A detailed guide for CFA Level III candidates on assessing how firms align internal governance and compliance with the CFA Institute Code and Standards.
Picture this scenario: You’re visiting a firm for the very first time, maybe for a job interview or as an independent auditor. Folks are buzzing around, everyone’s busy, and there are corporate-sounding posters—things like “Integrity” and “Client First”—plastered on the walls. But how do you figure out if those posters mean anything? How do you really know whether the firm’s talk of ethics and client care translates into real, day-to-day practices?
That, in a nutshell, is what this section is about. As professionals aiming to uphold the CFA Institute Code of Ethics and Standards of Professional Conduct, we’re not just looking at our own behavior. We must also understand how a firm’s infrastructure—its practices, policies, and overall conduct—supports (or undercuts) those standards. Because even the most dedicated employees can be thwarted if the organization’s ethos is misaligned with ethical principles.
This segment of the curriculum focuses on how to evaluate firm-level policies, check for consistency with the Code and Standards, and identify potential breaches before they become costly. We’ll talk about compliance, internal governance, the importance of transparency, and more. By the time you’re done, you’ll have a framework for assessing whether a firm’s actions match its rhetoric, and you’ll be better prepared for both real-life ethical dilemmas and exam scenarios that test your understanding of organizational ethics.
Internal governance is the backbone of a firm’s ethical ecosystem. When I first started in this field—long before I’d even heard of the CFA Program—I was stunned at how different two firms could be simply based on their internal structures. One firm I visited had an ethics officer who was effectively a glorified bystander; nobody took them seriously if they raised concerns. Another firm, about the same size, had a robust governance framework that gave real teeth to the compliance team, and they integrated ethical considerations into every major decision. Guess which one recorded fewer compliance breaches?
Internal governance typically includes the following elements:
• A clear delineation of authority (an organizational chart that shows who reports to whom).
• A set of documented policies (like codes of conduct, compliance manuals, or standard operating procedures).
• Oversight mechanisms (this can be a compliance committee, a board of directors’ audit committee, or an external review process).
The key question is whether these structures are arranged in a way that encourages ethical decisions. If your compliance officer theoretically reports to the CEO but in practice constantly gets shut down by mid-level managers, that’s a warning sign. Governance should not be a formality—it’s the basis for ensuring that the firm’s everyday practices align with the lofty standards on those wall posters.
Now, compliance isn’t typically the “glamour” wing of a firm, at least not from the outside. But when done right, it’s a major pillar of integrity and trust. You might think of compliance as the firm’s immune system—it detects and fights off harmful practices that can cause damage to the organization in the long run.
An effective compliance department should:
• Have the independence to investigate issues without fear of retaliation.
• Be well-staffed with individuals who understand relevant regulations and the CFA Institute Code and Standards.
• Be empowered to recommend and enforce disciplinary actions.
• Stay up to date with changes in laws and industry best practices, constantly revising firm procedures to reduce risk exposures.
Assessing how compliance interacts with other departments, such as Research or Portfolio Management, can be illuminating. Do portfolio managers get pushback when they test the limits of the personal trading policy? When new employees come on board, are they trained thoroughly on how to handle client data? If compliance only shows up once a year to do a cursory check, that’s a big red flag.
In many organizations, compliance is also supported by an internal audit function (if the firm is large enough). The internal audit team typically fosters objectivity by reporting directly to the board of directors or its audit committee. A well-run internal audit function ensures that compliance practices are not just “on paper” but truly embedded across the firm.
The CFA Institute Code of Ethics and Standards of Professional Conduct (the “Code and Standards”) serve as the gold standard of ethical conduct in our industry. When we speak of “consistency,” we’re talking about alignment between what the firm’s policies require and what the Code and Standards expect. This goes beyond bare-bones regulatory compliance—it’s about embodying the highest professional and ethical ideals.
Some of the key areas that deserve extra scrutiny include:
• Personal trading policies. Do they guard against front-running and insider trading? Do they require preclearance for employee trades?
• Client confidentiality. Are there adequate safeguards for client data? Are whistleblower procedures in place so that staff can report mishandling of that data?
• Fair dealing. Does the firm allocate investment opportunities fairly? Are allocations done on a pro-rata basis or some method that ensures no one client is systematically favored over another?
• Conflict-of-interest management. Look for robust disclosures, especially if the firm handles proprietary accounts or large principal deals.
