Third-party attestations and surprise exams: A practical guide for registered investment advisors

For registered investment advisors (RIAs), compliance with SEC regulations isn’t just a best practice — it’s a necessity. Among the most critical and often misunderstood aspects of the custody rule (Rule 206(4)-2 under the Investment Advisers Act of 1940) are third-party attestations and surprise examinations. Whether you’re gearing up for your first surprise exam or tightening up your existing processes, preparation is key. Here’s what every RIA needs to know.
Understanding the landscape: Custody rule basics
The SEC’s custody rule is designed to protect client assets and ensure transparency. If an advisor is deemed to have “custody” of client funds or securities, whether directly or through related persons, it must (with limited exceptions) engage an independent public accountant to conduct an annual surprise examination and, where the advisor or a related person also acts as the qualified custodian, obtain a third-party attestation (an internal control report) as well.
This requirement often catches firms off guard, especially when custody is triggered in unexpected ways, such as:
- Serving as trustee or general partner.
- Possessing account login credentials.
- Affiliation with a qualified custodian.
Understanding whether your firm has custody — and to what extent — is the first step in avoiding compliance pitfalls.
The surprise exam: What to expect
A surprise examination is exactly what it sounds like. The certified public accountant (CPA) engaged by the RIA will perform an unannounced review of client assets to verify their existence and reconcile records.
Key components of a surprise exam include:
- Verification of client assets: The CPA will independently confirm balances with custodians and clients.
- Review of internal controls: How are client assets handled internally? Are segregation of duties and approval processes clearly defined?
- Procedural walk-throughs: The CPA will review and test procedures for fee deductions, disbursements and asset transfers.
The exam must be performed at least once each calendar year at a time chosen by the accountant without prior notice to the advisor. The accountant then files Form ADV-E with the SEC within 120 days of the date chosen for the examination, and must notify the SEC within one business day if the exam uncovers any material discrepancy.
Third-party attestations: An additional requirement
When an advisor or a related person serves as the qualified custodian for client assets, the custody rule requires the advisor to obtain an internal control report in addition to the surprise exam. In practice this is a SOC 1 Type 2 report under SSAE 18 (the successor to SAS 70 and SSAE 16). This third-party attestation evaluates the design and operating effectiveness of internal controls over custody functions.
RIAs must ensure that:
- An independent public accountant that is registered with, and subject to regular inspection by, the PCAOB performs the attestation.
- The report covers a period of no less than six months and is obtained at least once each calendar year.
- The scope includes client asset safeguarding controls, as outlined by the SEC.
Common pitfalls and how to avoid them
1. Misunderstanding custody triggers
Many advisors mistakenly believe they don’t have custody. The SEC has cited RIAs for failing to recognize custody via standing letters of authorization (SLOAs), password possession or through related-party arrangements.
How to avoid it: Conduct a thorough internal review to identify any actions or relationships that could trigger custody status, and document the conclusion for each. Note that custody arising solely from an SLOA that meets the conditions of the SEC staff’s 2017 no-action letter does not require a surprise exam, but it must still be reported on Form ADV. Consult compliance professionals or legal counsel when in doubt, particularly if your firm lacks internal knowledge in this area.
2. Inadequate recordkeeping
Poor documentation — whether related to client authorizations, account statements or internal controls — is a red flag during examinations.
How to avoid it: Maintain detailed, centralized records of all client transactions, disbursement instructions and account access rights.
3. Unpreparedness for surprise exams
Firms often scramble when an exam is initiated, resulting in delays or findings.
How to avoid it: Conduct mock exams, simulate document requests and be sure your team knows how to respond quickly and efficiently to inquiries.
4. Insufficient internal controls
Even well-intentioned advisors can encounter problems when roles are unclear or processes are not consistently followed.
How to avoid it: Implement documented internal control procedures and review them regularly. Engage an external consultant to assess control design and effectiveness.
Best practices for reducing risk
- Engage the right CPA: Ensure your accountant is independent, experienced in RIA compliance and, where your firm or a related person acts as qualified custodian, registered with and inspected by the PCAOB.
- Create a compliance calendar: Mark key deadlines, including fiscal year-end, report due dates and attestation updates.
- Conduct training and simulations: Prep your team for audits just like you would for any client-facing initiative.
- Communicate with clients: Let clients know their cooperation may be required, especially if your CPA needs to contact them directly.
- Review SEC guidance regularly: Stay current with regulatory updates and evolving interpretations of custody rules.
Surprise exams and third-party attestations don’t have to be stressful if you’re prepared. With the right planning, internal controls and external partners, RIAs can navigate these requirements confidently and maintain a strong compliance posture. Being proactive today means fewer surprises tomorrow.
How Wipfli can help
Wipfli’s investment advisory specialists provide experienced guidance through all aspects of SEC compliance and surprise exams. We can help identify compliance gaps, develop robust internal controls and keep you ahead of regulatory changes with tailored solutions that fit your firm’s specific needs. Contact an advisor today to get started.