This is the accessible text file for GAO report number GAO-08-33 
entitled 'Securities and Exchange Commission: Opportunities Exist to 
Improve Oversight of Self-Regulatory Organizations' which was released 
on December 17, 2007. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Ranking Member, Committee on Finance, U.S. Senate: 

November 2007: 

Securities and Exchange Commission: 

Opportunities Exist to Improve Oversight of Self-Regulatory 
Organizations: 

GAO-08-33: 

GAO Highlights: 

Highlights of GAO-08-33, a report to the Ranking Member, Committee on 
Finance, U.S. Senate. 

Why GAO Did This Study: 

Self-regulatory organizations (SRO) are exchanges and associations that 
operate and govern the markets, and that are subject to oversight by 
the Securities and Exchange Commission (SEC). Among other things, SROs 
monitor the markets, investigate and discipline members involved in 
improper trading, and make referrals to SEC regarding suspicious trades 
by nonmembers. For industry self-regulation to function effectively, 
SEC must ensure that SROs are fulfilling their regulatory 
responsibilities. This report (1) discusses the structure of SEC's 
inspection program for SROs, (2) evaluates certain aspects of SEC's 
inspection program, and (3) describes the SRO referral process and 
evaluates SEC's information system for receiving SRO referrals. To 
address these objectives, GAO reviewed SEC inspection workpapers, 
analyzed SEC data on SRO referrals and related investigations, and 
interviewed SEC and SRO officials. 

What GAO Found: 

To help ensure that SROs are fulfilling their regulatory 
responsibilities, SEC's Office of Compliance Inspections and 
Examinations (OCIE) conducts routine and special inspections of SRO 
regulatory programs. OCIE conducts routine inspections of key programs 
every 1 to 4 years, inspecting larger SROs more frequently, and 
conducts special inspections (which arise from tips or the need to 
follow up on prior recommendations or enforcement actions) as 
warranted. More specifically, OCIE's inspections of SRO surveillance, 
investigative, and disciplinary programs (enforcement programs) involve 
evaluating the parameters of surveillance systems, reviewing the 
adequacy of policies and procedures for handling the resulting alerts 
and investigations, and reviewing case files to determine whether SRO 
staff are complying with its policies and procedures. 

GAO identified several opportunities for SEC to enhance its oversight 
of SROs through its inspection program. First, although examiners have 
developed processes for inspecting SRO enforcement programs, OCIE has 
not documented these processes or established written policies relating 
to internal controls over these processes, such as supervisory review 
or standards for data collection. Such documentation could strengthen 
OCIE's ability to provide reasonable assurances that its inspection 
processes and products are subject to key quality controls. Second, 
OCIE officials said that they focus inspections of SRO enforcement 
programs on areas judged to be high risk. However, this risk-assessment 
process does not leverage the reviews that SRO internal and external 
auditors performed, which could result in duplication of SRO efforts or 
missed opportunities to direct examination resources to other higher-
risk or less-examined programs. OCIE officials told us that they plan 
to begin assessing SRO internal audit functions in 2008, including the 
quality of their work products, which would allow OCIE to assess the 
usefulness of these products for targeting its inspections. Finally, 
OCIE currently does not formally track the implementation status of SRO 
inspection recommendations; rather, management consults with staff to 
obtain such information as needed. Without formal tracking, OCIE's 
ability to efficiently and effectively generate and evaluate trend 
information, such as patterns in the types of deficiencies found or the 
implementation status of recommendations across SROs, or over time, may 
be limited. 

SEC's Division of Enforcement uses an electronic system to receive 
referrals of potential violations from SROs. These referrals undergo 
multiple stages of review and may lead Enforcement to open an 
investigation. From fiscal years 2003 to 2006, SEC received an 
increasing number of advisories and referrals from SROs, many of which 
involved insider trading. However, SEC's referral receipt and case 
tracking systems do not allow Enforcement staff to electronically 
search all advisory and referral information, which may limit SEC's 
ability to monitor unusual market activity, make decisions about 
opening investigations, and allow management to assess case activities, 
among other things. 

What GAO Recommends: 

GAO's recommendations to the SEC Chairman for enhancing SRO oversight 
include, among others, establishing a written framework for conducting 
SRO inspections, expanding the use of SRO internal review products, and 
enhancing information technology to improve SEC's ability to track and 
analyze SROs' implementation of inspection recommendations and SRO 
referral data. SEC agreed with the recommendations and is taking steps 
to address them. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.GAO-08-33]. For more information, contact Richard 
J. Hillman at (202) 512-8678 or hillmanr@gao.gov. 

