chevron-down Created with Sketch Beta.

The Business Lawyer

Winter 2021-2022 | Volume 77, Issue 1

What Lawyers Need to Know About Broker-Dealer Audit Requirements

Michael P Jamroz


  • Almost every broker or dealer conducting a general securities business registered with the Securities and Exchange Commission (“SEC” or “Commission”) must comply with SEC Rule 17a-5, “Reports to be made by certain brokers and dealers.” Among other things, Rule 17a-5 requires all registered broker-dealers to obtain an audit from an independent public accounting firm registered with the Public Company Accounting Oversight Board (“PCAOB”). Following the Madoff fraud, Congress gave the PCAOB complete jurisdiction over broker-dealer audits and Rule 17a-5 was amended to, in addition to the previously required audit of financial statements, require (1) broker-dealers that have custody of investor assets to have their PCAOBregistered independent public accountants report on the internal controls related to compliance with SEC Rules 15c3-1, 15c3-3, 17a-13, and the customer statement rules of the Financial Industry Regulatory Authority (“FINRA”), and (2) broker-dealers that do not maintain custody of customer assets to have their PCAOB-registered independent public accountants review their compliance with the Rule 15c3-3 exemptions.

    Attorneys routinely are not involved in the audit and other attest work done by auditors and are generally brought in when an issue has been raised. At that point, the field work is near completion, and the attorney is challenged with having to quickly become familiar with Rule 17a-5 and the related attest processes and standards. This article provides an overview of the Rule 17a-5 attest requirements with references to applicable PCAOB auditing and attestation standards, with a particular focus on items that frequently arise in discussions with securities counsel.
What Lawyers Need to Know About Broker-Dealer Audit Requirements

Jump to:


With few exceptions, a broker-dealer conducting a securities business that is required to register with the SEC under section 15(b) of the Securities Exchange Act of 1934 (“Exchange Act”) must comply with Rule 17a-5. Generally, Rule 17a-5 requires broker-dealers to file certain financial reports and to engage a PCAOB-registered independent public accountant (“Registered Public Accountant”) to annually audit its financial statements and perform certain additional attest services. For the most part, compliance with Rule 17a-5 falls within the domain of the financial accounting, regulatory reporting, and operations departments of securities firms and lawyers in the firm are not routinely involved. When the auditor discovers a problem that may require a regulatory notification or report, the firm’s in-house lawyers or its outside counsel are then frequently consulted. Typically, they are then faced with quickly becoming familiar with Rule 17a-5 at a stage when time is critical, and the issue may be important to the firm. This article will provide a brief history of the rule, describe the audit and other attest reports broker-dealers are required to obtain, and reference the auditing and attestation standards generally applicable to those reports. Special attention will be given to common areas of concern that lawyers typically face once they become involved.

Brief History of Rule 17a-5

Rule 17a-5 was adopted by the Commission on November 28, 1942, one month after it adopted Rule 15c3-1, known as the Net Capital Rule, also applicable to all SEC-registered broker-dealers. The original rule called for a report on financial condition certified by a certified or independent public accountant but did not require all SEC-registered broker-dealers to obtain it. In addition to those firms that were already required to obtain a certified audit by a state or another agency, firms that had a practice of (1) extending credit, (2) safeguarding securities, or (3) carrying credit balances of customers were required to obtain a certified audit.

The certification requirement stayed largely intact until the 1970s. In 1967, large increases in trading volume caused firms serious problems in trade processing known as the “Paper Work Crisis,” which was followed by a severe market downturn that led to the failure of several large brokerage firms. Those events gave rise to congressional action and a flurry of SEC activity. Congress enacted the Securities Investor Protection Act of 1970 (“SIPA”), which created the Securities Investor Protection Corporation (“SIPC”), and which called for Commission rulemaking to “provide safeguards with respect to the financial responsibility and related practices of brokers and dealers including, but not limited to, the acceptance of custody and use of customers’ securities, and the carrying and use of customers’ deposits or credit balances,” resulting in the adoption of the SEC’s Customer Protection Rule. In 1972, the Commission amended Rule 17a-5 to require broker-dealers to provide a statement to their customers when their independent public accountants commented on “any material inadequacies found to exist in [their] accounting system[s], internal accounting controls, procedures for safeguarding securities, or the procedures followed in complying with [Rule] 17a-13” and that a copy of “such report and comments” was available for inspection at the SEC. The Securities Acts Amendments of 1975 amended Section 17(e) of the Exchange Act to require annual audited financial statements of all broker-dealers whether or not they extended credit or handled customer property. Later that year, the Commission amended Rule 17a-5 to conform with the amended Exchange Act. In the same release, the Commission required a broker-dealer to obtain from an independent public accountant two supplemental reports: (1) an opinion related to the status of its SIPC membership and SIPC fees, and (2) a report on any material inadequacies found to exist at the audit date. In 1977, the Commission added a definition of the term “material inadequacy” to the rule.

