Overview of Audit Standards
Two organizations are responsible for setting professional auditing standards, the American Institute of Certified Public Accountants (“AICPA”) and the PCAOB. The AICPA issued Statement on Auditing Procedure No. 1 in October 1939 following the financial scandal that occurred at McKesson & Robbins. The PCAOB was created by the Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) following the failures of WorldCom and Enron. Sarbanes-Oxley required auditors of broker-dealers and public companies to register with the PCAOB and mandated the PCAOB to adopt auditing standards for its Registered Public Accountants to follow for public company audits. While AICPA and PCAOB standards bear similarities, there are differences. The SEC’s 2011 Proposing Release identified two differences that existed at the time: (1) The audit-documentation requirements contained in PCAOB Auditing Standard (“AS”) No. 3 were not required by Generally Accepted Auditing Standards (“GAAS”); and (2) The engagement-quality-review requirements in PCAOB AS No. 7 were not required by GAAS. As indicated in the Rule 17a-5 history discussion above, following the Madoff scandal, Dodd-Frank gave the PCAOB complete jurisdiction over audits of broker-dealers. Although the change in auditing standards from AICPA to PCAOB impacted the nature and extent of work done on the audit of financial statements by the Registered Public Accountant, the financial-statement audit does not generally give rise to legal questions that are unique to broker-dealers audits.
While securities lawyers and the general public may generally refer to the activities of Registered Public Accountants as “audits,” their professional practice standards make distinctions. Generally, the term “audit” is used in connection with audits of financial statements as distinguished from other “attest” services where the Registered Public Accountant is engaged to issue an examination, a review, or an agreed-upon-procedures report on subject matter, or an assertion about the subject matter, that is the responsibility of another party. Audits and other attest engagements vary in terms of degrees of levels of “assurance.” Professional auditing standards provide for three levels of assurance. The highest level occurs where the Registered Public Accountant obtains “reasonable assurance” with respect to the matter that is the subject of the Registered Public Accountant’s engagement and provides an opinion. The reasonable assurance standard is required with respect to audits and examinations. The second level is moderate assurance, which is applicable in a “review” engagement. The third level of attestation engagement involves the Registered Public “[A]ccountant perform[ing] agreed-upon procedures, which results in no assurance,” only a report of its findings. As discussed below, the 2013 Amendments significantly altered the Rule 17a-5 reporting requirements that are executed concurrent with the financial-statement audit and brought those requirements more in line with the professional attest standards.
Supplemental Reports and Supporting Schedules
The SIPC Supplemental Report
Under SIPA, SIPC is required to maintain a fund for its expenditures and is required to assess its members a revenue-based fee when the fund is below certain parameters. During those periods when SIPC is assessing a revenue-based fee, Rule 17a-5(e)(4) previously required a broker-dealer that files Form SIPC-3 or Form SIPC-7 to also file with each of the Commission, the broker-dealer’s designated examining authority (“DEA”), and SIPC a supplemental report (“SIPC Supplemental Report”) “covered by an opinion of the independent public accountant.” Among other things, the report needed to cover the SIPC annual general assessment reconciliation or exclusion from membership forms (i.e., Form SIPC-7 or Form SIPC-3). In addition, the rule required that the review by the accountant include certain minimum procedures.
Prior to the 2013 Amendments, paragraph (e)(4) of Rule 17a-5 used the terms “opinion” and “review” to describe the work of the independent public accountant associated with the SIPC Supplemental Report, while at the same time identifying specific procedures that the independent public accountant must perform related to the SIPC fees. The issuance of an opinion is a characteristic of an audit of financial statements and examination attest engagements, which involve the highest level of assurance, “reasonable assurance.” As discussed above, a “review” involves a lower level, “moderate assurance.” When the Registered Public Accountant is engaged to issue a report of findings based on specific procedures performed on subject matter, it is typically done in an “agreed-upon procedures” attest engagement, with no level of assurance.
