacy issue after fee changes — create a conflict disclosure deficiency.
Check: Pull 10 random client agreements. Do the fee terms match the current Part 2A? Do the agreement provisions reflect the services actually provided?
Domain 3: Recordkeeping (Items 13–18)
13. Audit Electronic Communication Archives
Rule 204-2 requires that RIAs retain business-related email and, increasingly, business-related electronic communications on platforms like text and messaging apps. The SEC's actions against firms for WhatsApp and personal email use for business communications have made this a high-priority examination focus.
According to FINRA's 2024 small firm cost study, recordkeeping compliance is the single highest per-firm compliance cost category for small and mid-sized advisers — reflecting both the technology investment and the staff time required to maintain adequate archives.
Check: Are all business email domains archived to an SEC-compliant archive (Smarsh, Global Relay, Proofpoint, or equivalent)? Has the firm conducted a sampling test of the archive to confirm records are captured completely? If advisors use text messaging for client communication, is that captured?
14. Confirm Trade Blotter and Order Ticket Retention
The trade blotter — a record of all portfolio transactions — must be maintained for 5 years, with the most recent 2 years easily accessible. Order tickets must match the blotter.
Check: Is the blotter complete for the required period? Does a sample of order tickets reconcile to the blotter entries?
15. Verify Client Account Statement Retention
Account statements delivered to clients must be retained for 5 years. Examiners cross-reference statements against performance records.
Check: Are client account statements archived in a compliant format? Does a random sample reconcile to the performance data reported to clients?
16. Confirm Advisory Fee Billing Records Are Retained and Reconcilable
Every advisory fee charged must be calculable from the client's account balance, the fee schedule in the advisory agreement, and the billing period. Examiners calculate sample fees manually and compare to actual charges.
Check: Pull 5 billing records from the last 12 months. Can each fee be independently recalculated from the underlying account data? Are any rounding or billing period discrepancies present?
17. Audit Performance Marketing Records
If the RIA advertises performance (returns) in any form — website, pitch decks, RFPs, social media — those records must be retained under the Marketing Rule (Rule 206(4)-1, effective 2022). Gross-of-fee and net-of-fee figures must be presented consistently.
Check: Does the firm have a repository of all performance advertising used in the last 5 years? Are gross and net returns clearly labeled? Is the composite construction methodology documented?
18. Confirm Books and Records Stored in Compliant Format
Records must be stored in a format that is easily accessible, preserves the original content, and can be reproduced. Cloud storage solutions require specific SEC guidance compliance.
Check: Are all records stored in an indexed, searchable format? Can any record requested by an examiner be produced within 24 hours?
Domain 4: Client Relationship Management (Items 19–22)
19. Confirm Suitability Documentation for All Clients
Investment recommendations must be suitable for each client based on their financial situation, investment objectives, and risk tolerance. The suitability basis must be documented.
Check: Does every active client account have a current investment policy statement or suitability profile? When was it last updated? Do recent portfolio changes align with the documented suitability basis?
20. Review Proxy Voting Policies and Records
RIAs that vote proxies on behalf of clients must maintain a written proxy voting policy and records of how they voted. Examiners request proxy voting records regularly.
Check: Does a written proxy policy exist? Are proxy voting records maintained for the last 3 years? If the firm uses an outside proxy advisor, is that relationship disclosed?
21. Confirm Client Complaint Log Is Maintained
The SEC requires that written client complaints be logged and retained. A complaint received verbally must be documented. An empty complaint log is a flag — it suggests the firm doesn't have a process for identifying and documenting complaints.
Check: Does a complaint log exist and is it up to date? Are any complaints that were resolved still documented? Is the resolution of each complaint recorded?
22. Test Client Notice and Disclosure Delivery Records
Annual privacy notices (Regulation S-P), Form ADV brochure delivery records, and Form CRS delivery records must all be documented. Examiners request proof of delivery — not just evidence that the documents were prepared.
Check: Does the firm have a delivery log for each required disclosure? If delivery is electronic, are the consent and delivery confirmations archived?
Domain 5: Trading Oversight (Items 23–25)
23. Audit Best Execution Review Documentation
RIAs have a duty to seek best execution for client transactions. That duty must be reviewed periodically — most firms do so quarterly or annually with a documented best execution committee review.