The revelation of the Madoff fraud in 2008 spurred additional congressional and Commission action. In 2010, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), which granted the PCAOB complete jurisdiction over broker-dealer audits. In 2013, the Commission amended Rule 17a-5 (“2013 Amendments”) to require that the audits of broker-dealers are done under PCAOB standards, by a Registered Public Accountant, and to replace the material inadequacy report requirement with the Compliance and Exemption Reports discussed below. As the 2013 Amendments gave rise to the rule as it exists today, those amendments will be the primary focus of this article, along with some interpretive guidance that has been issued in the meantime.

Overview of Audit Standards

Two organizations are responsible for setting professional auditing standards, the American Institute of Certified Public Accountants (“AICPA”) and the PCAOB. The AICPA issued Statement on Auditing Procedure No. 1 in October 1939 following the financial scandal that occurred at McKesson & Robbins. The PCAOB was created by the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) following the failures of WorldCom and Enron. Sarbanes-Oxley required auditors of broker-dealers and public companies to register with the PCAOB and mandated the PCAOB to adopt auditing standards for its Registered Public Accountants to follow for public company audits. While AICPA and PCAOB standards bear similarities, there are differences. The SEC’s 2011 Proposing Release identified two differences that existed at the time: (1) The audit-documentation requirements contained in PCAOB Auditing Standard (“AS”) No. 3 were not required by Generally Accepted Auditing Standards (“GAAS”); and (2) The engagement-quality-review requirements in PCAOB AS No. 7 were not required by GAAS. As indicated in the Rule 17a-5 history discussion above, following the Madoff scandal, Dodd-Frank gave the PCAOB complete jurisdiction over audits of broker-dealers. Although the change in auditing standards from AICPA to PCAOB impacted the nature and extent of work done on the audit of financial statements by the Registered Public Accountant, the financial-statement audit does not generally give rise to legal questions that are unique to broker-dealers audits.

While securities lawyers and the general public may generally refer to the activities of Registered Public Accountants as “audits,” their professional practice standards make distinctions. Generally, the term “audit” is used in connection with audits of financial statements as distinguished from other “attest” services where the Registered Public Accountant is engaged to issue an examination, a review, or an agreed-upon-procedures report on subject matter, or an assertion about the subject matter, that is the responsibility of another party. Audits and other attest engagements vary in terms of degrees of levels of “assurance.” Professional auditing standards provide for three levels of assurance. The highest level occurs where the Registered Public Accountant obtains “reasonable assurance” with respect to the matter that is the subject of the Registered Public Accountant’s engagement and provides an opinion. The reasonable assurance standard is required with respect to audits and examinations. The second level is moderate assurance, which is applicable in a “review” engagement. The third level of attestation engagement involves the Registered Public “[A]ccountant perform[ing] agreed-upon procedures, which results in no assurance,” only a report of its findings. As discussed below, the 2013 Amendments significantly altered the Rule 17a-5 reporting requirements that are executed concurrent with the financial-statement audit and brought those requirements more in line with the professional attest standards.

Supplemental Reports and Supporting Schedules

The SIPC Supplemental Report

Under SIPA, SIPC is required to maintain a fund for its expenditures and is required to assess its members a revenue-based fee when the fund is below certain parameters. During those periods when SIPC is assessing a revenue-based fee, Rule 17a-5(e)(4) previously required a broker-dealer that files Form SIPC-3 or Form SIPC-7 to also file with each of the Commission, the broker-dealer’s designated examining authority (“DEA”), and SIPC a supplemental report (“SIPC Supplemental Report”) “covered by an opinion of the independent public accountant.” Among other things, the report needed to cover the SIPC annual general assessment reconciliation or exclusion from membership forms (i.e., Form SIPC-7 or Form SIPC-3). In addition, the rule required that the review by the accountant include certain minimum procedures.

Prior to the 2013 Amendments, paragraph (e)(4) of Rule 17a-5 used the terms “opinion” and “review” to describe the work of the independent public accountant associated with the SIPC Supplemental Report, while at the same time identifying specific procedures that the independent public accountant must perform related to the SIPC fees. The issuance of an opinion is a characteristic of an audit of financial statements and examination attest engagements, which involve the highest level of assurance, “reasonable assurance.” As discussed above, a “review” involves a lower level, “moderate assurance.” When the Registered Public Accountant is engaged to issue a report of findings based on specific procedures performed on subject matter, it is typically done in an “agreed-upon procedures” attest engagement, with no level of assurance.