Even before the 2013 Amendments, the AICPA’s Brokers and Dealers in Securities Audit Guide (“2011 Audit Guide”) included an illustrative example of the SIPC Supplemental Report that was in an agreed-upon procedures format and specifically did not provide an opinion. In the 2013 Amendments, the Commission adopted an agreed-upon procedures format for the rule, thereby conforming it to existing professional standards.
SIPC is the sole user of the SIPC Supplemental Report. As such, the 2013 Amendments adopted a provision that transitioned the SIPC Supplemental Schedule out of Rule 17a-5 and into SIPC’s rules. Under the amendment, a broker-dealer would be required to file the SIPC Supplemental Reports with SIPC using the existing formats for the reports until the earlier of the Commission approving a rule adopted by SIPC or two years. In March 2016, SIPC adopted the SIPC Supplemental Report as its Rule 600 and the SIPC Supplemental Report is no longer a Rule 17a-5 requirement.
The 2013 Amendments also amended Rule 17a-5 to require that the annual audited financial statements and related Compliance and Exemption Reports be filed with SIPC. The amendment was intended to address a potential legal hurdle that SIPC may confront when pursuing claims against a broker-dealer’s Registered Public Accountant where the accountant’s failure to adhere to professional standards in auditing a broker-dealer caused a loss to the SIPC Fund. In the period from 1971–2011, SIPC initiated 324 proceedings under SIPA to liquidate a failed broker-dealer, and during that period, it initiated only nine lawsuits against accountants.
Supporting Schedules
Paragraph (d)(2)(ii) of Rule 17a-5 requires that the financial report, which must be examined by the Registered Public Accountant, contain “[s]upporting schedules that include, from Part II or Part IIA of Form X-17A-5 … , a Computation of Net Capital Under [Rule] 15c3-1, a Computation for Determination of Customer Reserve Requirements under … Exhibit A of [Rule] 15c3-3, … and Information Relating to the Possession or Control Requirements for Customers under [Rule] 15c3-3.” The PCAOB has stated that the auditor’s responsibilities when performing audit procedures and reporting on those supporting schedules are covered under Auditing Supplemental Information Accompanying Audited Financial Statements: AS 2701. AS 2701.06 states:
[T]o form an opinion on the supplemental information, the auditor should evaluate whether the supplemental information, including its form and content, is fairly stated, in all material respects, in relation to the financial statements as a whole, including whether the supplemental information is presented in conformity, in all material respects, with the relevant regulatory requirements or other applicable criteria.
Supplemental Reports on Rule 15c3-4
Rule 15c3-4 was originally intended to require an SEC-registered over-the-counter derivatives dealer (“OTC Derivatives Dealer”) to “establish, document, and maintain a system of internal risk management controls to assist it in managing the risks associated with its business activities, including market, credit, leverage, liquidity, legal, and operational risks,” but has later been applied to broker-dealers that seek quantitative model approval under Appendix E to Rule 15c3-1, as well as all firms that register as securities-based swap dealers. Rule 15c3-4(c)(3) requires “[p]eriodic reviews (which may be performed by internal audit staff ) and annual reviews (which must be conducted by independent certified public accountants) of the OTC derivatives dealer’s risk management systems.”
Rule 17a-12 is a reporting rule similar to Rule 17a-5 that applies to OTC Derivatives Dealers. Rule 17a-12 requires a supplemental report by the independent public accountant that indicates
the results of the certified public accountant’s review of the OTC derivatives dealer’s internal risk management control system with respect to the requirements of [Rule] 15c3-4. This review shall be conducted in accordance with procedures agreed to by the OTC derivatives dealer and the certified public accountant conducting the review. The purpose of the review is to confirm that the OTC derivatives dealer has established, documented, and maintained an internal risk management control system in accordance with [Rule] 15c3-4, and is in compliance with that internal risk management control system.
Rule 17a-5(k) requires a similar supplemental report based on agreed-upon procedures to be filed by broker-dealers that have received approval from the SEC to use quantitative models to compute market- and credit-risk deductions under Rule 15c3-1e.
