Annual Supervisory Control Report

FINRA Rule 3120(b) requires your designated principal(s) to prepare an annual Supervisory Control Report that summarizes supervisory control testing performed, significant exceptions identified, and any additional or amended supervisory procedures adopted based on those results (FINRA Rule 3120). To operationalize it, run a documented annual test plan, capture issues and remediation, update procedures, and produce a management-ready report with traceable evidence.

Key takeaways:

  • The report must summarize testing, significant exceptions, and supervisory procedure changes (FINRA Rule 3120).
  • “Designated principal(s)” ownership is explicit; assign accountable authorship and review/sign-off.
  • Build the report from a controlled workflow: test plan → results → exceptions → remediation → procedure updates → final report package.

An annual Supervisory Control Report is not a narrative recap of your compliance year. It is a specific FINRA requirement tied to your Supervisory Control System (SCS): you must test supervisory controls, identify meaningful breakdowns, fix them, and document what changed in your supervisory procedures as a result (FINRA Rule 3120). Examiners typically look for two things: (1) evidence that testing was real (scoped, executed, and evidenced), and (2) evidence that your firm learned from the results (exceptions were triaged, remediated, and translated into supervisory procedure updates).

For a CCO, GRC lead, or supervisory principal, the fastest path is to treat the report as the final artifact produced by a repeatable annual cycle. That cycle needs defined ownership (designated principal(s)), a testing inventory mapped to your supervisory procedures, a consistent definition of “significant exception,” and a mechanism to track corrective actions through closure. If you do those pieces well, the report becomes straightforward: a structured summary with appendices that point to the underlying workpapers and updated procedures.

Regulatory text

Requirement excerpt: “The designated principal(s) must prepare, at least annually, a report summarizing the test results and significant identified exceptions, and any additional or amended supervisory procedures.” (FINRA Rule 3120)

Operator interpretation (what this means in practice):

  • You must test your supervisory controls (the “supervisory control system” testing that sits behind this annual report requirement).
  • Designated principal(s) must prepare the report. You can delegate drafting, but keep accountable ownership and review with the designated principal(s).
  • The report must include three content elements:
    1. a summary of test results,
    2. significant identified exceptions, and
    3. additional or amended supervisory procedures adopted because of the testing (FINRA Rule 3120).
  • The report is at least annual, so you need a dependable cadence and a controlled process that produces the artifact on time (FINRA Rule 3120).

Plain-English requirement (what you’re being asked to prove)

FINRA expects you to show, once each year, that you actively tested whether supervision is working, you found and escalated meaningful breakdowns, and you updated supervisory procedures when testing revealed weaknesses (FINRA Rule 3120). The report is the “boardroom translation” of the year’s supervisory control testing: concise enough for senior management, but backed by workpapers that demonstrate depth.

Who this applies to

Entity scope

  • Broker-dealers subject to FINRA supervision requirements (FINRA Rule 3120).
  • Registered representatives are listed in the applicability data, but operationally the obligation to prepare the report sits with firm supervisory leadership through the designated principal(s) (FINRA Rule 3120).

Operational context (where this shows up)

  • Firms with written supervisory procedures (WSPs) and a supervisory control system that performs periodic testing across sales practices, communications, trading, operations, AML-adjacent controls, and other supervised activities.
  • Any firm where supervision relies on a mix of people, workflows, and systems. Testing should cover both manual and automated supervisory controls because both can fail.

What you actually need to do (step-by-step)

1) Assign accountable ownership to designated principal(s)

  • Name the designated principal(s) who are responsible for preparing the annual report (FINRA Rule 3120).
  • Document roles:
    • Accountable: designated principal(s) (final content and sign-off).
    • Responsible: compliance/testing owners who execute and draft.
    • Consulted: business supervisors, operations, risk, legal (as applicable).
    • Informed: senior management recipients.

2) Define the report scope and “significant exception” criteria

Create a short internal standard that answers:

  • What testing is in-scope for the report (supervisory control testing performed during the year) (FINRA Rule 3120).
  • What counts as a significant exception. Keep it operational and defensible, for example:
    • repeat issue pattern,
    • customer impact risk,
    • regulatory rule breach risk,
    • supervisory procedure gap,
    • control design failure vs. isolated execution miss.