Even before the 2013 Amendments, the AICPA’s Brokers and Dealers in Securities Audit Guide (“2011 Audit Guide”) included an illustrative example of the SIPC Supplemental Report that was in an agreed-upon procedures format and specifically did not provide an opinion. In the 2013 Amendments, the Commission adopted an agreed-upon procedures format for the rule, thereby conforming it to existing professional standards.

SIPC is the sole user of the SIPC Supplemental Report. As such, the 2013 Amendments adopted a provision that transitioned the SIPC Supplemental Schedule out of Rule 17a-5 and into SIPC’s rules. Under the amendment, a broker-dealer would be required to file the SIPC Supplemental Reports with SIPC using the existing formats for the reports until the earlier of the Commission approving a rule adopted by SIPC or two years. In March 2016, SIPC adopted the SIPC Supplemental Report as its Rule 600 and the SIPC Supplemental Report is no longer a Rule 17a-5 requirement.

The 2013 Amendments also amended Rule 17a-5 to require that the annual audited financial statements and related Compliance and Exemption Reports be filed with SIPC. The amendment was intended to address a potential legal hurdle that SIPC may confront when pursuing claims against a broker-dealer’s Registered Public Accountant where the accountant’s failure to adhere to professional standards in auditing a broker-dealer caused a loss to the SIPC Fund. In the period from 1971–2011, SIPC initiated 324 proceedings under SIPA to liquidate a failed broker-dealer, and during that period, it initiated only nine lawsuits against accountants.

Supporting Schedules

Paragraph (d)(2)(ii) of Rule 17a-5 requires that the financial report, which must be examined by the Registered Public Accountant, contain “[s]upporting schedules that include, from Part II or Part IIA of Form X-17A-5 … , a Computation of Net Capital Under [Rule] 15c3-1, a Computation for Determination of Customer Reserve Requirements under … Exhibit A of [Rule] 15c3-3, … and Information Relating to the Possession or Control Requirements for Customers under [Rule] 15c3-3.” The PCAOB has stated that the auditor’s responsibilities when performing audit procedures and reporting on those supporting schedules are covered under Auditing Supplemental Information Accompanying Audited Financial Statements: AS 2701. AS 2701.06 states:

[T]o form an opinion on the supplemental information, the auditor should evaluate whether the supplemental information, including its form and content, is fairly stated, in all material respects, in relation to the financial statements as a whole, including whether the supplemental information is presented in conformity, in all material respects, with the relevant regulatory requirements or other applicable criteria.

Supplemental Reports on Rule 15c3-4

Rule 15c3-4 was originally intended to require an SEC-registered over-the-counter derivatives dealer (“OTC Derivatives Dealer”) to “establish, document, and maintain a system of internal risk management controls to assist it in managing the risks associated with its business activities, including market, credit, leverage, liquidity, legal, and operational risks,” but has later been applied to broker-dealers that seek quantitative model approval under Appendix E to Rule 15c3-1, as well as all firms that register as securities-based swap dealers. Rule 15c3-4(c)(3) requires “[p]eriodic reviews (which may be performed by internal audit staff ) and annual reviews (which must be conducted by independent certified public accountants) of the OTC derivatives dealer’s risk management systems.”

Rule 17a-12 is a reporting rule similar to Rule 17a-5 that applies to OTC Derivatives Dealers. Rule 17a-12 requires a supplemental report by the independent public accountant that indicates

the results of the certified public accountant’s review of the OTC derivatives dealer’s internal risk management control system with respect to the requirements of [Rule] 15c3-4. This review shall be conducted in accordance with procedures agreed to by the OTC derivatives dealer and the certified public accountant conducting the review. The purpose of the review is to confirm that the OTC derivatives dealer has established, documented, and maintained an internal risk management control system in accordance with [Rule] 15c3-4, and is in compliance with that internal risk management control system.

Rule 17a-5(k) requires a similar supplemental report based on agreed-upon procedures to be filed by broker-dealers that have received approval from the SEC to use quantitative models to compute market- and credit-risk deductions under Rule 15c3-1e.

Securities-based swap dealers are subject to Rule 18a-7, which is also similar to Rule 17a-5 but does not include a paragraph specifically requiring the supplemental report required in Rules 17a-5(k) and 17a-12(l). The proposing release states, however, that the annual review required under Rule 15c3-4(c)(3) “must be conducted in accordance with procedures agreed to by the firm and the independent public accountant conducting the review.”