Securities-based swap dealers are subject to Rule 18a-7, which is also similar to Rule 17a-5 but does not include a paragraph specifically requiring the supplemental report required in Rules 17a-5(k) and 17a-12(l). The proposing release states, however, that the annual review required under Rule 15c3-4(c)(3) “must be conducted in accordance with procedures agreed to by the firm and the independent public accountant conducting the review.”
The Material Inadequacy Report
Prior to the 2013 Amendments, Rule 17a-5 required broker-dealers to file a supplemental report that covered any “material inadequacies” found to exist at the audit date. While that report is no longer required under Rule 17a-5, it remains applicable to OTC Derivatives Dealers under Rule 17a-12 and to futures commission merchants under the rules of the Commodity Futures Trading Commission, so some discussion of it is warranted.
The rule, as it existed prior to the 2013 Amendments, was largely adopted in 1975. Unlike the much more transparent SEC releases of today, the 1975 Release does not reveal the extent to which the staff of the SEC’s Division of Trading and Markets attempted to align the rule with the audit standards in place at the time. The release does not mention the Office of Chief Accountant. It contains a single reference to the AICPA in footnote 12, wherein the Commission states that it expects the AICPA to “promulgate guidelines and educational materials” concerning the extent and timing of audit procedures.
The term “material inadequacy” did not exist in the audit standards in the 1970s when the SEC incorporated it into the rule. Indeed, when, in 1976, the AICPA did promulgate the anticipated guidance, its only references to “material inadequacy” appeared in language quoted from the SEC or Rule 17a-5. The illustrative internal control report in the guidance uses the term “weaknesses” instead.
In addition to the use of the term “material inadequacy,” the “Audit Objectives” section previously in paragraph (g) of the rule appeared to combine coverage of compliance with specific rules into a report on internal accounting control. “Internal Accounting Control,” as used the AICPA guidance, is similar to the PCOAB’s “Internal Controls over Financial Reporting,” in that each refer to internal controls related to the accuracy of the financial statements, as opposed to management controls related to compliance or other activities. Paragraph (g)(1) required “reviews” of specific provisions of the financial responsibility rules, including the Net Capital Rule, the Customer Protection Rule, Rule 17a-13, and the prompt payment for securities provision of Regulation T, but the definition of “material inadequacy” in paragraph (g)(3) excluded violations of the “Commission’s recordkeeping and financial responsibility rules,” unless the violation included any condition which has contributed substantially to or, if appropriate corrective action is not taken, could reasonably be expected to:
(i) inhibit a broker or dealer from promptly completing securities transactions or promptly discharging [its] responsibilities to customers, other broker-dealers, or creditors;
(ii) result in material financial loss; [or]
(iii) result in material misstatements of the broker’s or dealer’s financial statements.
The first paragraph of the illustrative material inadequacy report in the 2011 Audit Guide, which was still in place when the 2013 Amendments were proposed, stated “we considered the Company’s internal control over financial reporting (internal control) as a basis for designing our auditing procedures for purposes of expressing our opinion on the [consolidated] financial statements, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control.” It goes on to explicitly state that an opinion is not expressed, despite the fact that paragraph (g)(1) specifically called for “reasonable assurance,” a level of assurance associated with expressing an opinion.
Among other things, the 2013 Amendments aligned the rule more closely with the professional auditing standards. The SEC replaced the material inadequacy report, which was applicable to all broker-dealers, with reports issued by a Registered Public Accountant—the Compliance Report, for firms with custodial responsibilities, and the Exemption Report, for firms which are generally not subject to Rule 15c3-3. The Compliance Report, the Exemption Report, and the related reports issued by the Registered Public Accountants are discussed in the sections that follow.