Then apply the definition consistently and retain the rationale for why items were or were not “significant.”

3) Build and approve an annual supervisory control testing plan

Your testing plan is the spine of the report. At minimum, maintain:

  • Testing inventory (test name, control/procedure tested, owner, timing, population/source).
  • Test steps and expected evidence.
  • Documentation standards (how results and exceptions are recorded).
  • Escalation path for significant exceptions.

If you already run periodic testing throughout the year, consolidate it into a single plan register so the annual report can reference “what we planned vs. what we executed.”

4) Execute testing and capture workpapers in a controlled repository

For each test, retain:

  • population selection logic,
  • samples and results,
  • reviewer notes,
  • identified exceptions,
  • severity classification (including whether “significant” and why),
  • corrective action tickets and status.

This is where tools can help. Many firms use a GRC workflow so exceptions, action plans, and procedure updates are linked. If you run Daydream for compliance operations, set it up so each test has a record, attachments, an exception log, and mapped procedure references; the annual report becomes a generated management summary plus linked evidence.

5) Triage exceptions and document remediation through closure

FINRA’s text requires that you summarize significant exceptions (FINRA Rule 3120). Practically, your exception workflow should answer:

  • What happened?
  • Root cause (design gap, training gap, monitoring gap, tooling gap).
  • Interim risk decision (e.g., heightened review, temporary restriction).
  • Corrective action owner and due date (firm-defined).
  • Validation testing or confirmation method.

Avoid closing actions on “policy updated” alone. If a procedure changed, capture how you verified the new procedure is operating as intended (for example, follow-up sample review).

6) Update supervisory procedures and show the linkage to testing

The rule explicitly calls out “any additional or amended supervisory procedures” (FINRA Rule 3120). Your report should not just attach revised WSPs; it should explain:

  • which testing results drove each update,
  • what changed (supervision step, surveillance parameter, escalation threshold, documentation requirement),
  • effective date and training/communication approach.

Create a simple crosswalk table: Exception → Remediation → Procedure update → Evidence.

7) Draft the Annual Supervisory Control Report (management-ready format)

A practical structure that aligns to the requirement language (FINRA Rule 3120):

  1. Executive summary
    • overview of testing performed
    • themes and top risks observed
  2. Testing performed
    • list of tests, dates, owners, high-level outcomes
  3. Significant exceptions
    • description, impact/risk, root cause, corrective actions, status
  4. Supervisory procedure changes
    • additions/amendments made due to testing, with references to updated WSP sections
  5. Appendices
    • testing plan register
    • detailed workpaper index
    • action plan log
    • copies or redlines of updated procedures (or controlled references)

8) Deliver, attest, and retain the full report package

FINRA’s provided summary indicates the annual report must be prepared and submitted to senior management (FINRA Rule 3120). Treat submission as a controlled event:

  • management recipients list,
  • meeting agenda/minutes reference (if applicable),
  • sign-off/attestation by designated principal(s),
  • retention in your books-and-records repository with access controls.

Required evidence and artifacts to retain

Keep a “report package” that can survive examiner scrutiny:

  • Final Annual Supervisory Control Report with version history (FINRA Rule 3120).
  • Evidence of designated principal(s) preparation/review (signature page, approval workflow record) (FINRA Rule 3120).
  • Annual testing plan register and any mid-year changes.
  • Workpapers per test (inputs, samples, outputs, reviewer notes).
  • Exceptions log with significance determinations and rationale.
  • Corrective action plans and closure evidence.
  • Updated supervisory procedures (WSP updates), with cross-references to the exceptions/testing that prompted them (FINRA Rule 3120).
  • Evidence of submission to senior management (distribution list, email record, portal upload record, meeting minutes reference) (FINRA Rule 3120).