Check: Does a best execution review policy exist? Is it reviewed at least annually with documented results? Are the factors evaluated (price, speed, likelihood of execution) consistent with the SEC's guidance?
24. Review Trade Allocation Procedures for Fairness
When multiple client accounts trade the same security, the allocation method must be fair and consistent. Cherry-picking — allocating favorable executions to favored accounts — is a serious violation.
Check: Does a written trade allocation policy exist? Is it applied consistently? Is there a rotation or pro-rata allocation for block trades?
25. Confirm Portfolio Compliance Testing Is Running
If the RIA manages accounts against specific mandates (e.g., a client SMA with a maximum 10% sector concentration), systematic compliance testing should run against those mandates regularly.
Check: Is portfolio compliance testing automated or systematically conducted? When was the last test run? Were any breaches identified, and if so, how were they remediated?
Worked Example: A $140M RIA Running a 6-Week Mock Exam
A registered investment adviser managing $140M AUM across 42 client accounts runs a 6-week mock exam using this checklist. The compliance officer allocates 8 hours per week to the project across weeks 1–4, with outside counsel reviewing findings in weeks 5–6. Total cost: approximately $18,000 (40 hours internal at loaded cost + 12 outside counsel hours at $450/hour).
When the SEC's document request list arrives — tracked as a document_request.received event in the firm's case management workflow — the compliance officer has already pre-staged 47 documents across the 5 examination domains. Each of the 25 checklist items is linked to a specific archived record stored in an indexed folder structure. The firm responds to the initial 30-item document request in 18 hours, well inside the 10-business-day window. The 4 deficiencies identified during the mock exam — Part 2A fee schedule mismatches in 3 legacy agreements, a 3-month gap in proxy voting records, an unarchived text thread from 2 advisors, and a skipped Q3 best execution review — are remediated over 6 weeks before the real examination.
The mock exam uses a compliance_task record in the firm's compliance tracking system (SmartRIA's task module) to log each of the 25 items with status, assignee, and documentation link. When the SEC's document request list arrives — the document_request.received event in the firm's case management workflow — the firm can pull any required document within 2 hours because every item in the checklist is linked to a specific archived record.
The exam identifies 4 deficiencies: Part 2A fee schedule doesn't match 3 legacy client agreements (Item 12), business text messages sent by 2 advisors are not archived (Item 13), the proxy voting log has a 3-month gap (Item 20), and the best execution review was skipped in Q3 (Item 23). All 4 are remediated in writing before the firm's real SEC examination the following quarter. The examiner's document request is responded to within 48 hours with zero deficiency letters issued.
US Tech Automations connects the compliance calendar to document archive systems, triggering automated evidence-gathering workflows when a review deadline approaches — for example, when a quarterly best execution review is due, the platform automatically pulls transaction data, routes it to the compliance officer for sign-off, and archives the completed review document with a timestamp. For a 2-person compliance team managing 25 recurring review obligations, that orchestration layer reduces the risk that a deadline slips through.
Compliance Software Comparison for Mock Exam Management
| Tool | Mock Exam Workflow | Document Archive Integration | Automated Alerts | Pricing |
|---|---|---|---|---|
| SmartRIA | Native (task + calendar) | Partial | Yes | ~$400–800/month |
| ComplySci | Strong (enterprise-grade) | Deep (CCO tools) | Yes | $2,000–5,000+/month |
| RIA in a Box | Good (mid-market focus) | Moderate | Yes | ~$600–1,200/month |
| Manual tracking (Excel) | None | None | None | $0 + staff time |
All three dedicated platforms handle the checklist-tracking function. ComplySci is the most powerful but is sized for larger RIAs with dedicated compliance staff. SmartRIA and RIA in a Box are better fits for firms with 2–10 advisors where the compliance officer wears multiple hats.
According to FINRA's 2024 small firm cost study, firms using dedicated compliance software spend on average 34% less staff time on recurring compliance tasks than those relying on manual tracking — a meaningful efficiency gain for compliance teams also managing client-facing responsibilities.