The Compliance Report
Under the terms of the rule, a broker-dealer that does not claim an exemption under Rule 15c3-3 is now required to annually file a Compliance Report and to engage a Registered Public Accountant to issue a report based on an examination of the statements required to be made in the Compliance Report done in accordance with PCAOB standards. Unlike the material inadequacy report that was addressed in the prior section of this article, the Compliance Report and the related examination report by the Registered Public Accountant align with the audit standards. Within three months of the adoption of the Compliance Report by the SEC, the PCAOB adopted Attestation Standard No. 1: Examination Engagements Regarding Compliance Reports of Brokers and Dealers (“AT No. 1”).
The Compliance Report focuses on “Internal Controls Over Compliance” with a selected subset of the financial responsibility rules. Those rules (“Covered Financial Responsibility Rules”) are:
- (1) Rule 15c3-1 (the Net Capital Rule);
- (2) Rule 15c3-3 (the Customer Protection Rule);
- (3) Rule 17a-13 (the Quarterly Security Count Rule); and
- (4) the customer statement rules of the firm’s DEA.
The Commission selected the Covered Financial Responsibility Rules because “these rules contain important baseline protections concerning broker-dealer capital adequacy and the protection of customer funds and securities.”
The Compliance Report must contain “statements” as to whether:
- (1) the broker-dealer has established Internal Controls Over Compliance and whether those controls were effective during, and at the end of, the fiscal year;
- (2) the broker-dealer was in compliance with Rule 15c3-1 and Rule 15c3-3(e) at the end of the fiscal year; and
- (3) the information used to state whether it was in compliance with Rule 15c3-1 and Rule 15c3-3(e) was derived from the books and records of the broker or dealer.
The statements required by the rule are significant as they operate as “assertions” under AT No. 1. The auditor’s objective in a Compliance Report examination under AT No. 1 is “to express an opinion regarding whether the assertions made by the broker or dealer in its compliance report are fairly stated, in all material respects.” While its proposal used the term “assertions,” the Commission’s final rule used the term “statements” instead, but made it clear that “the assertions contained in the proposal are now referred to as statements” and that there was no intent to “substantively change the nature of the matters stated in the compliance report or which of the statements are to be examined by the independent public accountant.”
Material Weakness Notifications
In addition to the statements, the Compliance Report must also describe each material weakness in “Internal Control Over Compliance” during and as of the end of the fiscal year, as well as any instance of non-compliance with Rule 15c3-1 or Rule 15c3-3(e) as of the end of the fiscal year. As the identification of a material weakness requires prompt notification of regulators and others, its determination typically involves urgent deliberation by the securities firm’s management, including its legal counsel. Although Rule 17a-11(d) imposes on broker-dealers twenty-four and forty-eight-hour filing deadlines, the Commission has historically recognized that the determination of material inadequacies requires some prompt deliberation:
A determination of a material inadequacy may, in many instances, require completed audit procedures in a particular area, appropriate review at the decision-making level of management and the independent accountant, and possible consultation with counsel. While it is expected that a determination in this context involves a contemplative process, the length and complexity of the deliberations should depend on the circumstances and be completed in the shortest time possible.
As the determination of a material weakness involves an analogous set of circumstances, presumably the SEC staff would expect a similar urgent deliberation to take place.
It is important to note that, in addition to sending notifications to regulators, notifications may be required to be made to clearing agencies and key counterparties pursuant to their rules or contractual provisions. Generally, third parties that require a copy of the firm’s monthly FOCUS Report will also require related notifications. A practical way to determine the range of entities that the securities firm might be required to notify is to review the distribution list for the monthly FOCUS Report typically maintained by the firm’s regulatory reporting department.
Also note that notices related to the same incident may be required under multiple regulatory provisions. Management and counsel for the securities firm should consider combining all notices related to an instance of non-compliance to avoid the impression the firm has an ongoing problem that is giving rise to repeated notices.
Material Weakness Determinations
Paragraph (d)(3)(iii) defines the terms “material weakness” and “deficiency” and paragraph (d)(3)(i) uses the term “instance of non-compliance,” which is simply an instance in which the broker-dealer failed to comply with one of the Covered Financial Responsibility Rules. The term “deficiency” is defined to exist
when the design or operation of a control does not allow the management or employees of the broker or dealer, in the normal course of performing their assigned functions, to prevent or detect on a timely basis non-compliance with [Rule] 15c3-1, [Rule] 15c3-3, [Rule] 17a-13, or any Account Statement Rule.
