IA & BD Best Practices That Set the Tone for the Year 

Q1 Annual Testing Kickoff 

The Moment That Matters 

Q1 is not just the start of the calendar year; it is the moment regulators quietly calibrate their expectations. By the time most examinations begin, firms have already told their story through what they tested, how they documented it, and what they chose to prioritize. 

Annual testing is not a box to check. It is the clearest signal of how a firm understands its risk. 

Why Q1 Sets the Narrative 

Regulators do not view annual testing as a retrospective exercise. They view it as evidence of governance. Firms that treat Q1 testing as a rushed, backward-looking requirement often find themselves explaining gaps later, during exams, deficiency letters, or enforcement inquiries. 

By contrast, firms that use Q1 to anchor a thoughtful, risk-based testing program tend to control the narrative. Their testing aligns with real operations. Their documentation anticipates examiner questions. Their remediation is already underway before anyone asks. 

What “Good” Actually Looks Like in Practice 

Testing That Reflects How the Firm Really Operates 
Best-in-class programs test reality, not policy language. That means reviewing how fees are actually calculated, how communications are actually used, how trades are actually reviewed, and how vendors actually access data. When testing relies solely on attestations or static checklists, regulators notice. 

Clear Risk Prioritization 
Not all risks are equal, and Q1 is the time to prove the firm knows the difference. Strong programs explicitly tie testing areas to regulatory focus, business changes, prior findings, and emerging risks rather than treating every topic as interchangeable. 

Integrated IA and BD Testing Where It Matters 
For dual registrants, siloed testing is increasingly hard to defend. Regulators expect coordination, particularly around supervision, communications, conflicts, compensation, and surveillance. The strongest firms test holistically, even where rules diverge. 

Documentation That Tells a Story 
Annual testing should read like a narrative, not a spreadsheet. Why was this area tested? What was reviewed? What did the firm conclude? What changed as a result? When documentation answers those questions clearly, exams move faster and with fewer surprises. 

Areas Not to Miss 

Evergreen Risks and What’s Currently in Focus 

Every annual testing cycle includes familiar terrain, and it should. Certain risks never fall out of regulatory focus, but testing is also where firms demonstrate they are paying attention to what is changing, not just what has always been there. 

Strong programs strike that balance deliberately. 

Evergreen Testing Areas 
These are the foundational risks regulators expect to see tested every year, regardless of firm size or business model: 

• Fees and Expenses – Accuracy, consistency with disclosures, timing, and allocation. Fee testing remains one of the fastest ways regulators assess a firm’s controls and credibility. 

• Conflicts of Interest – Identification, disclosure, mitigation, and monitoring—particularly where compensation structures, affiliations, or revenue-sharing arrangements exist. 

• Best Execution and Trade Oversight – Including documentation of reviews, exception handling, and follow-up where outcomes deviate from expectations. 

• Marketing and Communications – Substantiation, recordkeeping, supervision, and adherence to current rule requirements across platforms. 

• Books and Records – Not just retention, but accessibility, completeness, and supervisory review. 

• Supervision and Escalation – Evidence that issues are identified, elevated, and resolved, not merely acknowledged. 

These areas are not “basic.” They are durable indicators of how seriously a firm approaches compliance. 

Currently in Focus 

Layered on top of evergreen risks are areas where regulators are spending more time, asking better questions, and expecting more thoughtful testing: 

• Electronic Communications and Off-Channel Risk – How firms supervise, retain, and test communications across platforms actually used by employees. 

• Annual Compliance Reviews and Testing Governance – Whether testing is risk-based, iterative, and tied to remediation—not static or recycled. 

• Vendor Oversight and Cybersecurity Controls – Particularly where service providers access nonpublic information or support critical functions. 

• Conflicts Embedded in New Products or Services – Including private funds, alternatives, rollovers, referral arrangements, and compensation changes. 

• Integrated IA/BD Supervision – For dual registrants, consistency in oversight where risks overlap, even when rules differ. 

• Use of Technology and AI Tools – How tools are selected, supervised, and tested, and whether reliance on automation is supported by governance. 

What matters most is not whether every area applies equally, but whether the firm can clearly explain why certain areas were emphasized and others were not. 

The Most Common Testing Missteps 

• Treating annual testing as a single deliverable instead of an ongoing process 

• Relying too heavily on certifications without independent verification 

• Repeating last year’s testing plan without adjusting for business or regulatory changes 

• Identifying issues without clear ownership, timelines, or escalation paths 

• Waiting until Q4 to address findings that were known in Q1 

These are not technical failures. They are governance failures, and they are exactly what regulators look for. 

The Opportunity Firms Often Miss 

Annual testing is one of the few moments each year when compliance, supervision, operations, and leadership naturally intersect. Firms that use it strategically gain more than regulatory comfort; they gain operational clarity. 

When done well, annual testing sharpens policies, informs training, strengthens surveillance, and supports better decision-making across the business. It becomes a tool, not a task. 

A More Durable Way Forward 

The firms that stand out in exams are not perfect. They are intentional. Their testing reflects judgment, not fear. Their documentation reflects thought, not repetition. And their programs evolve as the business evolves. 

That level of maturity does not happen accidentally. It comes from experience—understanding how regulators think, how firms actually function, and where risk quietly accumulates if no one is looking closely enough. 

Compliance Risk Concepts (CRC) works at that intersection: helping annual testing become a strategic advantage rather than a regulatory obligation.