What an SEC enforcement action teaches real estate finance leaders about audit risk — and the one capability that prevents it.
A large, well-regarded private real estate investment firm had transacted with affiliated service providers for years — loan servicing, property accounting, administrative support. Routine related-party arrangements, expressly permitted by the partnership agreements, and disclosed in the funds’ audited financial statements.
Then an SEC review led to an enforcement action — not because the transactions were improper, but because the firm couldn’t show, in enough detail and on time, that they had been disclosed and approved the way its own agreements required. The substance was fine. The record wasn’t. The uncomfortable takeaway for any CFO: you can be right on every transaction and still be exposed, because what gets tested under scrutiny is the record — not whether the transaction was allowed.
Strip the case down and it reduces to one question the firm couldn’t answer in detail: what was allocated to which deal, from which related party, for which period? Captured discretely when the cost entered the books, the answer takes minutes. Commingled into a lump-sum journal entry, it may not exist at all — and you cannot un-blend it after the fact.
That capability has nothing to do with being SEC-registered. Whether the pressure comes from an auditor, a lender, or a limited partner, the test is the same: can you attribute costs to the right deal, entity, party, and period, discretely, at the transaction level? And that capability is built — or lost — upstream, in two layers of everyday process:
The thread under both layers is the same: discrete, granular detail, captured at the point of entry and actually reviewed. At a few transactions a month, diligence is enough. At thousands of invoices across dozens of entities, it becomes a technology-and-process problem — and the highest-volume entry point of all is accounts payable.
Each of these is a point where detail is either captured discretely or quietly commingled — and once it is lost, the financial statements inherit a gap no later control can fully close.
AP is the largest stream of data flowing into the ledger and the first chance to get each cost right: the right account, entity, property, and period. It is also the most granular, highest-volume step, which is exactly where commingling creeps in:
Repeated across hundreds of invoices and dozens of properties, these stop being clerical slips and become systematic misstatement — patterned, quantifiable, and hard to unwind once commingled into summary balances.
A timely reconciliation is the earliest detective control, but only when it is done at the item level. A reconciliation that nets to zero can still hide offsetting errors:
A reconciliation that is not current is a control that is not operating. Small issues then compound across periods until they are material and expensive to unwind.
Legitimate and common in real estate; the risk is traceability. These demand the most granular record of any process — and they are the trap behind the opening case. Each cost has to be tracked discretely:
Roll several deals’ affiliate costs into one allocation entry and the link between cost, deal, and party is gone. Months later, no one can reconstruct it — which is exactly what the SEC found. An untraceable allocation is a disclosure deficiency, the kind auditors and regulators escalate.
Both of these depend on the same discrete detail — you cannot review or detect what was never captured distinctly — and both fail in deceptive ways, looking strongest right when they are working least.
More reviewers feel like more control. Usually they are less: when twenty people touch a transaction, each assumes someone else did the real review, and twenty sign-offs net out to zero. Signs the workflow has become theater, not control:
The stronger model is exception management: let routine, in-pattern items flow, and surface only the few that warrant senior judgment — a new vendor, an over-threshold amount, an off-pattern code. But you can only route by exception if the data is granular enough to flag the exceptions in the first place.
The net beneath the other four: no single person should control every stage of a transaction. The gap is rarely a missing policy — it is erosion as teams change:
Independent review only catches something if the reviewer can see the detail; separation without visibility into the detail is separation in name only. SoD failures are a common contributor to material weaknesses, because when one person controls incompatible steps there is no independent chance to catch an error.
The opening case involved a regulator. For most finance teams the equivalent is the external auditor, and the worst outcome is not an SEC order but a material weakness — a combination of deficiencies that creates a reasonable possibility a misstatement will not be prevented or detected. None of the five gaps is fatal alone. But they accumulate in parallel, and the common cause is almost always the same: detail that was commingled instead of tracked discretely, with gaps in both layers at once.
Strong finance teams do not wait for an audit. They preserve discrete detail by design:
Worth asking yourself:
The hardest and highest-volume of these is AP coding: thousands of invoices a month, across entities, each needing the right account, property, and period. It is also the most automatable — which is exactly what PredictAP does. It captures and codes every invoice discretely and consistently at the point of entry, so the granular detail every downstream control depends on is there from the start, and coding no longer lives in one person’s head. Permitted is not the same as provable — and the record that protects you is built upstream, one discretely coded transaction at a time.