The term is broader than “instance of non-compliance” in that it is possible that a control deficiency might not prevent or detect a potential instance of non-compliance, even though the firm was fortunate enough to not have an instance of non-compliance take place.
Paragraph (d)(3)(iii) defines the term “material weakness” to be
a deficiency, or a combination of deficiencies, in Internal Control Over Compliance such that there is a reasonable possibility that non-compliance with [Rule] 15c3-1 [or Rule] 15c3-3(e) … will not be prevented or detected on a timely basis or that non-compliance to a material extent with [Rule] 15c3-3, except for paragraph (e), … [Rule] 17a-13, or any Account Statement Rule will not be prevented or detected on a timely basis.
The definition of the term “material weakness” in paragraph (d)(3)(iii) distinguishes between non-compliance with Rule 15c3-1 or Rule 15c3-3(e) and non-compliance “to a material extent” with the other Covered Financial Responsibility Rules. For the other Covered Financial Responsibility Rules, the determination of what is “noncompliance to a material extent” is largely dependent on judgement. The Commission recognized “the practical difficulties in creating a system of control that will eliminate a reasonable possibility of the occurrence of any instances of non-compliance with certain requirements of the financial responsibility rules.” For those financial responsibility rules, the 2013 Adopting Release is clear that it takes more than a single instance of non-compliance: “For example, the inadvertent failure to send one account statement out of thousands of such statements would not constitute non-compliance to a material extent with the Account Statement Rules though it would be an instance of non-compliance.”
An instance of non-compliance in either Rule 15c3-1 or Rule 15c3-3(e), however, is indicative of a material weakness. In the words of the SEC, “the final rule focuses on provisions that trigger notification requirements when they are not complied with, namely, Rule 15c3-1 and the customer reserve requirement in paragraph (e) of Rule 15c3-3,” which are the “core requirements of the financial responsibility rules.”
It is important to note that, as in the case of deficiencies, a material weakness can be found to exist even when no instances of non-compliance exist. The definition of material weakness in Rule 17a-5 includes control deficiencies that result in a “reasonable possibility that non-compliance with [Rule] 15c3-1 [or Rule] 15c3-3(e) … will not be prevented or detected on a timely basis.”
In addition to whether instances of non-compliance result in material weaknesses, counsel may be asked by management to advise on whether specific instances are in fact non-compliant with the Covered Financial Responsibility Rules. The complexity of those financial responsibility rules—particularly Rules 15c3-1 and 15c3-3—frequently give rise to interpretive questions. The Registered Public Accountant may be faced with interpretive matters that arise in a variety of contexts. Generally, as explained below, many of these issues involve some evaluation of the “evidence” gathered by the auditor.
Evidence
AT No. 1 states that, in order for the Registered Public Accountant “[t]o express an opinion on the assertions made by a broker or dealer in a compliance report, the auditor must plan and perform the examination engagement to obtain appropriate evidence that is sufficient to obtain reasonable assurance.” Regarding the meaning of “appropriate” and “sufficient,” AT No. 1 cross-references Audit Evidence: AS 1105, which generally links the term “appropriate” to the quality of the evidence and the term “sufficient” to the quantity of it. AS 1105 also provides guidance on evaluating the reliability of evidence.
For example, the reliability guidance states: “Evidence obtained directly by the auditor is more reliable than evidence obtained indirectly.” A practical example of the application of this guidance involves a representation by the securities firm to its Registered Public Accountant regarding the receipt of guidance from a regulator involving an issue under question. Rather than relying on the securities firm’s representation concerning the regulator’s guidance, the Registered Public Accountant may need to contact the regulator directly.