You might want to cross-reference these policies directly with specific Standards from the CFA Program—for instance, Standard III (Duties to Clients) or Standard VI (Conflicts of Interest)—to see if there are any glaring mismatches. If it feels like the firm is paying lip service to fairness but is, in practice, funneling all the best deals to a favored client, you’ve got an alignment problem.
Evaluating a firm’s conduct can feel overwhelming. Where do you even start? A structured approach helps:
• Gather Documentation: Collect employee handbooks, policies, compliance manuals, and so forth. You also want to see things like HR training modules, conflict-of-interest disclosures, personal trading attestations, and whistleblower safeguards.
• Conduct Interviews: Talk to people at multiple levels within the organization—front-line employees, mid-level managers, compliance staff, and possibly even board members if you have the access. Look for consistency in how they view and apply ethical policies.
• Observe Operations: If possible, spend some time on the trading floor, in client meetings, or in cross-departmental project reviews. Do you see actual signs of ethical conduct, or do staffers seem to bend rules under pressure?
• Compare Behavior to Stated Principles: It’s easy to say you value transparency or fairness, but do you see that in real-life decisions about commissions, fees, or client communications?
Be especially mindful of red flags. A single policy that’s inconsistent with the Code and Standards might be a one-off error or oversight. But if you find multiple mismatches between stated values and actual behavior, that’s usually a sign of deeper systemic issues.
Ever run into a friend who is a bit cagey about their personal life? They share some details but skirt around what’s really going on. Firms can behave the same way. Transparency in corporate practices reflects how openly a firm deals with stakeholders—employees, clients, regulators, the public.
Questions to ask:
• Are disciplinary actions reported internally and promptly to relevant regulatory bodies, if required?
• Does the firm provide timely disclosures about conflicts of interest, fees, and business relationships?
• When a breach inevitably happens (no one is perfect), is it addressed head-on, or swept under the rug?
In many cases, a firm that fosters transparency has open-door policies, encourages employees to speak up about concerns, and responds consistently. This fosters a culture of ethical behavior, as opposed to a culture of hiding mistakes.
You might be thinking, “Okay, so compliance is supposed to watch over us. But who watches over compliance?” Great question. Independent oversight often involves:
• External Audits: Independent antifraud or compliance audits can highlight systemic weaknesses.
• Regulatory Reviews: Regulators conduct periodic examinations, though the scope can vary widely by jurisdiction.
• Third-Party Consultants: For specialized areas like cybersecurity or complex quantitative trading, the firm may hire external experts to evaluate the system.
The idea is that the more a firm welcomes external reviews—without foot-dragging or hostility—the more likely it’s serious about maintaining high standards. When a firm provides thorough documentation, addresses problems immediately, and shares findings with relevant stakeholders, that’s a signal that leadership truly cares about ethical alignment.
One of the old adages in compliance is: “If it’s not documented, it didn’t happen.” Proper recordkeeping is essential because it provides the paper trail that regulators and external investigators use to verify a firm’s claims.
Well-maintained records:
• Show that employees are consistently following ethical guidelines.
• Provide historical data to pinpoint patterns of noncompliance (e.g., repeated issues with a particular product line or trading desk).
• Demonstrate that the firm is serious about internal controls and accountability.
For example, if firm policy (in keeping with the Code and Standards) requires annual compliance training, there should be sign-in sheets or digital logs showing who attended and when. If employees are required to report outside business activities, there should be completed forms or electronic disclosures on file. The discipline of maintaining these records, plus robust version control on the policies themselves, speaks volumes about a firm’s sincerity regarding compliance.
We can throw this all into a simplified diagram. Take a look:
flowchart TB
    A["Firm-Level Ethical Policies <br/> and Governance"] --> B["Compliance Department"]
    A --> C["Business Units <br/>(Trading, Research, etc.)"]
    B --> D["Monitoring & Enforcement <br/>(Internal Audit, Controls)"]
    C --> D
    D --> E["Evaluation & Reporting <br/>(Stakeholders, Regulators)"]
    E -->|Feedback to strengthen policies| A
• The firm’s ethical policies and overall governance structure feed into both the compliance department and the various business units.
• Compliance, in conjunction with internal audit or similar functions, monitors whether those business units are following the code.
• Findings are then reported to the relevant stakeholders and, where required, to regulators, and that feedback loop returns to the firm’s top-level governance, allowing leadership to refine policies further.
