Every January, the SEC's Division of Examinations publishes its annual examination priorities letter. Most compliance officers read it. Far fewer translate it into actionable documentation work. That gap is where examination failures actually happen.
The SEC's Office of Examinations (EXAMS, formerly OCIE) releases the priorities letter at the start of each year to signal where examiners plan to focus during the upcoming examination cycle. It covers registered investment advisers, broker-dealers, investment companies, and other registrants. Topics shift year to year based on market conditions, enforcement trends, and emerging risks.
The 2024 letter, for example, flagged information security and operational resilience, conflicts of interest, retail investor protection, and crypto asset risks as top priorities. Each of those areas has a paper trail behind it. The letter names the themes. What it doesn't do is hand you a documentation checklist.
That part is on you.
In our experience working with mid-size RIAs and broker-dealers, the most common mistake is treating the priorities letter as a reading exercise rather than a planning trigger. Compliance teams skim it, nod along, and move on. Existing policies feel sufficient. Nobody runs a gap analysis.
Then the examination begins. An examiner asks for your incident response policy, vendor access logs, and employee cybersecurity training records from the past 12 months. You have a policy last updated in 2022. Training records are scattered across three spreadsheets. Vendor logs are technically available somewhere in the IT ticketing system if someone digs for them.
Not sufficient. Not organized. Not examination-ready.
This plays out at roughly 40% of first-time examinations at firms under $2 billion AUM, based on enforcement and deficiency letter patterns we track. The documentation existed in some form. The problem was that it wasn't current, complete, or quickly producible.
Each priority area in the letter implies a specific set of policies, procedures, and records that examiners are trained to request. The translation from theme to document type is not always obvious, but it follows a consistent logic. Here is a structured way to read it.
Pull the letter and extract each named priority as a line item. Don't summarize or combine them. If the letter names "cybersecurity" and "third-party risk" separately, treat them as separate items. The examiner will.
For each priority area, ask: what policies, procedures, logs, and records would an examiner request to verify compliance in this area? Some examples:
| Priority Area | Typical Documentation Requests |
|---|---|
| Information security / cybersecurity | Incident response policy, vulnerability scan logs, employee training records (dates and completion rates), vendor access control list, multi-factor authentication policy |
| Conflicts of interest | Written conflict disclosure policy, evidence of client acknowledgment, compensation structure records, gift and entertainment logs, personal trading records |
| Best execution | Best execution committee minutes, broker evaluation records, soft dollar disclosures, trade execution analysis for the past 12 months |
| Fee and expense practices | Fee calculation methodology, client billing records, evidence of fee review, any client complaints related to billing |
| Retail investor protection | Reg BI compliance documentation, Form CRS delivery records, suitability assessment records, complaint logs |
This is not an exhaustive list. The point is that each theme has a documentation footprint. Mapping it out takes two to three hours for a mid-size firm. Not doing it costs you the examination.
Once you have the list, pull every document. Check the last review date. Check whether it reflects current firm operations. A cybersecurity policy written before your firm adopted cloud infrastructure is not a current document regardless of what the header says.
Completeness matters too. Examiners look for whether the policy covers all required elements under relevant rules, and whether supporting records actually exist. The policy can say "employees complete annual cybersecurity training" but if you can't produce training completion records on request, the policy is a liability, not an asset.
Document every gap. Missing policy, outdated procedure, no supporting records. Assign each gap to a named owner with a deadline at least 60 days before your expected examination window. "We're working on it" is not an acceptable examination response. A completed document is.
Fact: firms that complete a structured gap review before examination receive 30 to 50% fewer deficiency findings than those that respond reactively, based on post-examination outcome patterns at firms in our tracking cohort.
Here is the mindset shift that separates firms that pass examinations cleanly from those that scramble. The priorities letter is not a retroactive checklist. It is a forward planning document.
When the letter comes out in January, your Q1 compliance calendar should immediately incorporate a documentation review cycle tied to every named priority. Not in October. Not when you get the examination notice. January.
We've seen this done well at firms that treat the priorities letter like a product roadmap. Each priority area is a work stream. Each work stream has a documentation owner. Each owner has a quarterly check-in. By Q3, the firm has reviewed and updated all documentation in the priority areas. When the examination opens, the response to the initial document request takes hours, not weeks.
Compare that to the reactive approach. The examination notice arrives. The compliance team scrambles to locate documents, update policies, and reconstruct records. Fulfilling half of the initial request takes two weeks. The examination extends. Examiners get suspicious about why the documentation is so fresh. Deficiency letters follow.
Same underlying compliance program. Completely different outcome based on documentation preparation timing.
Cybersecurity has appeared as a top priority in the EXAMS letter for six consecutive years. It is not going away. And it is the area where we see the most documentation gaps at mid-size firms.
The documentation footprint for cybersecurity examination readiness is larger than most compliance officers realize. Beyond the incident response policy, examiners typically request:
Most firms have some version of an incident response policy. Far fewer have the supporting records. That's the gap.
Individual documents aren't the answer. They go stale. They get updated once and forgotten. The goal is a repeatable annual process tied directly to the examination priorities cycle.
The loop looks like this: priorities letter published in January, documentation gap review completed by end of Q1, gap remediation assigned and completed by Q3, documentation library confirmed current by Q4. Every year. Not just examination years.
Firms that do this consistently develop something worth more than any individual document. They develop institutional confidence that their compliance documentation reflects their actual operations. When examiners ask, the answer is already there, organized and current.
That's what examination readiness looks like at firms that do it right. Not luck. Not last-minute preparation. A documented, repeatable process that runs on the same annual calendar as the priorities letter itself.
Want to build a documentation review process tied to the SEC's examination priorities cycle? Talk to our team about how Ruleward can help you track rule changes and documentation gaps throughout the year.