[End of section] 

Contents: 

Letter:  

Results in Brief:  

Background:  

OCIE Approach to SRO Inspections Focuses on Determining Whether SROs 
Identify Violations and Enforce and Comply with SRO Rules Effectively:  

Written Inspection Guidance, Increased Leveraging of SRO Internal Audit 
Products, and IT Improvements Could Enhance SEC Oversight of SROs:  

SRO Advisories and Referrals Have Increased, as Have Related SEC 
Investigations and Enforcement Actions, but Information Systems for 
Advisories and Referrals Have Limitations:  

Conclusions:  

Recommendations for Executive Action:  

Agency Comments and Our Evaluation:  

Appendixes: 

Appendix I: Scope and Methodology:  

Appendix II: SEC Oversight of SRO Enforcement Programs Related to 
Insider Trading:  

Appendix III: SEC Civil Enforcement Actions against SROs, January 1995- 
September 2007:  

Appendix IV: Analyses of SEC-Provided Data on Various Case Stages:  

Appendix V: Comments from the Securities and Exchange Commission:  

Appendix VI: GAO Contact and Staff Acknowledgments:  

Tables: 

Table 1: Number of OCIE Staff Delegated to SRO Inspections, Fiscal 
Years 2002-2007 (September):  

Table 2: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of August 8, 1996:  

Table 3: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of June 29, 1999:  

Table 4: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of September 11, 2000:  

Table 5: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of September 30, 2003:  

Table 6: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of February 9, 2005:  

Table 7: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of April 12, 2005:  

Table 8: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of May 19, 2005:  

Table 9: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of June 1, 2006:  

Table 10: Summary of Findings, Enforcement Actions, and Outcomes 
Brought under the SEC Administrative Proceeding of March 22, 2007:  

Table 11: Summary of Findings, Enforcement Actions, and Outcomes 
Brought under the SEC Administrative Proceeding of September 5, 2007:  

Table 12: Number and Type of Advisories, Fiscal Years 2003-2006:  

Table 13: Number of Advisories, by Fiscal Year and SRO, Fiscal Years 
2003-2006:  

Table 14: Number and Type of Referrals, Fiscal Years 2003-2006:  

Table 15: Number of Referrals, by SRO and Fiscal Year, Fiscal Years 
2003-2006:  

Table 16: Number and Type of Matters Under Inquiry, Fiscal Years 2003- 
2006:  

Table 17: Numbers of Matters Under Inquiry Closed and Associated 
Reasons for Closure, Fiscal Years 2003-2006:  

Table 18: Number and Type of Investigations Resulting from SRO 
Referrals, Fiscal Years 2003-2006:  

Table 19: Average and Median Investigation Duration, by Type of 
Investigation, Fiscal Years 2003-2006:  

Table 20: Number, Type, and Duration of Investigations, Fiscal Years 
2003-2006:  

Table 21: Number and Type of Case Actions, Fiscal Years 2003-2006:  

Table 22: Number and Type of Case Outcomes, Fiscal Years 2003-2006:  

Figures: 

Figure 1: Key Steps in OCIE's Inspection Process for SROs:  

Figure 2: SEC's Process and Average Time Frames for Receiving SRO 
Advisories and Referrals and Conducting Related Investigations:  

Figure 3: SRO Advisories and Referrals, and Related SEC MUIs, 
Investigations, Actions, and Outcomes, Fiscal Years 2003-2006:  

Abbreviations: 

ALJ: administrative law judge: 

ARP: Automation Review Policy: 

CATS: Case Activity Tracking System: 

FINRA: Financial Industry Regulatory Authority: 

IG: Inspectors General: 

IT: information technology: 

MUI: matter under investigation: 

NYSE: New York Stock Exchange: 

OCC: Office of the Comptroller of the Currency: 

OCIE: Office of Compliance Inspections and Examinations: 

OIT: Office of Information Technology: 

OMS: Office of Market Surveillance: 

ORSA: Options Regulatory Surveillance Authority: 

SEC: Securities and Exchange Commission: 

SRO: self-regulatory organization: 

UAF: unusual activity file:  

Letter: 

November 15, 2007: 

The Honorable Charles E. Grassley: 
Ranking Member: 
Committee on Finance: 
United States Senate: 

Dear Senator Grassley: 

Self-regulatory organizations (SRO) include, among others, national 
securities exchanges and securities associations registered with the 
Securities and Exchange Commission (SEC), such as the New York Stock 
Exchange (NYSE) and the Financial Industry Regulatory Authority 
(FINRA).[Footnote 1] At the time that the system of self-regulation was 
created, Congress, regulators, and market participants recognized that 
this structure possessed inherent conflicts of interest because of the 
dual role of SROs as both market operators and regulators. 
Nevertheless, Congress adopted self-regulation, as opposed to direct 
federal regulation of the securities markets, to prevent excessive 
government involvement in market operations, which could hinder 
competition and market innovation. Also, Congress concluded that self- 
regulation with federal oversight would be more efficient and less 
costly to taxpayers. 

