
How to Audit Your Policies and Procedures Manual

Nick Wright, BA JD MBA LLM (Tax)

Wright Business Law

An up-to-date and fully implemented Policies and Procedures Manual (PPM) is a cornerstone of regulatory compliance for registered firms under NI 31-103 ‘Registration Requirements, Exemptions and Ongoing Registrant Obligations’ (NI 31-103). Conducting a periodic audit of your PPM is not simply prudent; it is a necessary measure to demonstrate ongoing compliance, effective governance, and preparedness for regulatory review. Failure to audit the manual can lead to gaps in controls, unclear responsibilities, outdated procedures, and heightened enforcement risk. This article sets out a structured approach to auditing a PPM, including scope determination, testing of actual practices, identification of deficiencies, and implementation of remediation.

Regulatory Framework & Sources of Law

Under NI 31-103, firms registered as dealers, advisers or investment fund managers must establish and maintain a compliance system (s. 11.1) and be able to demonstrate to regulators that their policies and procedures are suitably designed, implemented, and operating effectively. The companion policy to NI 31-103 explicitly states that the PPM should reflect the registrant’s business and must include procedures that clearly identify who does what (e.g., delegation of authority, responsibility for client assets). Additionally, other regulatory regimes, such as the Anti-Money Laundering (AML) / Counter-Terrorist Financing (CTF) requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada), require documented review of policies and procedures. From a securities-law perspective, regulators expect that internal audits or reviews of policies and procedures are conducted periodically and that amendments to the PPM are logged, dated and retained. Accordingly, registrants must not only maintain a PPM but also conduct periodic reviews and retain evidence demonstrating that the policies and procedures are current and operating effectively.

Definitions & Thresholds

In this article, a Policies and Procedures Manual (PPM) means the written set of all firm policies, procedures, controls, processes and roles/responsibilities that govern the compliance, operations, risk management and regulatory obligations of a registered firm (dealer, adviser or fund manager). An audit of the PPM refers to a systematic review of the PPM’s content, applicability, operability, documentation (including logs of amendments) and the evidence that the procedures are being followed. There is no numeric threshold for how often the PPM must be reviewed or how long it must be; rather, adequacy is assessed qualitatively: whether the manual remains current with the business model and regulatory changes, and whether the firm can show that the manual is used and effective.

Application in Practice

Conducting an audit of your PPM should be carefully structured:

  1. Schedule the audit and identify the scope (e.g., annual review, or triggered by business model change).
  2. Compare the current manual against the firm’s business model and regulatory framework. Identify whether new regulatory requirements (e.g., amendments to NI 31-103, changes in exempt-market rules) have been captured, and whether the manual reflects new service lines, jurisdictions or product types.
  3. Review the amendment log to ensure each update is dated, clearly shows what changed, and is properly communicated. The manual must be dated, and each amendment should be dated, such that the reader knows how current the PPM is.
  4. Validate the operability of the PPM. Meet with relevant business heads, compliance officers, operations staff and test whether actual procedures correspond to those documented in the manual. For example, if the manual indicates that the Chief Compliance Officer (CCO) receives monthly exception reports and escalates to the board, verify those reports exist, are presented and escalated.
  5. Conduct sample testing. Select transactions/events (e.g., new client onboarding, distributions, cross-jurisdiction fundraising) and assess whether the corresponding PPM procedures were followed, documented, and retained. All testing should be documented, with supporting records retained to demonstrate that procedures are operating in practice and not merely described in the manual. Identify any gaps such as missing investor KYC files, missing training logs, outdated jurisdictional references, etc.
  6. Draft a report summarising findings, ranking risk areas, making recommendations (e.g., “update section 5 - multi-jurisdiction distributions”, “enhance training logs for redemptions”).
  7. Implement remediation. Update the manual, communicate changes, retrain staff, and track completion in the compliance committee minutes. A ready internal audit trail will demonstrate to regulators that the firm is monitoring its compliance framework.

Grey Areas & Regulator Focus

Regulators often focus on subtle but significant issues around PPM audits. One grey area is documenting what you don’t do. A firm must not only describe procedures it follows, but also document non-activities (for example, “the firm does not accept short sales” or “does not trade derivatives”). The absence of such statements may raise questions about the manual’s comprehensiveness. If a registrant does not engage in or allow a certain activity, the policy should state so.

The PPM must function as a living document and be periodically reviewed and updated. If updates are made but not communicated or supported by staff training, regulators may view the compliance system as ineffective. The audit must therefore look at communication of changes and at staff acknowledgement and training records.

Another area of scrutiny is delegation and responsibility. The manual must clearly identify roles (e.g., UDP, CCO) and escalation paths. Lack of clarity may expose the firm to regulatory censure. Regulators also look at how often procedures are reviewed or tested; a manual untouched for years suggests weak governance.

Lastly, in the exempt-market context, the PPM must address KYC/AML, suitability, multi-jurisdiction distribution, and client-asset segregation, as these are areas where regulators are especially active in review. A manual that fails to align with the business may trigger deeper scrutiny.

