Custody: Surprise Examinations (SEC 206(4)-2)
If your SEC-registered investment adviser has custody of client funds or securities, you must arrange a surprise examination by an independent public accountant at least once per calendar year, unless you properly qualify for and meet the private fund “audit alternative.” Build a custody determination, pick the correct path, contract the accountant, and retain proof that all assets were verified. (17 CFR 275.206(4)-2(a)(4))
Key takeaways:
- Custody triggers an annual surprise exam unless you meet the audit alternative requirements for pooled vehicles. (17 CFR 275.206(4)-2(a)(4))
- Multi-year failures are a recurring SEC enforcement theme; tracking and scheduling are operational, not theoretical, controls. (IA-6688; IA-6491)
- Examiners commonly test whether you verified all client assets and whether Form ADV custody disclosures match what you did in practice. (17 CFR 275.206(4)-2(a)(4); 2024-exam-priorities)
The custody rule surprise examination requirement is one of the fastest ways to turn a routine SEC exam into a deficiency letter or an enforcement referral: it is binary, time-bound (calendar-year based), and easy for exam staff to validate with a single document request. If you have “custody” because you hold client assets, can move them, or sit in roles like trustee or co-trustee with authority, you should assume the SEC will ask for proof of the annual surprise exam, the accountant engagement, and the scope of verification. (17 CFR 275.206(4)-2(a)(4); IA-6688)
Operationally, most failures are not sophisticated fraud schemes. They are breakdowns in (1) custody identification, (2) selecting the correct compliance pathway (surprise exam vs. audit alternative), and (3) project management with an independent accountant early enough to complete the work inside the calendar year. Enforcement orders show the SEC will charge long-running failures to obtain surprise examinations, even where the firm’s issue is a persistent compliance gap rather than a single bad event. (IA-6688; IA-6491)
This page is written for a CCO, GC, or CCO-adjacent operator who needs to implement the custody rule surprise examination requirement (SEC 206(4)-2) quickly, document it cleanly, and answer exam questions without scrambling.
Requirement summary (plain English)
If your adviser has custody of client funds or securities, an independent public accountant must conduct a surprise examination at least once per calendar year. The exam must verify client funds and securities by actual examination or by confirmation from the qualified custodian. (17 CFR 275.206(4)-2(a)(4))
Private fund advisers may have an alternative route in certain cases, typically by distributing audited financial statements within the required timeframe, but you must meet that alternative’s conditions in full. If you miss the conditions, you are exposed to a custody rule failure because you effectively completed neither path. (IA-6491)
Who it applies to
In-scope entities
- SEC-registered investment advisers (RIAs) that maintain custody of client funds or securities. (17 CFR 275.206(4)-2(a)(4))
In-scope operational contexts (common custody triggers)
Use a custody determination process that explicitly checks for:
- Adviser or supervised person ability to withdraw or transfer client cash/securities (including standing letters of authorization if they confer broad authority; treat as a legal analysis item for counsel).
- Adviser serving as trustee or co-trustee with authority over client assets, even if the adviser also provides investment advice. This fact pattern appears in SEC enforcement. (IA-6688)
- Pooled vehicles/private funds where the adviser controls fund bank or brokerage accounts, signs checks, or otherwise can move assets.
Out-of-scope (but confirm with counsel)
If you truly have no custody (and no indirect custody), the surprise examination requirement does not apply. Your burden is proof: keep the custody analysis that supports the conclusion.
Regulatory text
The rule requires that an adviser with custody “shall be subject to surprise examination by an independent public accountant at least once per calendar year” and that the exam must “verify all funds and securities” by actual examination or confirmation from the qualified custodian. (17 CFR 275.206(4)-2(a)(4))
Operator translation:
- Decide, with documentation, whether you have custody.
- If yes, either (a) complete a surprise exam within each calendar year, or (b) if eligible, satisfy the audit alternative requirements for pooled vehicles and keep proof you met them.
- Keep artifacts that show the accountant was independent and that the verification covered all client assets in scope. (17 CFR 275.206(4)-2(a)(4))
What you actually need to do (step-by-step)
Step 1: Run a custody determination (make it auditable)
- Inventory all client relationships and account types (separately managed accounts, ERISA, trusts, pooled vehicles, advisory affiliates).
- For each, document: who can move money, who can change wiring instructions, who has check-writing authority, who is trustee/co-trustee, and what third parties (custodians, administrators) do.
- Conclude “custody: yes/no” and cite the trigger facts (example: co-trustee authority over trust assets). (IA-6688)
Practical tip: Treat this as a living register. Custody can appear mid-year when you accept a trustee role, add bill-pay, or change account authorities.