The reliability guidance also states: “Evidence obtained from a knowledgeable source that is independent of the company is more reliable than evidence obtained only from internal company sources.” This guidance is also implicated in the example above, but would also apply to written examination findings of regulators, such as FINRA. Attorneys that are advising securities firms regarding potential examination findings of non-compliance should be aware that those findings will be a source of reliable audit evidence under AS 1105, regardless of the likelihood of potential enforcement action by the regulator.
The reliability guidance regarding “[e]vidence obtained from a knowledgeable source that is independent of the company” also includes a note referencing “the evaluation of evidence from a company’s specialist.” Appendix A to AS 1105—“Using the Work of a Company’s Specialist as Audit Evidence”—“applies when an auditor uses the work of a company’s attorney as audit evidence,” but does not apply to information provided by a company’s attorney concerning litigation, claims, or assessments. Appendix A provides many specific requirements regarding the evaluation of the competence and work of specialists of all varieties. Appendix A directs the Registered Public Accountant to “assess the relationship to the company of the specialist and the entity that employs the specialist (if other than the company)—specifically, whether circumstances exist that give the company the ability to significantly affect the specialist’s judgments about the work performed, conclusions, or findings.” As acknowledged by the American Bar Association’s Model Rules of Professional Conduct, attorneys perform various functions when representing clients. They may serve as an “evaluator” by “examining a client’s legal affairs and reporting about them to the client or to others.” AS 1105 recognizes this role for attorneys: “[A]n auditor [may] use[] the work of a company’s attorney as audit evidence in other matters relating to legal expertise,” such as when the work involves “a legal interpretation of a contractual provision.”
Attorneys may also serve as an advocate, however, where the “lawyer zealously asserts the client’s position.” This may be the case when a material weakness or other deficiency involving a potential regulatory notification is under discussion. AS 1105 states that: “As the significance of the specialist’s work and risk of material misstatement increases, the persuasiveness of the evidence the auditor should obtain for those assessments also increases.” By acting as an advocate, outside counsel may be considered to be acting on behalf of the securities firm, as opposed to a “knowledgeable source that is independent of the company.”
Attorneys occasionally might question why Registered Public Accountants are not as eager to defend the interests of their client. By comparison to the professional standards for a lawyer, who is an advocate, the ethical standards applicable to Registered Public Accountants for all engagements require objectivity, and, in attest engagements, such as those required by Rule 17a-5, independence from the client and its affiliates.
The Exemption Report
Classes of Firms
As explained below, generally, securities firms that are not required to file the Compliance Report must file the Exemption Report. The Exemption Report is somewhat misnamed, because, in addition to being filed by firms that are specifically exempt from Rule 15c3-3, it is also filed by firms that do not meet the Rule 15c3-3(k) exemptions because they do not handle customer funds or because they have received a waiver from filing the Compliance Report from the SEC staff.
Paragraph (d)(1)(i)(B)(2) of Rule 17a-5 requires firms that claimed an exemption from Rule 15c3-3 during the year to file the Exemption Report. The exemptions in paragraph (k) of Rule 15c3-3 are specific. All anticipate that the firm will receive customer funds and securities and “promptly transmit” them. Paragraph (k)(1) limits the firm to certain activities, such as the sale and redemption of redeemable securities of registered investment companies or of interests or participations in an insurance company separate account. Paragraph (k)(2)(i) refers to the use of a Special Account for the Exclusive Benefit of Customers of the broker-dealer. Paragraph (k)(2)(ii) is limited to firms that introduce the accounts of their customers to be carried by another broker-dealer.
Many registered securities firms do not have contact with customer funds and securities, and, although they do not have responsibilities under Rule 15c3-3, they do not meet the specifics of the Rule 15c3-3(k) exemptions (“Non-Covered Firms”). As the terms of the rule only make the Exemption Report available to firms that fit within one of the Rule 15c3-3 exemptions, Non-Covered Firms would be required to file the Compliance Report, absent SEC exemptive action. The Commission recognized this problem and addressed it in footnote 74 of the 2013 Adopting Release: “There may be circumstances in which a broker-dealer has not held customer securities or funds during the fiscal year, but does not fit into one of the exemptive provisions … . [T]hese broker-dealers should file an exemption report and related accountant’s report.”
