Mock SEC Cyber Audit

A tabletop simulation structured around an actual SEC cybersecurity examination — the request-for-information letter, the documentation categories examiners pull, and the control evidence they expect to see. Use it to identify where your program falls short before an examiner does.


How the mock audit works

The mock audit process mirrors the real-world regulatory environment. It draws on SEC Rule 206(4)-7 (the compliance program rule), Regulation S-P (safeguarding and privacy of customer information), Regulation S-ID (identity theft red flags) and, for dually registered firms, FINRA supervisory rules: the same authorities an actual SEC examination of a registered investment adviser tests against.

The exercise begins with a Request for Information letter modeled after actual examination notices. Your team responds as if the SEC had sent it. That process surfaces documentation gaps, control weaknesses, and evidence deficiencies in a controlled setting — with time to remediate before regulators arrive.

The mock audit covers incident response, access controls, training records, cybersecurity hygiene, and third-party risk management — the categories that appear in every examination request list. It is equally useful as an internal compliance exercise and as a structured engagement run by an outside adviser.

Step 1

Receive the RFI

The exercise begins with a Request for Information letter structured like an actual SEC examination notice, covering fourteen documentation categories.

Step 2

Gather responses

Treat the RFI as real. Pull the documents, assemble the evidence, and note every category where documentation is missing, outdated, or incomplete.

Step 3

Identify the gaps

Every item you cannot produce is a potential deficiency finding. The gap list becomes your remediation roadmap — addressed on your timeline, not the examiner's.

Request for Information

What the examination requests

The following is the examination information request letter as structured in the mock audit. Categories are drawn directly from actual SEC examination request lists. The complete letter, including the examination notice format, is in the downloadable PDF.

"The staff of the U.S. Securities and Exchange Commission is conducting an examination of the Adviser pursuant to Section 204 of the Investment Advisers Act of 1940. The aim is to assess the Adviser's compliance with the Advisers Act and its rules, with a particular focus on cybersecurity practices and protections. Please provide the following documentation and records pertaining to the period from January 1, 2022 through [examination date]."

For each of the fourteen categories, the entry lists what the examiner wants and the gap most commonly found when firms try to produce it.

1. Policies & Procedures Manual
What the examiner wants: Most recent version, including amendments related to cybersecurity and client data protection, with the dates of all updates.
Common gap: Policies exist but revision history is not documented; the 2024 Reg S-P amendments are not incorporated.

2. Employee Technology Usage Agreements
What the examiner wants: Signed agreements for all employees and contractors with system access.
Common gap: Agreements exist but not all staff have signed; no version tracking.

3. Cyber Incident Response Logs
What the examiner wants: Records of all incidents during the examination period, including dates, nature, and response actions taken.
Common gap: No formal incident log; incidents were addressed but not documented.

4. User Access Rights Documentation
What the examiner wants: Current access lists plus a history of changes with authorization records.
Common gap: Current state is documented but change history is absent.

5. Cybersecurity Infrastructure Outline
What the examiner wants: Overview of cybersecurity tools, processes, teams, and architecture.
Common gap: An MSP manages the infrastructure but the firm has no written summary it can produce.

6. Risk Assessment Reports
What the examiner wants: Most recent formal risk assessment with findings, ratings, and remediation status.
Common gap: The risk assessment was conducted verbally or informally; nothing is in writing.

7. Training Records
What the examiner wants: Completion records, dates, topics, and participant groups for all training events.
Common gap: Training occurred but completion records were not retained.

8. Vendor Management Policies
What the examiner wants: Policies for managing third-party vendors, their cybersecurity requirements, and the due diligence process.
Common gap: A policy exists but the vendor inventory is incomplete; not all vendors have executed contracts.

9. Incident Response Plan
What the examiner wants: Current written IRP with named roles, decision triggers, and notification steps.
Common gap: The IRP exists but has not been tested; tabletop records are absent.

10. Audit Logs
What the examiner wants: Samples of logs tracking user activities, access changes, and system events.
Common gap: Logs exist in cloud platforms but the firm does not know how to retrieve them.

11. Client Data Privacy Policies
What the examiner wants: Policies for safeguarding client NPI, including Reg S-P notice procedures.
Common gap: A privacy notice exists but the safeguards policy is not a distinct document.

12. Business Continuity & DR Plans
What the examiner wants: Current plans addressing restoration of operations following a cyber incident.
Common gap: A general BCP exists but does not address cybersecurity incident recovery specifically.

13. Data Retention & Destruction Policies
What the examiner wants: Policies for how client data is stored, archived, and securely deleted.
Common gap: A retention schedule exists for records purposes but does not address NPI deletion.

14. Patch Management Documentation
What the examiner wants: Records demonstrating timely application of security patches and updates.
Common gap: The MSP handles patching but the firm has no documentation it can produce as evidence.

What to expect

How deficiency findings are generated

Most cybersecurity deficiency findings at RIAs do not result from sophisticated attacks or technical failures. They result from documentation gaps. The most common patterns across examination deficiencies:

- Policies that exist in practice but are not written down.
- Controls that are in place but have no evidence trail, such as patching or log retention handled by an MSP with nothing the firm itself can produce.
- Processes that were designed but never tested, such as an incident response plan with no tabletop records.

Each of these is a solvable problem, but only if it is identified before the examination begins. That is what the mock audit is for.

Next steps

After the mock audit

Running the mock audit tells you where the gaps are. What happens next depends on how significant the gaps are and how much runway you have before an examination.

Firms with significant documentation gaps or limited internal capacity typically engage MTradecraft's Cyber Compliance Consultant service — which delivers the remediation work itself rather than a list of recommendations. The onboarding CRVT in the first quarter covers the same ground as the mock audit, but produces the deliverables rather than identifying their absence.

Firms that prefer to build internally use the gap list as a project plan, often pairing it with BrainTrust Premium for the policy templates, the annual review template, and the mock audit scoring guide.


Download the mock audit

The full examination notice, information request letter, and gap-scoring guide are in the PDF. Enter your email to download. The same address subscribes you to BrainTrust Free.
