cost-risk-analysis1

Accounting | July 6, 2026

Communications Audits: Is a 5% Sample Still a Reasonable Program?

For most of the past two decades, reviewing a fraction of firm communications was not a compliance shortcut. It was the only realistic option available.

Jamie Hoyle

For most of the past two decades, reviewing a fraction of firm communications was not a compliance shortcut. It was the only realistic option available.

FINRA and the SEC have always required firms to establish a reasonable supervision system. What “reasonable” looked like in practice was shaped by what was operationally possible. Examiners understood that a mid-sized broker-dealer could not read every email, message, and call record produced by its advisors. Sampling became the accepted methodology not because regulators decided it was sufficient, but because nobody could credibly argue the alternative.

The Constraint That Shaped the Standard

Supervision programs built around random sampling have never been designed to find everything. They are designed to find enough, with “enough” defined by what the technology of the time could realistically surface. A 5%-10% review rate gives examiners evidence that a firm is looking, and it gives firms a defensible methodology when questions arise. It is not, and has never been, a regulatory ceiling on what firms are expected to find.

The rules have not changed. FINRA Rule 3110 still requires firms to establish and maintain a supervisory system reasonably designed to achieve compliance. The SEC’s books and records requirements still set out what must be captured and retained. But the conditions that made sampling reasonable are shifting, and the interpretation of “reasonably designed” will shift with them.

What AI Removes From the Equation

The argument for sampling was always volume based. There is too much to review, too few reviewers to read it, and too much operational disruption in trying to close that gap. That argument held for a long time because it was accurate.

AI-powered supervision tools have changed the premise. Comprehensive review across email, mobile, and collaboration channels is now operationally viable without requiring a proportional increase in compliance headcount. Firms can review all communications, flag material issues, prioritize escalations, and do it within the same team structure that previously supported a sampling approach. The volume problem has not disappeared, but the tools available to manage it have fundamentally changed.

That change matters in the exam room. An examiner who is familiar with what current supervision technology can do will ask harder questions about a firm that is still sampling. Not because the rules require 100% review, but because the main justification for sampling is harder to make. “We can’t review everything” is a weaker position when the tools to do exactly that are now widely available.

The Risk Firms May Not Have Priced In

Enforcement trends rarely shift overnight, and there is no formal regulatory announcement that sampling programs are under scrutiny. But the conditions that produced regulatory tolerance for sampling have changed, and enforcement patterns tend to follow the operational environment over time.

The more immediate risk is an exam finding that a firm’s supervision program was not reasonably designed, in a period when comprehensive review was both available and affordable. That is a harder position to defend than it would have been five years ago. It is not hypothetical exposure. It is the kind of gap that shows up in deficiency letters when examiners can point to what firms in the same peer group were doing.

Where Examiner Expectations are Heading

Firms that are still relying on random sampling are not necessarily non-compliant today. But they are carrying risk that is worth reassessing. A supervision program built for comprehensive review, with the tooling to manage volume intelligently rather than simply increasing reviewer workload, is where the industry is heading.

The firms that move early will be in a stronger position when examiner expectations catch up with what the technology now makes possible. The ones that wait may find that the methodology they built their program around no longer reads as reasonable.

==

Jamie Hoyle is vice president of product at MirrorWeb where he leads product strategy for the company. He joined MirrorWeb as Lead Software Engineer in 2017, eventually transitioning to Product and spearheading the development of their flagshift communications supervision platform, MirrorWeb Insight.

In 2024, Jamie relocated to Austin, Texas to embed himself in the heart of the US compliance landscape and stay close to the customers shaping the future of digital communications oversight.

Sign in to get access to this free resource, and all of our whitepapers and reports.

Download this content today!

Register to get free access to this content, as well as newsletters, continuing education, podcasts, and more…

Leave a Reply