Financial Advisor Essentials: Planning, Analysis, Compliance, and Management

Documenting IPS Supervision Under 206(4)-7: A Framework CCOs Can Defend in an Exam

Written by Akhil Lodha | 4/22/26 10:00 AM

Most CCOs at mid-sized RIAs can describe their IPS supervision process in a hallway conversation: the firm reviews accounts against the investment policy statement, flags drift, documents exceptions, and escalates the ones that matter. The problem shows up when an examiner asks to see it.

"We do IPS reviews" and "we can prove we did them, on this date, with this reviewer, against these thresholds, and here's what happened next" are two different firms. One has a policy. The other has investment policy statement compliance that survives contact with an SEC exam.

This post is the framework for the second firm. It covers what your WSPs must say under Rule 206(4)-7, how to define tolerance bands and reconciliation cadence, what the audit trail has to look like, how escalation and remediation should flow, and what to evaluate in IPS supervision tooling — because most of this collapses without the right system of record.

What Your WSP Must Say About IPS Supervision

Rule 206(4)-7 requires every SEC-registered adviser to adopt written policies and procedures "reasonably designed to prevent violation" of the Advisers Act. "Reasonably designed" is doing most of the work in that sentence, and it's where exam deficiencies originate. Examiners aren't checking whether your WSP mentions IPS supervision. They're checking whether the language is specific enough that a new hire could execute the process without asking you what it means.

For IPS supervision specifically, your Written Supervisory Procedures need to name, at minimum, five things:

  1. Scope — which account types are subject to IPS review (discretionary, non-discretionary, rep-as-PM, model-based), and which are carved out with rationale.
  2. Frequency — how often IPS adherence is reviewed (quarterly is the defensible floor for most firms; monthly if you run tighter bands or have trading authority).
  3. Thresholds — the tolerance bands that trigger an exception, specified by asset class or risk bucket.
  4. Reviewer designation — who performs the review, who escalates, and who signs off. Named roles, not named people.
  5. Documentation standard — what is captured for every review cycle, whether or not an exception is found.

The last is where most WSPs are weakest. "The CCO reviews accounts quarterly" is a sentence, not a procedure. "The CCO reviews a 100% sample of discretionary accounts quarterly against the tolerance bands in Appendix A, logs each review in the compliance system of record, and retains the output for five years per Rule 204-2" is a procedure.

Your WSP should also cross-reference the IPS itself. If your IPS defines the thresholds, your WSP should point to it rather than duplicating numbers that will drift. If you rely on FINRA Rule 3110 for any dually-registered supervisory logic, name it — examiners appreciate specificity. For a broader regulatory walkthrough, see our companion piece, the RIA portfolio supervision rulebook.

Defining Tolerance Bands and Reconciliation Cadence

Tolerance bands are the most contested piece of an IPS supervision framework. Too tight and you generate false-positive noise that exhausts the review team. Too wide and you can't credibly claim you're monitoring drift. The defensible approach is to tier bands by asset class risk and liquidity, and document the rationale in a memo the CCO signs.

Reconciliation cadence should match the band. Tighter bands need more frequent reconciliation; illiquid asset classes reconcile less often but require deeper review when they do. Consider the following when setting your cadence:

  • Quarterly is the floor for firms with discretion over client assets.
  • Monthly is standard for firms exercising full trading authority or running rep-as-PM models.
  • Weekly or continuous monitoring is increasingly common for firms that have moved to an intelligence-layer approach — the topic of our pillar piece on portfolio supervision and IPS intelligence for RIAs.

Here's a reference table for IPS adherence threshold examples. Numbers are illustrative — yours should reflect your firm's IPS, client base, and risk appetite.

| Asset class | Target % | Tolerance band | Alert threshold | Escalation |
|---|---|---|---|---|
| US equities | 45% | +/- 5% | +/- 4% | PM review within 10 business days |
| Fixed income | 30% | +/- 4% | +/- 3% | PM review within 10 business days |
| Alternatives | 10% | +/- 3% | +/- 2% | CCO + PM sign-off before rebalance |
| Cash | 5% | +/- 3% | > 8% held for 30+ days | PM review + client communication log |
| International equity | 10% | +/- 4% | +/- 3% | PM review within 10 business days |

Two things worth flagging:

  • The alert threshold should be tighter than the tolerance band — you want to see drift before it becomes a breach, not after.
  • Every band needs a documented rationale that ties the number to the IPS model and observed drift behavior. That turns a number into a defensible policy decision.

For adjacent monitoring logic, see our guidance on trading activity thresholds for RIA compliance.

The SEC Exam IPS Audit Trail — What Examiners Read Between the Lines

The mistake most firms make is treating the audit trail as "the list of exceptions we found." Examiners read it the other way: the audit trail is the record of the process itself, and exceptions are a subset. If you can only produce exceptions, you've proven you caught the drift you noticed — not that you looked at everything.