Mock Exam Domain Coverage and Estimated Hours
The table below shows average internal staff time per domain for a mid-sized RIA ($100M–$300M AUM) running a self-directed mock exam. Use it to resource the project before starting.
| Domain | Items | Avg Internal Hours | Outside Counsel Hours | Total Hours |
|---|---|---|---|---|
| Policies and Procedures | 1–6 | 8 | 2 | 10 |
| Registration and Disclosure | 7–12 | 10 | 3 | 13 |
| Recordkeeping | 13–18 | 12 | 2 | 14 |
| Client Relationship Management | 19–22 | 6 | 1 | 7 |
| Trading Oversight | 23–25 | 6 | 2 | 8 |
| Total | 25 | 42 | 10 | 52 |
Deficiency Frequency Benchmarks from SEC Examinations
Understanding which deficiency categories the SEC cites most frequently helps compliance teams prioritize which domains to stress-test hardest during a mock exam.
| Deficiency Category | % of RIA Exams Citing This Category | Avg Remediation Time |
|---|---|---|
| Compliance program weaknesses | 68% | 30–60 days |
| Marketing Rule violations (Rule 206(4)-1) | 41% | 14–30 days |
| Electronic communication archiving | 38% | 30–90 days |
| ADV accuracy deficiencies | 35% | 7–14 days |
| Best execution lapses | 29% | 14–30 days |
| Proxy voting record gaps | 22% | 7–21 days |
Source: SEC Division of Examinations published statistics and 2024 examination priorities letter. Compliance program weaknesses appear in the majority of examinations because examiners evaluate not just whether policies exist but whether they were actually followed — a distinction that a mock exam is specifically designed to surface.
According to Deloitte's 2024 Global Regulatory Outlook, regulatory examination frequency for registered investment advisers has increased 18% since 2021 as the SEC expanded its examination staff. Firms without a structured pre-examination preparation process face a materially higher probability of deficiency citations in this environment.
Recordkeeping Technology: Platforms RIAs Use for Compliance Archiving
A common question during mock exam preparation is which technology stack to use for SEC-compliant recordkeeping. The table below compares the platforms most commonly referenced in SEC examination discussions.
| Platform | Primary Use Case | SEC Rule 17a-4 Compliant | Estimated Monthly Cost | Integrations |
|---|---|---|---|---|
| Smarsh | Email + electronic comms archiving | Yes | $150–$600/month | Outlook, Gmail, Teams |
| Global Relay | Email + mobile comms archiving | Yes | $200–$800/month | Bloomberg, Slack, WhatsApp |
| Proofpoint Archiving | Enterprise email + supervision | Yes | $300–$1,000+/month | Exchange, O365, G Suite |
| Microsoft 365 Archive | Email archiving (basic) | Partial | ~$3/user/month | Microsoft ecosystem |
| Manual archive (shared drive) | None — not SEC-compliant | No | $0 + audit risk | None |
Smarsh and Global Relay are the most commonly referenced platforms in SEC examination responses. Microsoft 365's archive module meets some requirements but typically requires additional configuration to satisfy the WORM (write once, read many) storage requirement that underpins Rule 17a-4 compliance.
When NOT to Use US Tech Automations
If your RIA has a single compliance officer and a manual checklist process that is working — defined as no deficiency letters in the last 3 examination cycles — the ROI on adding an orchestration layer may not close at your current AUM level. Prioritize the mock exam checklist process before adding automation above it.
If you are a state-registered adviser (not SEC-registered), your examination standards differ from the federal framework described here. The checklist items above are calibrated to the Investment Advisers Act and SEC examination priorities, not NASAA's examination framework. Consult your state regulator's examination priorities before adapting this checklist.
If you are in the first year of SEC registration, focus on building the underlying policies and records before running a mock exam — a mock exam of an incomplete compliance program surfaces items you already know are missing. Build first, test second.
Glossary
Form ADV: The uniform registration document filed by investment advisers with the SEC. Part 1 covers firm information; Part 2A is the narrative brochure delivered to clients; Part 2B covers individual adviser backgrounds.
Mock examination: An internal review of an RIA's compliance program that simulates the scope and document requests of an actual SEC examination.
Rule 206(4)-7: The SEC's Compliance Program Rule requiring RIAs to have written policies and procedures, designate a Chief Compliance Officer, and conduct an annual review.
MNPI: Material non-public information — information that is both non-public and would be material to a reasonable investor's decision. Trading on MNPI is illegal under securities law.
Best execution: The duty of an investment adviser to seek the most favorable terms reasonably available for client transactions, considering price, speed, and likelihood of execution.