The Material Inadequacy Report

Prior to the 2013 Amendments, Rule 17a-5 required broker-dealers to file a supplemental report that covered any “material inadequacies” found to exist at the audit date. While that report is no longer required under Rule 17a-5, it remains applicable to OTC Derivatives Dealers under Rule 17a-12 and to futures commission merchants under the rules of the Commodity Futures Trading Commission, so some discussion of it is warranted.

The rule, as it existed prior to the 2013 Amendments, was largely adopted in 1975. Unlike the much more transparent SEC releases of today, the 1975 Release does not reveal the extent to which the staff of the SEC’s Division of Trading and Markets attempted to align the rule with the audit standards in place at the time. The release does not mention the Office of Chief Accountant. It contains a single reference to the AICPA in footnote 12, wherein the Commission states that it expects the AICPA to “promulgate guidelines and educational materials” concerning the extent and timing of audit procedures.

The term “material inadequacy” did not exist in the audit standards in the 1970s when the SEC incorporated it into the rule. Indeed, when, in 1976, the AICPA did promulgate the anticipated guidance, its only references to “material inadequacy” appeared in language quoted from the SEC or Rule 17a-5. The illustrative internal control report in the guidance uses the term “weaknesses” instead.

In addition to the use of the term “material inadequacy,” the “Audit Objectives” section previously in paragraph (g) of the rule appeared to combine coverage of compliance with specific rules into a report on internal accounting control. “Internal Accounting Control,” as used the AICPA guidance, is similar to the PCOAB’s “Internal Controls over Financial Reporting,” in that each refer to internal controls related to the accuracy of the financial statements, as opposed to management controls related to compliance or other activities. Paragraph (g)(1) required “reviews” of specific provisions of the financial responsibility rules, including the Net Capital Rule, the Customer Protection Rule, Rule 17a-13, and the prompt payment for securities provision of Regulation T, but the definition of “material inadequacy” in paragraph (g)(3) excluded violations of the “Commission’s recordkeeping and financial responsibility rules,” unless the violation included any condition which has contributed substantially to or, if appropriate corrective action is not taken, could reasonably be expected to:

(i) inhibit a broker or dealer from promptly completing securities transactions or promptly discharging [its] responsibilities to customers, other broker-dealers, or creditors;

(ii) result in material financial loss; [or]

(iii) result in material misstatements of the broker’s or dealer’s financial statements.

The first paragraph of the illustrative material inadequacy report in the 2011 Audit Guide, which was still in place when the 2013 Amendments were proposed, stated “we considered the Company’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for purposes of expressing our opinion on the [consolidated] financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control.” It goes on to explicitly state that an opinion is not expressed, despite the fact that paragraph (g)(1) specifically called for “reasonable assurance,” a level of assurance associated with expressing an opinion.

Among other things, the 2013 Amendments aligned the rule more closely with the professional auditing standards. The SEC replaced the material inadequacy report, which was applicable to all broker-dealers, with reports issued by a Registered Public Accountant—the Compliance Report, for firms with custodial responsibilities, and the Exemption Report, for firms which are generally not subject to Rule 15c3-3. The Compliance Report, the Exemption Report, and the related reports issued by the Registered Public Accountants are discussed in the sections that follow.

The Compliance Report

Under the terms of the rule, a broker-dealer that does not claim an exemption under Rule 15c3-3 is now required to annually file a Compliance Report and to engage a Registered Public Accountant to issue a report based on an examination of the statements required to be made in the Compliance Report done in accordance with PCAOB standards. Unlike the material inadequacy report that was addressed in the prior section of this article, the Compliance Report and the related examination report by the Registered Public Accountant align with the audit standards. Within three months of the adoption of the Compliance Report by the SEC, the PCAOB adopted Attestation Standard No. 1: Examination Engagements Regarding Compliance Reports of Brokers and Dealers (“AT No. 1”).

The Compliance Report focuses on “Internal Controls Over Compliance” with a selected subset of the financial responsibility rules. Those rules (“Covered Financial Responsibility Rules”) are:

  • (1) Rule 15c3-1 (the Net Capital Rule);
  • (2) Rule 15c3-3 (the Customer Protection Rule);
  • (3) Rule 17a-13 (the Quarterly Security Count Rule); and
  • (4) the customer statement rules of the firm’s DEA.

The Commission selected the Covered Financial Responsibility Rules because “these rules contain important baseline protections concerning broker-dealer capital adequacy and the protection of customer funds and securities.”

The Compliance Report must contain “statements” as to whether:

  • (1) the broker-dealer has established Internal Controls Over Compliance and whether those controls were effective during, and at the end of, the fiscal year;
  • (2) the broker-dealer was in compliance with Rule 15c3-1 and Rule 15c3-3(e) at the end of the fiscal year; and
  • (3) the information used to state whether it was in compliance with Rule 15c3-1 and Rule 15c3-3(e) was derived from the books and records of the broker or dealer.