Footnote 78 of the 2013 Adopting Release addresses firms that have “limited custodial activities” and offers those firms an opportunity to seek exemptive relief from filing the Compliance Report. As discussed below, typically relief from filing the Compliance Report is only granted by the SEC staff if the firm agrees to file an Exemption Report.
Statements and Assertions
Like the Compliance Report, the Exemption Report relies heavily on statements that operate as assertions under the attestation standards. Paragraph (d)(4) of Rule 17a-5 provides:
The exemption report must contain the following statements made to the best knowledge and belief of the broker or dealer:
(i) A statement that identifies the provisions in [Rule] 15c3-3(k) under which the broker or dealer claimed an exemption from [Rule] 15c3-3;
(ii) A statement that the broker or dealer met the identified exemption provisions in [Rule] 15c3-3(k) throughout the most recent fiscal year without exception or that it met the identified exemption provisions in [Rule] 15c3-3(k) throughout the most recent fiscal year except as described under paragraph (d)(4)(iii) of this section; and
(iii) If applicable, a statement that identifies each exception during the most recent fiscal year in meeting the identified exemption provisions in [Rule] 15c3-3(k) and that briefly describes the nature of each exception and the approximate date(s) on which the exception existed.
The PCAOB adopted AT No. 2 in the same release that adopted AT No. 1 shortly after the SEC adopted the Rule 17a-5 amendments in the 2013 Adopting Release. AT No. 2 states:
When performing a review of the statements (“assertions”) made by a broker or dealer in an exemption report … , the auditor’s objective is to state whether, based upon the results of the review procedures, the auditor is aware of any material modifications that should be made to the broker’s or dealer’s assertions for the assertions to be fairly stated, in all material respects.
Regarding that objective, AT No. 2 further states: “[T]he auditor must plan and perform the review engagement to obtain appropriate evidence that is sufficient to obtain moderate assurance about whether one or more conditions exist that would cause one or more of the broker’s or dealer’s assertions” related to compliance with the Rule 15c3-3(k) exemptive provisions or the exceptions therefrom “not to be fairly stated, in all material respects.”
Classes of Firms and Related Statements and Assertions
As the statements and assertions drive the work to be done by the auditor, it is important that exemptions claimed by the broker-dealer on its FOCUS Report, Exemption Report, and FINRA membership agreement align with its business activities. It is possible that the firm’s activities are such that it might be relying on more than one exemption from Rule 15c3-3. For example, a firm might introduce some of its business on a fully disclosed basis to another broker-dealer, which would be exempt under Rule 15c3-3(k)(2)(ii), while conducting other activities in compliance with the exemption under paragraph (k)(2)(i). The SEC addressed this fact pattern in its “Frequently Asked Questions Concerning the July 30, 2013 Amendments to the Broker-Dealer Financial Reporting Rule” and indicated that “[t]he broker-dealer should reflect both exemption provisions supporting its claim of exemption in the exemption report and should also identify any applicable exceptions under each [exemption],” as well as indicate each exemption provision on its FOCUS Report.
The SEC FAQ also addresses Non-Covered Firms. In addition to making it clear that those firms should not check an exemption box on their FOCUS Reports, the SEC FAQ provides:
A Non-Covered Firm … should include in the exemption report a description of all the firm’s business activities and a statement that during the reporting period the firm (1) did not directly or indirectly receive, hold, or otherwise owe funds or securities for or to customers, other than money or other consideration received and promptly transmitted in compliance with paragraph (a) or (b)(2) of Rule 15c2-4; (2) did not carry accounts of or for customers; and (3) did not carry PAB accounts (as defined in Rule 15c3-3).
