How They Work
Checklists are nothing new. They have been used in one form or another for centuries. The checklists that make up the KeVer On-Line Review System (KORS) differ in that they are specifically designed to address the unique requirements of firms subject to securities laws, rules and regulations and their obligations and responsibilities as registered entities. KORS was created solely to provide CCOs with one method to address a variety of compliance requirements and help reduce the administrative burden associated with fulfilling those requirements. KORS was also designed to give CCOs a means to leverage other available personnel to assist in situations where compliance resources may be limited.
The Review Requirement
Compliance reviews are necessary to a proactive compliance program. Regular periodic reviews are essential to the firm’s ability to determine if necessary controls are in place to prevent, detect and correct prohibited practices or unlawful conduct; and, are essential to establishing a reasonable belief that the controls are effective and working as intended. KORS Checklists simplify the review process by providing a “grab and go” tool that helps compliance identify, at an early stage, compliance problems and practices that place the firm at risk and could harm clients/customers.
At the beginning of each checklist you will find “Compliance Objectives” which are an expression of stated requirements based on the rules, regulations and other source documents that govern or speak to the business area or activity being reviewed. Compliance Objectives are not all inclusive and may be expanded depending on the purpose of the review and Chief Compliance Officer (CCO) directions regarding the review. These objectives are provided to lend focus to the review and express what should be accomplished based on regulatory requirements.
The Compliance Objectives are followed by six columns. Column One contains tracking numbers for easy reference. Column Two contains Subject Matter Queries (SMQ) which are statements, in question form, about regulatory requirements, compliance obligations and responsibilities, business activities, firm policies, procedures and processes, and other compliance-related subjects derived from the primary regulatory authorities and various other sources. Each Subject Matter Query should be thoroughly examined using a variety of techniques (e.g., interviews, sampling, reviews, etc.) to ensure responses are true and accurate.
Columns Three, Four and Five represent the three possible responses, YES, NO or N/A (Not Applicable), available for each Subject Matter Query in Column Two. Place a check (✓) or “X” in the column, as appropriate, when the response matches one of the response descriptions detailed below. The color/shaded bars running across these columns are blockers that indicate questions or statements where no response is required in the blocked/shaded area of the checklist.
A YES response (Column 3) indicates that the firm is in compliance with the law, rule and regulation and is fulfilling all associated compliance requirements or obligations. Stated compliance objectives are achieved. There are internal controls and compliance systems in place that are adequate and sufficient to ensure compliance, are working as expected or intended; and, the firm has or is able to produce documental evidence to support compliance claims.
NO responses (Column 4) indicate that no documental evidence exists or the evidence provided is not sufficient to support compliance. Internal controls and compliance systems are insufficient or do not exist, or are not operating as intended. Written policies and procedures do not exist or those the firm has adopted are weak or deficient and the way things are actually being done differ from established policies and procedures. Stated compliance objectives have not been met.
Since firms have different business models, structures, operations, and other unique characteristics, not every checklist or item on a checklist will apply to all firms. A check (✓) or “X” in this column (Column 5) indicates that the reviewer has assessed the subject area or activity; and, based on that assessment has determined that the item or checklist does not apply to the firm’s business model. The person conducting the review should be able to explain, if necessary, how this conclusion was reached and provide an adequate and truthful explanation in the firm’s disclosure documents where necessary and required.
Column 2 may also contain Reviewer’s Notes. These are statements following SMQs that clarify a requirement, provide definitions and other information of note that a reviewer should understand, look for or consider during the course of the review, or recommended actions a reviewer should take to get documental evidence of compliance. Not all checklists or all Subject Matter Queries will have Reviewer’s Notes. Reviewer’s Notes, like the Compliance Objectives, are not all inclusive and may be further defined or added to, as appropriate and necessary by the CCO, to ensure a thorough review that addresses firm-specific compliance issues or concerns is conducted.
Responsible party (Column 6) refers to the individual(s) designated responsibility for administering, supervising, maintaining or keeping accurate and up-to-date records related to subject areas in Column 2. These individuals are the primary points of contact for the Reviewer and compliance staff for anything that pertains to his/her area of responsibility. Enter the name of the designated individual(s) in Column 6.
Each responsible party should be knowledgeable of the subject area and capable of producing records in a timely manner. The Responsible Party also works with the Reviewer to help ensure he/she fully understands how something is done and the processes used relevant to their area of responsibility. The Responsible Party should be able to produce documents or other electronically-generated data as required and in a timely manner.
In order for KORS to be an effective compliance tool, the person(s) conducting the reviews must seek to understand, for each item on the checklist: how the firm complies with the requirement; how the firm ensures its policies and procedures are adequate; what kind of tests are performed to ensure implementation methods and internal controls are working; who is responsible for supervision and other aspects of compliance; when certain activities are conducted or reported; and, in the event compliance is not working in a given area, why.
Toward this end, the Reviewer must collect and review a representative sample of documents and conduct interviews necessary and appropriate to ensure he/she has a true picture and understands how the firm actually complies with a given requirement, and whether the manner in which the firm complies is in accordance with established policies, procedures and processes, rules and regulations, and as disclosed.
If the Reviewer is a person other than the CCO, he/she should document interviews, create process workflows and take other measures that will give the CCO a clear, overall view of compliance in the area reviewed.
The Reporting Requirement
Compliance program requirements include specific executive level and senior management reporting responsibilities with respect to compliance assessments and plans to address issues uncovered in the reviews. KORS Checklists help support the reporting structure by providing information that may be used as the basis for compliance reports submitted to the firm’s board of directors and top management on the effectiveness of the firm’s compliance system.
The Checklists not only provide information about the subjects covered during the review; SMQ responses also provide information about what is being done well, areas of weakness and areas where material compliance breaches have been identified, all of which should be reported to the executive level.
The Training Requirement
Compliance training for employees, whether a mandatory regulatory requirement or not, is necessary to an effective compliance system. The training component of compliance helps reduce regulatory risks by ensuring employees understand the firm’s compliance policies and procedures and their obligations with respect to those policies and procedures.
KORS Checklists may be used to meet the firm’s annual or periodic compliance training requirements. Column Four responses, when checked, indicate deficiencies in compliance; these should be assessed, and training provided according to the results of that assessment (e.g., individual or group training, one-time or ongoing). Simply circle the item(s) to be trained or conduct training on all items with a “NO” response and use the Checklist to develop the training plan.
The Documentation Requirement
Documenting the actions of compliance staff and being able to show regulatory authorities how the firm complies with laws, rules and regulations that govern the firm’s businesses and activities is essential to an effective compliance program. KORS Checklists help support the documentation requirement by giving CCOs a record of reviews conducted, including: what was reviewed, by whom, when, and for what period of time. The Checklists will also provide documental evidence of actions taken as a result of the review, through workpapers and other documents that contain reports, analyses, conclusions, opinions and other data collected during the review and attached to or filed with the Checklist.