The statements required by the rule are significant as they operate as “assertions” under AT No. 1. The auditor’s objective in a Compliance Report examination under AT No. 1 is “to express an opinion regarding whether the assertions made by the broker or dealer in its compliance report are fairly stated, in all material respects.” While its proposal used the term “assertions,” the Commission’s final rule used the term “statements” instead, but made it clear that “the assertions contained in the proposal are now referred to as statements” and that there was no intent to “substantively change the nature of the matters stated in the compliance report or which of the statements are to be examined by the independent public accountant.”

Material Weakness Notifications

In addition to the statements, the Compliance Report must also describe each material weakness in “Internal Control Over Compliance” during and as of the end of the fiscal year, as well as any instance of non-compliance with Rule 15c3-1 or Rule 15c3-3(e) as of the end of the fiscal year. As the identification of a material weakness requires prompt notification of regulators and others, its determination typically involves urgent deliberation by the securities firm’s management, including its legal counsel. Although Rule 17a-11(d) imposes on broker-dealers twenty-four and forty-eight-hour filing deadlines, the Commission has historically recognized that the determination of material inadequacies requires some prompt deliberation:

A determination of a material inadequacy may, in many instances, require completed audit procedures in a particular area, appropriate review at the decision-making level of management and the independent accountant, and possible consultation with counsel. While it is expected that a determination in this context involves a contemplative process, the length and complexity of the deliberations should depend on the circumstances and be completed in the shortest time possible.

As the determination of a material weakness involves an analogous set of circumstances, presumably the SEC staff would expect a similar urgent deliberation to take place.

It is important to note that, in addition to sending notifications to regulators, notifications may be required to be made to clearing agencies and key counterparties pursuant to their rules or contractual provisions. Generally, third parties that require a copy of the firm’s monthly FOCUS Report will also require related notifications. A practical way to determine the range of entities that the securities firm might be required to notify is to review the distribution list for the monthly FOCUS Report typically maintained by the firm’s regulatory reporting department.

Also note that notices related to the same incident may be required under multiple regulatory provisions. Management and counsel for the securities firm should consider combining all notices related to an instance of non-compliance to avoid the impression the firm has an ongoing problem that is giving rise to repeated notices.

Material Weakness Determinations

Paragraph (d)(3)(iii) defines the terms “material weakness” and “deficiency” and paragraph (d)(3)(i) uses the term “instance of non-compliance,” which is simply an instance in which the broker-dealer failed to comply with one of the Covered Financial Responsibility Rules. The term “deficiency” is defined to exist

when the design or operation of a control does not allow the management or employees of the broker or dealer, in the normal course of performing their assigned functions, to prevent or detect on a timely basis non-compliance with [Rule] 15c3-1, [Rule] 15c3-3, [Rule] 17a-13, or any Account Statement Rule.

The term is broader than “instance of non-compliance” in that it is possible that a control deficiency might not prevent or detect a potential instance of non-compliance, even though the firm was fortunate enough to not have an instance of non-compliance take place.

Paragraph (d)(3)(iii) defines the term “material weakness” to be

a deficiency, or a combination of deficiencies, in Internal Control Over Compliance such that there is a reasonable possibility that non-compliance with [Rule] 15c3-1 [or Rule] 15c3-3(e) … will not be prevented or detected on a timely basis or that non-compliance to a material extent with [Rule] 15c3-3, except for paragraph (e), … [Rule] 17a-13, or any Account Statement Rule will not be prevented or detected on a timely basis.

The definition of the term “material weakness” in paragraph (d)(3)(iii) distinguishes between non-compliance with Rule 15c3-1 or Rule 15c3-3(e) and non-compliance “to a material extent” with the other Covered Financial Responsibility Rules. For the other Covered Financial Responsibility Rules, the determination of what is “noncompliance to a material extent” is largely dependent on judgement. The Commission recognized “the practical difficulties in creating a system of control that will eliminate a reasonable possibility of the occurrence of any instances of non-compliance with certain requirements of the financial responsibility rules.” For those financial responsibility rules, the 2013 Adopting Release is clear that it takes more than a single instance of non-compliance: “For example, the inadvertent failure to send one account statement out of thousands of such statements would not constitute non-compliance to a material extent with the Account Statement Rules though it would be an instance of non-compliance.”

An instance of non-compliance in either Rule 15c3-1 or Rule 15c3-3(e), however, is indicative of a material weakness. In the words of the SEC, “the final rule focuses on provisions that trigger notification requirements when they are not complied with, namely, Rule 15c3-1 and the customer reserve requirement in paragraph (e) of Rule 15c3-3,” which are the “core requirements of the financial responsibility rules.”