The SEC FAQ further provides:
A Non-Covered Firm that limits its business activities exclusively to one or more of the following would be eligible to file an exemption report:
(1) proprietary trading;
(2) effecting securities transactions via subscriptions;
(3) receiving transaction-based compensation for identifying potential merger and acquisition opportunities for clients, referring securities transactions to other broker-dealers, or providing technology or platform services;
(4) participating in distributions of securities (other than firm commitment underwritings) in accordance with the requirements of paragraphs (a) or (b)(2) of Rule 15c2-4; or
(5) engaging solely in activities permitted for capital acquisition brokers (“CAB”) as defined in FINRA’s CAB rules and approved for membership in FINRA as a CAB.
Presumably firms that do not handle customer funds or securities but engage in other securities activities not listed above could seek relief from the Commission from filing the Compliance Report under footnote 78 of the 2013 Adopting Release. The SEC FAQ provides guidance on how those requests should be filed.
Attorneys advising firms that have “limited custodial activities,” as contemplated by footnote 78, and are seeking relief from filing the Compliance Report should anticipate that the Commission staff may seek that the firm’s Registered Public Accountant cover those activities in its Exemption Report review. That coverage can be accomplished by agreeing to a statement (i.e., assertion) to be included in the Exemption Report regarding the safekeeping processes related to those activities, as the scope of work by the Registered Public Accountant is driven by the assertions. As such, the assertion should be crisply worded and vetted with the Registered Public Accountant to ensure the design of appropriate review procedures.
Exceptions
As stated earlier, Rule 17a-5(d)(4)(iii) requires that the Exemption Report include a statement that identifies any “exception during the most recent fiscal year in meeting the identified exemption provisions in [Rule] 15c3-3(k) and that briefly describes the nature of each exception and the approximate date(s) on which the exception existed.” On occasion, attorneys are consulted when exceptions are discovered. Apprehension may arise that an exception from compliance with the Rule 15c3-3(k) exemption will result in the firm being required to comply with Rule 15c3-3 generally and file a Compliance Report. As discussed below, those concerns were voiced by commentators and addressed in the 2013 Adopting Release.
The SEC’s proposal did not require a statement regarding exceptions. The exception-statement requirement in paragraph (d)(4)(iii) of Rule 17a-5 was added in the adopting release in response to comments received. For example, in its comment letter, SIFMA acknowledged that, under the proposal, the Registered Public Accountant would be required to “disclose any ‘material modifications’ that should be made to the broker-dealer’s assertion in the Exemption Report.” SIFMA then pointed out that the 2011 Proposing Release stated that “an example of a discovery that would necessitate a material modification would be a discovery that the broker-dealer failed to promptly forward any customer securities it received.” SIFMA asked for guidance on the determination of material modifications and stated that procedural errors, such as “bank errors, clerical errors or any factor outside the control of the broker-dealer,” should not warrant the material modification of a statement in the broker-dealer’s Exemption Report.
The SEC added the exception-statement requirement to
address commenters’ concerns that the proposed exemption report assertion would create an unworkable standard given the possibility that a broker-dealer might have instances of exceptions to meeting the exemption provisions in paragraph (k) of Rule 15c3-3 and that the proposed requirements with respect to the exemption report did not explicitly provide how exceptions should be treated.
… .
This modification from requiring the broker-dealer to state an absolute (i.e., that it is exempt from Rule 15c3-3) allows the broker-dealer to account for instances in which it had exceptions to meeting the exemption provisions in paragraph (k) of Rule 15c3-3 directly in the exemption report (rather than having to file the compliance report).
Conclusion
As it was adopted eighty years ago and only eight years after the creation of the SEC, Rule 17a-5 has certainly withstood the test of time. Like many SEC rules, it went through major revisions following significant events in the securities industry. Those revisions to Rule 17a-5 came in the mid-1970s following the Paper Work Crisis and more recently in 2013 after the Madoff scandal. In addition to strengthening the protections provided in the rule by requiring, for example, a compliance examination on key financial responsibility rules, the 2013 Amendments far more closely align with the auditing and attestation standards of today.