A defensible SEC exam IPS audit trail documents both process and results. The SEC Division of Examinations tends to ask for evidence of the following:

  1. The universe reviewed — which accounts were in scope for this cycle, and which were excluded with documented rationale.
  2. The criteria applied — the tolerance bands and rules that were run against the universe, with a timestamp tying them to the version of the IPS in force on that date.
  3. The reviewer — the named person (or system + human overseer) who executed the review, with a signature or system attestation.
  4. The findings — both exceptions and clean results. An audit trail that only shows exceptions looks like sampling, not supervision.
  5. The disposition — for each exception, what happened next: rebalanced, waived with rationale, escalated, or flagged for client communication.
  6. The retention — the documents, logs, and attestations held for the full Rule 204-2 window, in a location you can produce within the standard exam request turnaround.

The phrase to internalize is "supervisory process, evidenced." Examiners will accept that some drift is appropriate and not every exception requires action. What they won't accept is a story they can't reconstruct from your records. If the only evidence of a quarterly review is an email from the CCO saying "reviewed, all good," the review effectively didn't happen.

For a broader look at how the Rule 206(4)-7 annual review requirements for RIAs connect to this supervisory cycle, see the companion post, which maps the annual review back to the day-to-day evidence described here.

Escalation and Remediation Workflows

Every exception has to land somewhere. Escalation is where a lot of otherwise-solid IPS programs lose points in exams — the bands are clear, the audit trail is clean, but the workflow for "what happens after we find an exception" is vague. Examiners will trace a sample of exceptions from detection through resolution, and any break in the chain becomes a finding.

The escalation path should be defined in your portfolio supervision policies and procedures, keyed to exception type, with a named first reviewer and final decision maker. Here's a reference structure:

| Exception type | First reviewer | Escalation trigger | Final decision maker |
|---|---|---|---|
| Allocation drift (within band) | Advisor of record | Held > 45 days without action | PM |
| Tolerance band breach | PM | Not remediated in 10 business days | CCO |
| Concentration / suitability flag | CCO | Any position > IPS limit | CCO + CIO |
| Pattern / repeated exception | CCO | 3+ in a rolling quarter | CCO + Managing Principal |

Remediation documentation should mirror escalation. For every resolved exception, capture:

  • Who made the call and what authority they acted under.
  • What the disposition was — rebalanced, waived with rationale, or escalated further.
  • What action followed and when the account returned to compliance.
  • Whether the client was notified, and if so, how and when.

This is especially critical under a rep-as-PM compliance framework, where the advisor both sets strategy and trades against it. The compressed oversight structure means any gap in the escalation chain is more visible — and more consequential — under exam scrutiny. WSPs should name a supervisor independent of the advisor, define a cadence tighter than the firm default, and require documented sign-off at every escalation step.

How Often Should an Investment Policy Statement Be Reviewed

This question surfaces repeatedly in exam preparation, and the answer has two layers that CCOs should distinguish clearly in their supervisory procedures:

  1. Client IPS review — the IPS itself should be reviewed at least annually per client, with ad-hoc reviews triggered by material changes in the client's circumstances, objectives, or risk tolerance. This is a client-facing obligation.
  2. Supervisory review against the IPS — this is the firm-level compliance cadence. Quarterly is the defensible floor for firms with discretion. Monthly is standard for firms exercising full trading authority. Weekly or continuous monitoring is increasingly feasible for firms using an intelligence layer that reduces false-positive noise.
  3. Annual policy review — the 206(4)-7 annual review where the CCO evaluates whether the supervisory policy itself remains reasonably designed. This is the meta-review: not "did we follow the rules," but "are the rules still the right ones."

Each layer serves a different purpose, and each generates its own documentation. Conflating them — or documenting only one — is a common gap that examiners identify quickly. For operational detail on scaling this cadence across a growing firm, our piece on scaling 206(4)-7 compliance across 50 advisors addresses the staffing and workflow considerations directly.

What to Look for in IPS Supervision Tooling

Most firms in the 30–200 advisor range have outgrown spreadsheets and haven't hit the scale where a custom build makes sense. The middle is where tooling matters most — and where the wrong tool creates more exam risk than no tool at all, because it produces gaps in the audit trail that nobody notices until the exam letter arrives.