It is important to note that, as in the case of deficiencies, a material weakness can be found to exist even when no instances of non-compliance exist. The definition of material weakness in Rule 17a-5 includes control deficiencies that result in a “reasonable possibility that non-compliance with [Rule] 15c3-1 [or Rule] 15c3-3(e) … will not be prevented or detected on a timely basis.”

In addition to whether instances of non-compliance result in material weaknesses, counsel may be asked by management to advise on whether specific instances are in fact non-compliant with the Covered Financial Responsibility Rules. The complexity of those financial responsibility rules—particularly Rules 15c3-1 and 15c3-3—frequently give rise to interpretive questions. The Registered Public Accountant may be faced with interpretive matters that arise in a variety of contexts. Generally, as explained below, many of these issues involve some evaluation of the “evidence” gathered by the auditor.


AT No. 1 states that, in order for the Registered Public Accountant “[t]o express an opinion on the assertions made by a broker or dealer in a compliance report, the auditor must plan and perform the examination engagement to obtain appropriate evidence that is sufficient to obtain reasonable assurance.” Regarding the meaning of “appropriate” and “sufficient,” AT No. 1 cross-references Audit Evidence: AS 1105, which generally links the term “appropriate” to the quality of the evidence and the term “sufficient” to the quantity of it. AS 1105 also provides guidance on evaluating the reliability of evidence.

For example, the reliability guidance states: “Evidence obtained directly by the auditor is more reliable than evidence obtained indirectly.” A practical example of the application of this guidance involves a representation by the securities firm to its Registered Public Accountant regarding the receipt of guidance from a regulator involving an issue under question. Rather than relying on the securities firm’s representation concerning the regulator’s guidance, the Registered Public Accountant may need to contact the regulator directly.

The reliability guidance also states: “Evidence obtained from a knowledgeable source that is independent of the company is more reliable than evidence obtained only from internal company sources.” This guidance is also implicated in the example above, but would also apply to written examination findings of regulators, such as FINRA. Attorneys that are advising securities firms regarding potential examination findings of non-compliance should be aware that those findings will be a source of reliable audit evidence under AS 1105, regardless of the likelihood of potential enforcement action by the regulator.

The reliability guidance regarding “[e]vidence obtained from a knowledgeable source that is independent of the company” also includes a note referencing “the evaluation of evidence from a company’s specialist.” Appendix A to AS 1105—“Using the Work of a Company’s Specialist as Audit Evidence”—“applies when an auditor uses the work of a company’s attorney as audit evidence,” but does not apply to information provided by a company’s attorney concerning litigation, claims, or assessments. Appendix A provides many specific requirements regarding the evaluation of the competence and work of specialists of all varieties. Appendix A directs the Registered Public Accountant to “assess the relationship to the company of the specialist and the entity that employs the specialist (if other than the company)—specifically, whether circumstances exist that give the company the ability to significantly affect the specialist’s judgments about the work performed, conclusions, or findings.” As acknowledged by the American Bar Association’s Model Rules of Professional Conduct, attorneys perform various functions when representing clients. They may serve as an “evaluator” by “examining a client’s legal affairs and reporting about them to the client or to others.” AS 1105 recognizes this role for attorneys: “[A]n auditor [may] use[] the work of a company’s attorney as audit evidence in other matters relating to legal expertise,” such as when the work involves “a legal interpretation of a contractual provision.”

Attorneys may also serve as an advocate, however, where the “lawyer zealously asserts the client’s position.” This may be the case when a material weakness or other deficiency involving a potential regulatory notification is under discussion. AS 1105 states that: “As the significance of the specialist’s work and risk of material misstatement increases, the persuasiveness of the evidence the auditor should obtain for those assessments also increases.” By acting as an advocate, outside counsel may be considered to be acting on behalf of the securities firm, as opposed to a “knowledgeable source that is independent of the company.”

Attorneys occasionally might question why Registered Public Accountants are not as eager to defend the interests of their client. By comparison to the professional standards for a lawyer, who is an advocate, the ethical standards applicable to Registered Public Accountants for all engagements require objectivity, and, in attest engagements, such as those required by Rule 17a-5, independence from the client and its affiliates.

The Exemption Report

Classes of Firms

As explained below, generally, securities firms that are not required to file the Compliance Report must file the Exemption Report. The Exemption Report is somewhat misnamed, because, in addition to being filed by firms that are specifically exempt from Rule 15c3-3, it is also filed by firms that do not meet the Rule 15c3-3(k) exemptions because they do not handle customer funds or because they have received a waiver from filing the Compliance Report from the SEC staff.

