# Supervisory Control System

## Quick Answer
The FINRA internal supervisory controls requirement sits one layer above the supervisory system requirement: it requires the firm to test and verify that its WSPs actually work, then submit an annual report on supervisory controls to senior management. Risk-based methodologies and sampling are permitted. Firms with $200 million or more in gross revenue must include enhanced content in the report. The supervisory system requirement is the system; the internal supervisory controls requirement is proof the system functions.
If the supervisory system requirement is the supervisory rulebook, the internal supervisory controls requirement is the audit of that rulebook. The exam pairs the two rules constantly: a firm that has WSPs but never tests them violates the testing duty, even if the supervisory system is fully satisfied on paper.
## Required Testing and Verification
Each member must establish, maintain, and enforce a system of supervisory control policies and procedures that:
- Test and verify that the firm's supervisory procedures are reasonably designed to achieve compliance with applicable laws and FINRA rules
- Create additional or amended procedures when testing or verification identifies the need
The rule does not prescribe a specific testing methodology. Firms have flexibility to choose how the testing is done, subject to two principles:
- Risk-based methodologies and sampling are permitted (a firm need not test every transaction or every supervisor)
- Self-assessments, internal audits, or inspection processes may satisfy the testing requirement in whole or in part if they adequately verify the WSPs
**Think of it this way:** The internal supervisory controls requirement lets the firm pick its testing tools but holds it accountable for the result. A bank-style internal audit program satisfies the testing duty; a small firm's quarterly compliance review of a sample of trades also satisfies it. What a firm cannot do is skip testing and assert that the WSPs work because nobody has complained.
**Exam Tip: Gotchas**
- The testing duty is continuous, not a once-a-year activity. A firm that runs no testing all year and then writes one summary report at year-end has not met the rule. The testing happens through the year; the report is the documentation.
## Annual Report to Senior Management
A designated principal must submit a report to the firm's senior management not less than annually. The report must detail:
- The firm's system of supervisory controls
- Summary of test results and significant identified exceptions
- Additional or amended supervisory procedures created in response to testing
The report goes to senior management, not to the board (the board sees the CEO certification report, which is a different document).
**Exam Tip: Gotchas**
- The internal supervisory controls report goes to senior management; the CEO certification report goes to the board. The exam will sometimes test which document goes where. Senior management gets the operational testing detail; the board gets the CEO certification of process integrity.
## Enhanced Content for Larger Firms
Firms reporting $200 million or more in gross revenue on the prior calendar-year FOCUS report must include additional specified content in the internal supervisory controls report. The threshold is the trigger for the larger-firm enhanced disclosure regime; smaller firms have a streamlined report.
Examples of enhanced content for the $200 million-plus firm:
- Additional commentary on testing for senior-officer activities
- Detail on how the firm responded to material exceptions
- Disclosure of supervisory control deficiencies that were not previously reported
**Exam Tip: Gotchas**
- The $200 million threshold is gross revenue, not net revenue or net income. It comes from the prior calendar-year FOCUS report. A firm that crosses $200 million in any year picks up the enhanced content requirement for the following year's internal supervisory controls report.
## How the Three Supervisory Layers Fit Together
The three rules form a single supervisory program. The Series 24 exam treats them as a stack:
| Layer | What It Requires | Audience |
|---|---|---|
| Supervisory system | The WSPs, OSJ classification, and inspection cadence | Firm-wide |
| Internal supervisory controls | Testing and verification that the system works, plus annual report on results | Senior management |
| CEO certification | CEO annual certification that processes are in place to establish, maintain, review, test, and modify the system | Board of directors |
**Think of it this way:** The supervisory system requirement builds the supervisory machine. The internal supervisory controls requirement measures whether the machine still runs. The CEO certification requirement has the CEO sign their name to the maintenance log. Each rule depends on the layer below; no one rule satisfies any other.
**Exam Tip: Gotchas**
- A firm can satisfy the supervisory system rule and still violate the testing duty. Perfect WSPs that are never tested fail the testing duty. The exam favors fact patterns where the firm has the right written procedures but cannot show that anyone ever verified the procedures were followed.
- A firm can satisfy both the supervisory system rule and the testing duty and still violate the CEO certification requirement. Even a tested supervisory system fails if the CEO never signs the annual certification or never meets with the CCO. The certification is not just paperwork; it is the rule's enforcement hook.