Six criteria separate the defensible from the decorative:

  1. Full-universe review, not sampling. The system should evaluate every in-scope account against every IPS rule, every cycle. Sampling is not a supervisory process; it's a time-saver that becomes a finding.
  2. Version-aware rule logic. Tolerance bands change. The system must timestamp which IPS version was in force when each review ran, so an exam five quarters from now can reconstruct the logic you used today.
  3. Reviewer attestation with timestamps. A named reviewer — human or a human overseeing system output — signs off each cycle, and that signature is part of the permanent record.
  4. Documentation of clean reviews, not just exceptions. If the tool only logs exceptions, you cannot prove you reviewed everything. This is the single most common gap.
  5. Exportable audit packages. When an exam request arrives, you need the full record for a named account, for a named date range, in a format the examiner can open. If the export takes a week, the tool is a liability.
  6. Integration with the actual data. Positions, trades, and IPS rules have to live in the same system — or at least reconcile automatically. Manual data-stitching between the custodian, the CRM, and a compliance spreadsheet is where drift becomes invisible.

How StratiFi Supports Investment Policy Statement Compliance

StratiFi's ComplianceIQ is built around those six criteria as an intelligence layer — sitting on top of your existing custodian and CRM data to surface IPS drift, document the review cycle, and produce the audit package on demand. It is not a rebalancer and not a checklist tool; it's a system of record CCOs use when they need investment policy statement compliance that holds up in an exam.

Key capabilities that map to the framework above:

  • Full-universe surveillance — every in-scope account is evaluated against its IPS rules each cycle, with clean results documented alongside exceptions.
  • Timestamped rule versioning — tolerance bands and IPS parameters are versioned, so any historical review can be reconstructed against the rules that were in force at the time.
  • Reviewer attestation and escalation tracking — sign-off, disposition, and remediation are captured in a single audit thread per exception.
  • On-demand exam packages — exportable records by account, date range, or advisor, ready for the standard exam request turnaround.

StratiFi's AdvisorIQ complements this by giving advisors direct visibility into their own portfolios' risk posture — so drift is surfaced to the person who can act on it first, before it becomes a compliance exception. The intelligence compounds: advisors make better-informed decisions, and the CCO's supervisory record reflects a firm where oversight and advice reinforce each other.

For firms navigating share-class-level oversight alongside IPS supervision, our mutual fund share classes guide for RIAs covers an adjacent pattern. And for the broader case for moving from a reactive to a proactive compliance posture, see our piece on proactive compliance as the new standard for RIAs.

Frequently Asked Questions

How does a CCO document Rule 206(4)-7 IPS supervision?

Document three layers. First, the policy itself — a WSP section naming scope, frequency, thresholds, reviewers, and retention. Second, evidence of each review cycle — universe reviewed, rules applied, reviewer, findings including clean results, and disposition of exceptions. Third, the annual 206(4)-7 review where the CCO evaluates whether the policy is still reasonably designed. All three should be retained per Rule 204-2.

How often should an investment policy statement be reviewed?

The IPS should be reviewed at least annually per client, with ad-hoc reviews triggered by material changes in the client's circumstances or objectives. Supervision against the IPS is a separate cadence — quarterly is the defensible floor for firms with discretion, with many firms moving to monthly or continuous monitoring as tooling has reduced the cost of doing so without false-positive noise.

What does "reasonably designed" mean in Rule 206(4)-7?

Reasonably designed means the policies address the actual compliance risks of your specific business, are specific enough to be executable by the people named in them, and are backed by evidence of being followed. The SEC does not prescribe particular controls — it requires that whatever you do is defensible given the size, complexity, and risk profile of your firm.

What audit trail does the SEC expect for portfolio supervision?

A complete record of the supervisory process, not just a log of exceptions: universe reviewed, criteria applied, reviewer, findings (both clean and exception), disposition of each exception, and retention for the full Rule 204-2 window. The audit trail should let an outside reviewer reconstruct what happened without narration from the CCO.

How should a rep-as-PM supervisory process be documented?

Rep-as-PM needs heightened supervision because the advisor sets strategy and trades against it, compressing the checks a centralized PM model provides. WSPs should name a supervisor independent of the advisor, define a cadence tighter than the firm default, specify what the supervisor evaluates (drift, concentration, trading patterns, IPS adherence), and require documented sign-off. Exam deficiencies most often trace to vague or unexecuted supervisor designation.

What should Form ADV Part 2A say about IPS supervision?

Part 2A should describe how the firm supervises portfolios against client objectives and constraints at a level of detail consistent with your WSP. Disclose who reviews accounts, how often, and what happens when accounts drift. Avoid language that promises tighter supervision than your procedures actually deliver — inconsistency between the brochure and the WSP is a common exam finding. Refer to the Form ADV Part 2A instructions for current disclosure requirements.

Ready to move your IPS supervision program from "we do reviews" to "we can prove it"? The difference is a system of record that documents the full supervisory cycle — not just the exceptions, but the process, the reviewer, and the disposition — and produces it on demand when the exam letter arrives.