Paragraph (d)(1)(i)(B)(2) of Rule 17a-5 requires firms that claimed an exemption from Rule 15c3-3 during the year to file the Exemption Report. The exemptions in paragraph (k) of Rule 15c3-3 are specific. All anticipate that the firm will receive customer funds and securities and “promptly transmit” them. Paragraph (k)(1) limits the firm to certain activities, such as the sale and redemption of redeemable securities of registered investment companies or of interests or participations in an insurance company separate account. Paragraph (k)(2)(i) refers to the use of a Special Account for the Exclusive Benefit of Customers of the broker-dealer. Paragraph (k)(2)(ii) is limited to firms that introduce the accounts of their customers to be carried by another broker-dealer.

Many registered securities firms do not have contact with customer funds and securities, and, although they do not have responsibilities under Rule 15c3-3, they do not meet the specifics of the Rule 15c3-3(k) exemptions (“Non-Covered Firms”). As the terms of the rule only make the Exemption Report available to firms that fit within one of the Rule 15c3-3 exemptions, Non-Covered Firms would be required to file the Compliance Report, absent SEC exemptive action. The Commission recognized this problem and addressed it in footnote 74 of the 2013 Adopting Release: “There may be circumstances in which a broker-dealer has not held customer securities or funds during the fiscal year, but does not fit into one of the exemptive provisions … . [T]hese broker-dealers should file an exemption report and related accountant’s report.”

Footnote 78 of the 2013 Adopting Release addresses firms that have “limited custodial activities” and offers those firms an opportunity to seek exemptive relief from filing the Compliance Report. As discussed below, typically relief from filing the Compliance Report is only granted by the SEC staff if the firm agrees to file an Exemption Report.

Statements and Assertions

Like the Compliance Report, the Exemption Report relies heavily on statements that operate as assertions under the attestation standards. Paragraph (d)(4) of Rule 17a-5 provides:

The exemption report must contain the following statements made to the best knowledge and belief of the broker or dealer:

    (i) A statement that identifies the provisions in [Rule] 15c3-3(k) under which the broker or dealer claimed an exemption from [Rule] 15c3-3;

    (ii) A statement that the broker or dealer met the identified exemption provisions in [Rule] 15c3-3(k) throughout the most recent fiscal year without exception or that it met the identified exemption provisions in [Rule] 15c3-3(k) throughout the most recent fiscal year except as described under paragraph (d)(4)(iii) of this section; and

    (iii) If applicable, a statement that identifies each exception during the most recent fiscal year in meeting the identified exemption provisions in [Rule] 15c3-3(k) and that briefly describes the nature of each exception and the approximate date(s) on which the exception existed.

The PCAOB adopted AT No. 2 in the same release that adopted AT No. 1 shortly after the SEC adopted the Rule 17a-5 amendments in the 2013 Adopting Release. AT No. 2 states:

When performing a review of the statements (“assertions”) made by a broker or dealer in an exemption report … , the auditor’s objective is to state whether, based upon the results of the review procedures, the auditor is aware of any material modifications that should be made to the broker’s or dealer’s assertions for the assertions to be fairly stated, in all material respects.

Regarding that objective, AT No. 2 further states: “[T]he auditor must plan and perform the review engagement to obtain appropriate evidence that is sufficient to obtain moderate assurance about whether one or more conditions exist that would cause one or more of the broker’s or dealer’s assertions” related to compliance with the Rule 15c3-3(k) exemptive provisions or the exceptions therefrom “not to be fairly stated, in all material respects.”

Classes of Firms and Related Statements and Assertions

As the statements and assertions drive the work to be done by the auditor, it is important that exemptions claimed by the broker-dealer on its FOCUS Report, Exemption Report, and FINRA membership agreement align with its business activities. It is possible that the firm’s activities are such that it might be relying on more than one exemption from Rule 15c3-3. For example, a firm might introduce some of its business on a fully disclosed basis to another broker-dealer, which would be exempt under Rule 15c3-3(k)(2)(ii), while conducting other activities in compliance with the exemption under paragraph (k)(2)(i). The SEC addressed this fact pattern in its “Frequently Asked Questions Concerning the July 30, 2013 Amendments to the Broker-Dealer Financial Reporting Rule” and indicated that “[t]he broker-dealer should reflect both exemption provisions supporting its claim of exemption in the exemption report and should also identify any applicable exceptions under each [exemption],” as well as indicate each exemption provision on its FOCUS Report.