Common exam/audit questions and hangups

Expect these lines of inquiry:

  • “Show me the annual report and who prepared it.” Examiners will look for designated principal(s) ownership (FINRA Rule 3120).
  • “Walk me from a significant exception to remediation to WSP change.” They want traceability to “additional or amended supervisory procedures” (FINRA Rule 3120).
  • “How did you decide what was significant?” If you can’t explain severity criteria, your report reads like selective disclosure.
  • “Did you complete the testing you said you would?” Gaps between the plan and execution need documented rationale and rescheduling.
  • “Where is the evidence for this summary statement?” Every high-level claim in the report should point to a workpaper or log entry.

Frequent implementation mistakes (and how to avoid them)

  1. Writing the report from memory at year-end.
    Fix: run a living test register and exception log all year, then compile.

  2. No definition of “significant identified exceptions.”
    Fix: adopt criteria, document it, and apply it consistently (FINRA Rule 3120).

  3. Reporting exceptions without closure mechanics.
    Fix: require owner, corrective action, validation approach, and closure evidence in the exception log.

  4. Updating WSPs without connecting updates to test results.
    Fix: add a crosswalk section that ties testing outcomes to procedure amendments (FINRA Rule 3120).

  5. Delegation without designated principal(s) accountability.
    Fix: allow drafting support, but keep approval workflow and attestations with the designated principal(s) (FINRA Rule 3120).

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this requirement, so this page does not cite specific cases. Practically, weak annual reporting creates two risks: (1) you cannot demonstrate a functioning supervisory control system to FINRA, and (2) known issues can repeat because procedure updates and remediation validation were not governed and evidenced (FINRA Rule 3120).

Practical 30/60/90-day execution plan

Days 1–30: Stabilize ownership, scope, and data

  • Confirm designated principal(s) and approval workflow for the annual report (FINRA Rule 3120).
  • Write “significant exception” criteria and a standard exception record template.
  • Inventory what supervisory control testing you already perform and consolidate into a single register.
  • Choose the system of record for workpapers and action tracking (GRC tool, controlled repository, or Daydream workflow).

Days 31–60: Run testing to the standard and fix traceability

  • Standardize test workpapers and naming conventions so summaries can be evidenced quickly.
  • Begin/continue testing using the consolidated plan; log results and exceptions.
  • Establish a corrective action workflow with documented closure evidence.
  • Start a WSP change log that captures “why” for every update tied to testing results (FINRA Rule 3120).

Days 61–90: Produce the report package and rehearse for exam questions

  • Draft the annual report using the required sections: test results, significant exceptions, and procedure amendments (FINRA Rule 3120).
  • Build the crosswalk: exception → remediation → WSP update → evidence link.
  • Run an internal challenge session: have someone uninvolved ask examiner-style questions and verify you can produce evidence fast.
  • Finalize submission mechanics to senior management and retain delivery evidence (FINRA Rule 3120).

Frequently Asked Questions

Who exactly has to write the Annual Supervisory Control Report?

FINRA Rule 3120(b) assigns responsibility to the designated principal(s) to prepare the report (FINRA Rule 3120). Drafting can be supported by compliance staff, but keep documented principal review and approval.

What must be included in the report?

The report must summarize test results, significant identified exceptions, and any additional or amended supervisory procedures (FINRA Rule 3120). Build it so every summary statement can be traced to a workpaper, exception log entry, or WSP update record.

What qualifies as a “significant” exception?

FINRA Rule 3120(b) requires “significant identified exceptions” but does not define “significant” in the provided excerpt (FINRA Rule 3120). Define criteria internally, apply them consistently, and retain the rationale for each classification decision.

Do we need to show remediation in the report?

The provided plain-language summary states the report should include remedial actions taken and modifications implemented as a result of testing (FINRA Rule 3120). Even if remediation detail is summarized at a high level, keep the action plan log and closure evidence in the report package.

Can we submit a slide deck instead of a narrative report?

The rule requires a “report” that summarizes specific elements (FINRA Rule 3120). A slide deck can work if it clearly covers required content and you retain appendices/workpapers that substantiate it.

How should we retain evidence so it’s exam-ready?

Store the final report with an index that links to the testing register, workpapers, exception log, corrective actions, and WSP redlines or controlled references (FINRA Rule 3120). The goal is fast traceability from report line-items to underlying evidence.