Step 2: Choose the compliance path (decision matrix)
| Scenario | Default path | What breaks most often |
|---|---|---|
| Adviser has custody of SMAs/trust assets | Annual surprise exam | Misclassifying trustee/co-trustee arrangements as “not custody” (IA-6688) |
| Adviser to private funds with custody | Surprise exam OR audit alternative (if eligible) | Assuming audits “count” without meeting timing/distribution conditions (IA-6491) |
If you choose the audit alternative, treat it like a separate control set with owners, deadlines, and evidence, because the SEC has charged firms that failed both the audit alternative and the surprise exam requirement. (IA-6491)
Step 3: Engage the independent public accountant early
- Identify a PCAOB-registered or otherwise qualified independent public accountant experienced with custody rule surprise examinations (qualifications are a diligence item).
- Execute an engagement letter that explicitly states the annual surprise examination scope and calendar-year requirement. (17 CFR 275.206(4)-2(a)(4))
- Build a standing annual process so you do not “miss the year” due to availability constraints; SEC sweeps have repeatedly charged firms for custody rule failures tied to process breakdowns. (2022-156; 2023-168)
Step 4: Prepare the “surprise exam ready” package (without tipping timing)
You cannot operationally control the “surprise” timing, but you can control readiness:
- Current custody register and list of accounts/funds in scope.
- Qualified custodian contact list and authorization letters for confirmations.
- Reconciliation procedures between internal books/records and custodian statements.
- Points of contact in finance/operations who can respond quickly.
Step 5: Ensure verification covers all client assets in scope
The rule language calls for verifying all funds and securities by exam or confirmation, so design your internal prep to support a complete population. (17 CFR 275.206(4)-2(a)(4))
Common hangup: firms prepare a sample-based internal package and assume sampling is fine. The verification obligation in the excerpt is framed as “all funds and securities,” so you should expect exam staff to challenge any appearance that only part of custody assets were covered. (17 CFR 275.206(4)-2(a)(4))
Step 6: Align disclosures and governance
- Confirm Form ADV custody disclosures (commonly Item 9) are consistent with your custody determination and whether you use surprise exam vs. audit alternative. Examiners focus on accuracy of custody reporting. (2024-exam-priorities)
- Update policies and procedures to name the owner, the calendar-year tracking method, escalation steps if the exam is at risk of slipping, and evidence retention expectations. (17 CFR 275.206(4)-2(a)(4))
Step 7: Retain evidence (build an exam binder)
Create a single “Custody Rule – Surprise Exam” folder that includes the artifacts below.
Required evidence and artifacts to retain
Keep these in a form you can hand to SEC exam staff quickly:
- Custody determination memo/register (by client type/account/fund) and approvals (CCO sign-off recommended).
- Engagement letter(s) with the independent public accountant for the surprise exam. (17 CFR 275.206(4)-2(a)(4))
- Surprise examination reports and related accountant deliverables for the period(s) requested.
- Documentation supporting the verification population (account lists, custodian confirmations, reconciliation support). (17 CFR 275.206(4)-2(a)(4))
- Calendar-year tracking evidence: compliance calendar entries, task tickets, and completion confirmations.
- If using audit alternative for any pooled vehicles: audited financial statements and proof of distribution consistent with your chosen approach; enforcement shows the SEC will charge advisers that fail to satisfy the alternative. (IA-6491)
Common exam/audit questions and hangups
Expect these questions in a custody-focused exam:
- “Explain why you believe you do or do not have custody.” Bring your custody register and the trustee/co-trustee analysis if applicable. (IA-6688)
- “Provide surprise exam reports for the last several years and the engagement letters.” (17 CFR 275.206(4)-2(a)(4))
- “Show that the exam occurred within each calendar year.” Your tracking artifacts matter here. (17 CFR 275.206(4)-2(a)(4))
- “Did the accountant verify all client assets? Provide the population.” (17 CFR 275.206(4)-2(a)(4))
- “If you claim the audit alternative, show the audited financials and proof of timely distribution.” This is a known failure point. (IA-6491)
- “Do your Form ADV custody disclosures match what you did operationally?” (2024-exam-priorities)
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating custody as a one-time legal conclusion.
  Fix: Put custody review into onboarding, annual reviews, and any change to authority, especially trustee roles. Enforcement shows trustee/co-trustee roles can create custody. (IA-6688)
- Mistake: No “calendar-year” control owner.
  Fix: Assign a single accountable owner (CCO or ops leader) and a compliance calendar item with escalation if the accountant is not engaged early enough to complete in-year. SEC sweeps reflect repeated failures of basic execution. (2022-156; 2023-168)
- Mistake: Assuming the private fund audit covers you without verifying conditions.