The SEC FAQ also addresses Non-Covered Firms. In addition to making it clear that those firms should not check an exemption box on their FOCUS Reports, the SEC FAQ provides:

A Non-Covered Firm … should include in the exemption report a description of all the firm’s business activities and a statement that during the reporting period the firm (1) did not directly or indirectly receive, hold, or otherwise owe funds or securities for or to customers, other than money or other consideration received and promptly transmitted in compliance with paragraph (a) or (b)(2) of Rule 15c2-4; (2) did not carry accounts of or for customers; and (3) did not carry PAB accounts (as defined in Rule 15c3-3).

The SEC FAQ further provides:

A Non-Covered Firm that limits its business activities exclusively to one or more of the following would be eligible to file an exemption report:

(1) proprietary trading;

(2) effecting securities transactions via subscriptions;

(3) receiving transaction-based compensation for identifying potential merger and acquisition opportunities for clients, referring securities transactions to other broker-dealers, or providing technology or platform services;

(4) participating in distributions of securities (other than firm commitment underwritings) in accordance with the requirements of paragraphs (a) or (b)(2) of Rule 15c2-4; or

(5) engaging solely in activities permitted for capital acquisition brokers (“CAB”) as defined in FINRA’s CAB rules and approved for membership in FINRA as a CAB.

Presumably firms that do not handle customer funds or securities but engage in other securities activities not listed above could seek relief from the Commission from filing the Compliance Report under footnote 78 of the 2013 Adopting Release. The SEC FAQ provides guidance on how those requests should be filed.

Attorneys advising firms that have “limited custodial activities,” as contemplated by footnote 78, and are seeking relief from filing the Compliance Report should anticipate that the Commission staff may seek that the firm’s Registered Public Accountant cover those activities in its Exemption Report review. That coverage can be accomplished by agreeing to a statement (i.e., assertion) to be included in the Exemption Report regarding the safekeeping processes related to those activities, as the scope of work by the Registered Public Accountant is driven by the assertions. As such, the assertion should be crisply worded and vetted with the Registered Public Accountant to ensure the design of appropriate review procedures.


As stated earlier, Rule 17a-5(d)(4)(iii) requires that the Exemption Report include a statement that identifies any “exception during the most recent fiscal year in meeting the identified exemption provisions in [Rule] 15c3-3(k) and that briefly describes the nature of each exception and the approximate date(s) on which the exception existed.” On occasion, attorneys are consulted when exceptions are discovered. Apprehension may arise that an exception from compliance with the Rule 15c3-3(k) exemption will result in the firm being required to comply with Rule 15c3-3 generally and file a Compliance Report. As discussed below, those concerns were voiced by commentators and addressed in the 2013 Adopting Release.

The SEC’s proposal did not require a statement regarding exceptions. The exception-statement requirement in paragraph (d)(4)(iii) of Rule 17a-5 was added in the adopting release in response to comments received. For example, in its comment letter, SIFMA acknowledged that, under the proposal, the Registered Public Accountant would be required to “disclose any ‘material modifications’ that should be made to the broker-dealer’s assertion in the Exemption Report.” SIFMA then pointed out that the 2011 Proposing Release stated that “an example of a discovery that would necessitate a material modification would be a discovery that the broker-dealer failed to promptly forward any customer securities it received.” SIFMA asked for guidance on the determination of material modifications and stated that procedural errors, such as “bank errors, clerical errors or any factor outside the control of the broker-dealer,” should not warrant the material modification of a statement in the broker-dealer’s Exemption Report.

The SEC added the exception-statement requirement to

address commenters’ concerns that the proposed exemption report assertion would create an unworkable standard given the possibility that a broker-dealer might have instances of exceptions to meeting the exemption provisions in paragraph (k) of Rule 15c3-3 and that the proposed requirements with respect to the exemption report did not explicitly provide how exceptions should be treated.

… .

This modification from requiring the broker-dealer to state an absolute (i.e., that it is exempt from Rule 15c3-3) allows the broker-dealer to account for instances in which it had exceptions to meeting the exemption provisions in paragraph (k) of Rule 15c3-3 directly in the exemption report (rather than having to file the compliance report).


As it was adopted eighty years ago and only eight years after the creation of the SEC, Rule 17a-5 has certainly withstood the test of time. Like many SEC rules, it went through major revisions following significant events in the securities industry. Those revisions to Rule 17a-5 came in the mid-1970s following the Paper Work Crisis and more recently in 2013 after the Madoff scandal. In addition to strengthening the protections provided in the rule by requiring, for example, a compliance examination on key financial responsibility rules, the 2013 Amendments far more closely align with the auditing and attestation standards of today.

He would like to thank Beth Goldstein of Deloitte & Touche, L.L.P. for her assistance in the preparation of this article.