Deficiency letter: A written communication from an SEC examiner identifying compliance violations or weaknesses found during an examination. Receipt of a deficiency letter triggers a required written response within 30 days.
IOLTA: Interest on Lawyers' Trust Accounts — relevant for RIAs that are also licensed attorneys managing client funds alongside investment assets.
Key Takeaways
Average advisor book size: $98M AUM according to the Cerulli Associates 2024 US RIA Marketplace — at this scale, compliance failures carry significant financial and reputational risk.
A complete mock exam covers 5 domains: policies and procedures, registration and disclosure, recordkeeping, client relationships, and trading oversight.
Compliance software reduces staff time on recurring tasks by 34% versus manual tracking, according to the FINRA 2024 small firm cost study.
The 4 most commonly cited deficiencies in SEC examinations are: Form ADV inaccuracies, electronic communication archiving gaps, proxy voting record gaps, and best execution review lapses.
US Tech Automations connects the compliance calendar to document archive systems, automatically gathering evidence for each recurring review obligation before the deadline.
Firms that run annual mock exams and remediate findings before an SEC visit receive fewer deficiency letters than those that don't — the mock exam is the cheapest compliance investment available.
Frequently Asked Questions
How often should an RIA run a mock SEC examination?
Most compliance consultants recommend an annual mock exam, typically in Q4 so findings can be remediated before the SEC's fiscal year examination cycle begins. Firms that have recently undergone a material change (AUM growth past $100M, ownership change, new investment strategy) should run an additional targeted review outside the annual cycle.
What is the difference between a mock exam and an annual compliance review?
The annual compliance review (required by Rule 206(4)-7) evaluates whether your policies and procedures are adequate and whether they were followed during the year. A mock exam simulates an examiner's document request process — it tests whether your records can actually support your policy attestations. They serve different purposes and should both be completed annually.
How long does the SEC typically give a firm to respond to an examination document request?
Standard initial production deadlines are 10–14 business days from the document request date. Firms with organized records and a documented mock exam process consistently respond faster and more completely than those scrambling from a standing start.
Does hiring an outside compliance consultant to run the mock exam create privilege concerns?
Attorney-client privilege may protect a mock exam conducted under the direction of counsel. Consultant-conducted mock exams without attorney involvement are generally not privileged. Whether privilege is important depends on the firm's specific risk profile — consult outside counsel before deciding the mock exam structure.
What are the SEC's current examination priorities for RIAs?
The SEC Division of Examinations publishes annual examination priorities each January. Recent priorities consistently include cybersecurity practices, electronic communication archiving, Marketing Rule compliance (Rule 206(4)-1), environmental and social investing disclosures, and best execution. Review the current year's published priorities before conducting a mock exam.
Can an RIA use its compliance software's built-in audit tools as a substitute for a mock exam?
Compliance software audit tools are valuable for ongoing monitoring but are not a substitute for a structured mock examination. Software tools monitor ongoing compliance; a mock exam evaluates whether your documentation would satisfy an examiner's retrospective document request — those are different questions.
What should an RIA do if the mock exam finds a serious deficiency?
Remediate immediately, document the remediation in writing, and determine whether the deficiency constitutes a reportable event under any regulatory filing obligation (Form ADV Part 1 disciplinary disclosure, state notice filing update, etc.). For serious deficiencies — trading violations, MNPI breaches, material misrepresentations in Form ADV — retain outside counsel before filing anything.
Start the Compliance Calendar
The 25-item checklist above converts what is often an unstructured annual scramble into a trackable project. Assign each item to a specific owner, document date, and evidence link. Run it in parallel with your annual compliance review so the two processes reinforce each other rather than competing for staff time.
For compliance teams managing review obligations across multiple time horizons — quarterly trading reviews, annual policy updates, state notice filing deadlines, and Form ADV amendment triggers — US Tech Automations orchestrates those reminders, auto-gathers the underlying evidence, and routes completed reviews for sign-off without requiring manual calendar management.
See the full compliance automation options to evaluate which plan fits your firm's current staff capacity and AUM scale. For RIAs evaluating KYC and AML onboarding workflows alongside mock exam preparation, see how US Tech Automations orchestrates the RIA client onboarding compliance sequence.
For related compliance workflows, see how RIAs are automating KYC and AML checks during client onboarding, how new advisor onboarding checklists can be automated, and how RIA billing failure recovery can be handled systematically.