  Fix: If you choose the audit alternative, maintain an audit-and-distribution checklist and do post-mortems after each cycle. The SEC has charged advisers that failed both the audit alternative and surprise exam requirements. (IA-6491)
- Mistake: Mismatched disclosures (ADV says one thing; reality is another).
  Fix: Tie your custody register to your annual ADV update workflow, with a required reconciliation step. SEC exam priorities explicitly include accurate reporting tied to custody. (2024-exam-priorities)
Public enforcement cases
Use these cases as “what the SEC will actually charge” examples:
- In the Matter of Farnham Fisher Collins d/b/a Collins Capital Management (IA-6688): The SEC charged custody rule violations involving failure to obtain annual surprise examinations where the firm served as co-trustee and investment adviser for trusts. (IA-6688)
- In the Matter of Eagan Capital Management, LLC (IA-6491): The SEC charged custody rule failures involving private funds and described failures tied to surprise examinations and the audit alternative approach. (IA-6491)
- SEC sweep announcements: The SEC announced multiple actions for custody rule violations in September 2022 and September 2023, reflecting recurring enforcement attention to basic custody compliance execution. (2022-156; 2023-168)
Enforcement context and risk implications
This requirement is “medium severity” in many compliance risk models because it is procedural, but the enforcement record shows the SEC will charge it, especially for multi-year gaps. Two recent SEC administrative orders cited penalties of a material amount and a material amount for custody rule-related failures that included surprise exam issues. (IA-6491; IA-6688) The operational implication is straightforward: if you miss the annual exam, remediation is not just scheduling the next one; you may need counsel-led analysis, disclosure fixes, and broader custody program repairs.
Practical 30/60/90-day execution plan
First 30 days (stabilize and choose the path)
- Complete a custody determination register across all client types, including trustee/co-trustee relationships. (IA-6688)
- Decide, per private fund/vehicle, whether you will run surprise examinations or rely on the audit alternative; document the decision and owner. (IA-6491)
- Draft or update written procedures that define: annual cadence, ownership, escalation, and required evidence. (17 CFR 275.206(4)-2(a)(4))
Days 31–60 (contract and design evidence flow)
- Engage an independent public accountant and execute an engagement letter for the surprise exam where required. (17 CFR 275.206(4)-2(a)(4))
- Build the “surprise exam ready” package: account populations, custodian contacts, reconciliation support. (17 CFR 275.206(4)-2(a)(4))
- Reconcile Form ADV custody disclosures to your custody register and chosen path; queue amendments if needed. (2024-exam-priorities)
Days 61–90 (test readiness and lock ongoing controls)
- Run a tabletop exercise: respond to a mock SEC request for surprise exam reports, engagement letters, and evidence of verification scope.
- Validate that your evidence shows coverage of all custody assets in scope (population completeness). (17 CFR 275.206(4)-2(a)(4))
- Operationalize tracking: assign tasks in your GRC system and set recurring reviews tied to calendar year.
Where Daydream fits: Many teams fail on tracking and evidence retrieval, not policy drafting. Daydream can run the custody register as a controlled inventory, attach accountant deliverables, and keep calendar-year tasks and escalations from getting lost between compliance, finance, and operations.
Frequently Asked Questions
Do we need a surprise examination if all client assets are held at a qualified custodian?
Possibly, yes. The trigger is whether you have custody, not whether a qualified custodian exists; the rule excerpt requires a surprise exam at least once per calendar year for advisers with custody. (17 CFR 275.206(4)-2(a)(4))
We act as co-trustee for a client trust but only provide investment advice. Does that create custody?
Co-trustee authority can create custody exposure depending on the powers you hold. The SEC charged a firm for failing to obtain surprise examinations in a co-trustee context. (IA-6688)
Can a private fund adviser avoid the surprise exam by relying on audited financial statements?
In some cases, pooled vehicles may use an audit alternative, but you must meet that alternative’s conditions in full. The SEC has charged advisers that failed both the surprise exam requirement and the audit alternative approach. (IA-6491)
What is the single artifact examiners ask for first?
The surprise examination report(s) and the engagement letter with the independent public accountant are common first requests. You should be able to produce them immediately for the relevant years. (17 CFR 275.206(4)-2(a)(4))
How do SEC exams test “surprise exam” compliance beyond the report itself?
They often test population completeness (did you cover all custody assets) and whether disclosures match actual practice. SEC exam priorities explicitly call out custody compliance and accurate reporting for private fund audits and distribution. (17 CFR 275.206(4)-2(a)(4); 2024-exam-priorities)
What if we missed prior years’ surprise examinations?
Treat it as a compliance incident: involve counsel, document root cause, fix disclosures where needed, and implement controls that prevent another calendar-year miss. Enforcement actions include multi-year failures. (IA-6688; IA-6491)