Interactions with Adjacent Regimes

The PPM audit process intersects with several adjacent regulatory regimes. The firm’s AML/CTF program requires written policies and verification of processes; the PPM must address those, and the audit must test those sections. The fund-raising/distribution regime (for exempt-market deals) requires verification of investors, subscription handling and investor onboarding; the procedures must reference this, and the audit must sample-test whether the manual’s steps are followed. The client-asset/custody, capital and working-capital regimes (for dealers) require documented procedures for segregation and reconciliation; the audit should test whether these are reflected in the manual. Moreover, data-privacy and cybersecurity obligations may not be set out explicitly in securities-law instruments, but regulators increasingly expect the PPM to address them, and the audit should test those sections in the same way as any other: confirm that the control is described, that an owner is named, and that evidence of its operation exists.

Illustrative Scenarios

Scenario 1: A Toronto-based exempt market dealer refreshed its business model to include cross-provincial offerings and digital investor onboarding. The firm had last updated its PPM two years earlier. The compliance team performed an audit and found that the manual did not address digital investor-verification, did not document delegation of authority for digital account opening, and lacked an amendment log for the system. The audit report recommended drafting a new section on digital onboarding, logging amendments, and conducting staff training. The firm implemented changes, documented them, and the next internal review validated completion.

Scenario 2: A fund manager relied on an older PPM that stated, “no secondary trading permitted”. Over time, the manager introduced a policy allowing transfers of units between qualified investors but failed to update the manual. A regulator review flagged that the manual did not reflect the actual practice, raising questions about the adequacy of review. The remedial action included revising the manual and training staff. The audit process and documented remediation supported the firm’s position and mitigated the risk of further regulatory action.

Scenario 3: An exempt market dealer conducted an annual internal audit of its PPM. It selected 10 random client-files and transaction flows. In two cases, the onboarding process deviated from the manual (specifically, missing investor acknowledgement of illiquidity risk). The audit reported this and the firm updated the forms, retrained staff and documented the retraining.

Compliance Checklist

  • Map current business model, jurisdictions, product types, investor categories, and regulatory obligations
  • Determine audit scope (annual review or triggered by business change)
  • Secure amendment log and gather prior audit or review reports
  • Review PPM line-by-line against regulatory change logs (for example, NI 31-103 amendments, exempt market rule changes, CSA Staff Notices)
  • Confirm each functional segment (onboarding, marketing, client asset segregation, KYC/AML, suitability, complaints, referrals, capital) is current and operationally aligned
  • Conduct interviews with key personnel to test alignment between documented procedures and actual practices
  • Extract and review sample transactions to verify adherence to procedures
  • Identify deficiencies and prepare findings report with risk ranking
  • Assign responsibility and timelines for remediation actions
  • Update the PPM and record amendments in the log
  • Train staff on updates, verify completion, and retain records of training
  • Document the full audit process, findings, remediation steps, and timelines
  • Obtain senior management or board sign-off
  • Maintain a complete audit trail to evidence a substantive governance process rather than a formalistic review

What’s Changing

Regulatory expectations continue to increase in respect of registrants’ compliance systems and their audit readiness. Under NI 31-103, firms must be able to demonstrate that policies and procedures are appropriately designed, implemented, and operating effectively. The PPM must reflect the firm’s actual business, be clearly dated, and be kept current with applicable regulatory obligations.

The expansion of digital onboarding, automated investor verification, remote distribution, and multi-jurisdiction activities introduces additional operational risk that must be reflected in both the PPM and the audit process. This includes controls over identity-verification methods, reliance on third-party service providers, electronic recordkeeping, cybersecurity, and oversight of digital marketing and cross-border offerings. For each of these, the audit should look for the same three things it looks for elsewhere in the manual: a documented procedure, a named owner, and retained evidence (for example, vendor due-diligence files, access-review records or incident logs) that the procedure is actually operating.

Regulators are increasingly focused on evidentiary support. Firms should expect to produce version-controlled amendment logs, records of internal communication and staff training, and documented testing demonstrating that procedures are followed in practice. There is also sustained scrutiny in core areas such as KYC and suitability, conflicts of interest, referral arrangements, and client asset handling, with clear accountability assigned to the CCO and escalation to senior management or the board. Regulators expect clear documentation of responsibility, including the roles of the CCO and UDP in overseeing, reviewing, and approving the PPM and its amendments. The emphasis on governance, defined responsibility, audit trail integrity, and demonstrable periodic review continues to intensify.

Conclusion & Next Steps

Auditing your PPM is a core component of a registrant’s compliance framework and supports effective governance, regulatory defensibility, and operational alignment. The next steps for your organisation are clear: schedule your PPM audit now, engage internal or external audit resources as appropriate, map your business changes and regulatory developments, perform the review and documentation steps described above, update your manual, train your staff, track remediation, and embed the audit cycle in your governance calendar. A structured PPM audit process supports compliance with regulatory expectations and reinforces the firm’s governance and operational framework.

Book a Consultation

If you are forming or operating an Exempt Market Dealer, Investment Fund Manager or Portfolio Manager in Canada, contact us to schedule an initial consultation with Nick Wright.

Disclaimer

This article is provided for general informational purposes only and does not constitute legal or professional advice. Reading this article does not create a solicitor–client relationship between you and the author or Wright Business Law. Laws and regulations may vary by jurisdiction and may change over time. Readers should seek qualified legal advice before acting on any information contained herein.