Let’s consider a scenario: A medium-sized asset management company, call it “Bonfire Capital,” had comprehensive compliance policies in their handbook—at least on paper. However, once you step onto the trading floor, you notice that portfolio managers regularly chat on personal phones and rarely log these conversations. The official policy states all trade-related communications with third parties should be recorded. But in practice? Not happening.
An internal audit (the firm’s first in two years) revealed that staffers frequently placed trades in their personal accounts ahead of client trades, a direct violation of Standard VI(B) (Priority of Transactions), which requires that client transactions take precedence over those of the firm and its employees. Although the compliance manual forbade this, there was no real enforcement, no routine pretrade approvals, and essentially no monitoring of employee trading. Despite the firm’s grand statements about protecting clients’ best interests, the day-to-day reality was that people could do whatever they liked.
In this case, the governance structure was a façade. The compliance department lacked authority, and management turned a blind eye as long as profits kept rolling in. A whistleblower complaint eventually prompted the regulatory authorities to intervene. The firm faced fines and reputational damage, and clients withdrew assets in droves.
So, how do you keep that from happening in your firm (or the firm you might evaluate)? Let’s summarize some helpful practices:
• Involve Leadership. Ethical conduct needs a top-down commitment. Senior managers and even the board must publicly endorse and fund compliance initiatives.
• Provide Adequate Resources. A compliance department can’t thrive on good intentions alone. Sufficient technology, staff, and training budgets are critical.
• Schedule Regular Training. One annual session isn’t enough. Offer bite-sized “refreshers,” especially when new regulations come out or if there’s a new product launch that changes the firm’s risk profile.
• Encourage Reporting. Foster a speak-up culture where employees can raise concerns. Whistleblower protections help employees feel safe reporting potential violations.
• Conduct Surprise Audits. Sometimes, unannounced spot checks are crucial. People behave differently when they think no one is watching.
• Document Everything. Keep thorough records of all compliance and ethics-related activities. This includes evidence of training, sign-offs on personal trading policies, and logs of compliance inquiries.
When these elements come together, a firm is well-positioned to align with the Code and Standards in a tangible, meaningful way.
Evaluating a firm’s practices, policies, and conduct might sound daunting, but it’s crucial for ensuring that the organization’s approach aligns with the Code and Standards. From personal experience, I’ve seen how firms that truly bake ethical responsibilities into their corporate DNA fare better in the long run—fewer regulatory issues, stronger client trust, and employees who are proud to be there.
The real test? Matching words to actions. Even the best-known ethics statement won’t matter unless day-to-day practices reflect ethical principles. By focusing on governance, empowering compliance, ensuring transparency, and inviting independent oversight, you’ll be on the right track to upholding the integrity that’s expected by the CFA Institute.
And if you’re sitting the exam soon, keep these concepts in mind. Often, CFA Level III will present scenario-based questions that require you to spot discrepancies between a firm’s official stance and actual behavior. Show the examiners that you get the difference between fluff and substance, that you can pinpoint where a firm is ignoring or undermining the Code and Standards, and that you know how to propose improvements. That combination of ethical insight and real-world practicality is exactly what the CFA Program aims to develop.
• Understand the Code and Standards thoroughly so you can quickly identify real-world violations.
• In constructed-response questions, be direct: refer back to specific Standards (e.g., Standard I(C) – Misrepresentation) if you suspect misstatements in corporate policies or communications.
• Offer solutions that are realistic and consistent with good governance—like recommending more robust compliance tools or external audits.
• Time management is key. Some essay questions may ask you to evaluate multiple aspects of a firm’s policies—outline your response clearly and proceed with structured paragraphs.
• If the question presents a “gray area,” leverage the principles of the Code and Standards. Indicate that further clarification or additional oversight might be needed.
• CFA Institute, “Standards of Practice Handbook.”
• Treviño, Linda K. and Katherine A. Nelson, “Managing Business Ethics: Straight Talk about How to Do It Right.”
• The IIA (Institute of Internal Auditors): www.theiia.org
Important Notice: FinancialAnalystGuide.com provides supplemental CFA study materials, including mock exams, sample exam questions, and other practice resources to aid your exam preparation. These resources are not affiliated with or endorsed by the CFA Institute. CFA® and Chartered Financial Analyst® are registered trademarks owned exclusively by CFA Institute. Our content is independent, and we do not guarantee exam success. CFA Institute does not endorse, promote, or warrant the accuracy or quality of our products.