For industry self-regulation to function effectively, SEC must ensure 
that SROs are fulfilling their regulatory responsibilities. As 
regulators, SROs are primarily responsible for establishing the 
standards under which their members conduct business; monitoring the 
way that business is conducted; bringing disciplinary actions against 
their members for violating applicable federal statutes, SEC's rules, 
and their own rules; and referring potential violations of nonmembers 
to SEC's Division of Enforcement (Enforcement). SEC oversees SROs 
through such actions as reviewing their rule proposals and information 
technology (IT) security through its Division of Market Regulation 
(Market Regulation), and periodically inspecting their operations 
through its Office of Compliance Inspections and Examinations (OCIE). 
OCIE inspections are intended to assess the effectiveness of SRO 
operations and often make recommendations intended to improve 
them.[Footnote 2] If OCIE finds that an SRO has failed to comply with, 
or enforce member compliance with, SRO rules or federal securities 
laws, it may refer the SRO to Enforcement for further investigation and 
potential sanctions. More recently, recognizing the role of internal 
controls in promoting compliance and effectiveness within SROs, OCIE 
has begun focusing increased attention on the activity and work 
products of the internal audit function at SROs. 

This report addresses your interest in the actions taken by SEC to 
ensure that SROs--in particular, the two largest SROs, NASD (the SRO 
that provided market oversight of the NASDAQ Stock Market and certain 
other exchanges prior to FINRA) and NYSE--are fulfilling their 
regulatory responsibilities by effectively monitoring and investigating 
suspicious trading in listed securities and, where appropriate, 
prosecuting misconduct involving member broker-dealers or referring 
potential misconduct by non-SRO members to SEC.[Footnote 3] It also 
addresses your interest in SEC's processes for managing and acting upon 
referrals received by Enforcement from SROs. Specifically, this report: 

1. discusses the overall structure of SEC's inspection program and, 
more specifically, its approach to inspections of SRO surveillance, 
investigative, and disciplinary programs (enforcement programs); 

2. evaluates certain aspects of SEC's inspection program, including 
guidance and planning, the use of SRO internal audit products, and the 
tracking of inspection recommendations; and 

3. describes the SRO referral process to SEC's Enforcement Division and 
recent trends in referral numbers and related SEC investigations, and 
evaluates SEC's information system for advisories and referrals. 

To address our first objective, we reviewed and analyzed OCIE 
documentation of the 11 inspections completed between March 2002 and 
January 2007 of NASD and NYSE enforcement programs, an OCIE memorandum 
to the Commission describing the SRO inspection process, and our prior 
work. Furthermore, we observed a demonstration of various IT systems 
that NASD used to monitor the markets and track investigations and 
disciplinary actions. We also conducted interviews with staff from 
OCIE, NASD, and NYSE. To address our second objective, we reviewed OCIE 
inspection guidance related to the review of SRO internal audit 
reports, guidance for bank examiners from the Board of Governors of the 
Federal Reserve System (Federal Reserve) and the Office of the 
Comptroller of the Currency (OCC), inspection guidelines developed by 
the Inspectors General (IG), and our prior work. In addition, we 
reviewed SRO internal and external audits of IT security and 
interviewed staff from OCIE, Market Regulation, NASD, and NYSE. 
Furthermore, we reviewed internal control standards for the federal 
government and conducted interviews with OCIE and Enforcement officials 
on their respective procedures for ensuring that SROs implement 
inspection recommendations and remedial actions required as part of 
enforcement actions. In addition, we reviewed and summarized the 
enforcement actions brought by SEC against SROs between 1995 and 2007. 
To address our third objective, we observed a demonstration from 
Enforcement staff on the division's system for receiving SRO referrals, 
and we interviewed Enforcement, NASD, and NYSE staff to determine how 
SEC manages SRO referrals and conducts investigations. To understand 
trends in SRO referrals and SEC investigations related to these 
referrals, we requested and analyzed data from SEC's referral receipt 
system and case tracking system from fiscal years 2003 through 2006. We 
inquired about checks that SEC performs on these data and determined 
they were reliable for our purposes. 

We performed our work in Washington, D.C.; New York, New York; and 
Rockville, Maryland, between September 2006 and September 2007 in 
accordance with generally accepted government auditing standards. 
Appendix I provides a more detailed description of our scope and 
methodology. 

Results in Brief: 

To help ensure that SROs are fulfilling their regulatory 
responsibilities, OCIE conducts both routine and special inspections of 
SRO regulatory programs. Routine inspections assess SRO enforcement, 
arbitration, listings, and member examination programs at regular 
intervals. Special inspections are conducted as warranted and encompass 
follow-up work on prior recommendations or enforcement actions, 
investigations of tips or reports, and sweep inspections.[Footnote 4] 
OCIE's process for conducting SRO inspections includes performing 
background research, drafting a planning memorandum, conducting on-site 
reviews, holding exit interviews, and drafting a written inspection 
report that is reviewed and approved by the Commission. Inspection 
teams consist of a lead attorney and from 2 to 6 other staff reporting 
to an OCIE branch chief. The number of staff dedicated to SRO 
inspections has fluctuated in recent years, increasing from 36 to 62 
between fiscal years 2002 and 2005 in response to an increase in SEC 
funding, but then subsequently decreasing over the following 2 years to 
46 as of June 2007. OCIE officials attributed this decline to staff 
attrition and a recent SEC-wide hiring freeze. OCIE officials told us 
that inspections of SRO enforcement programs are intended to assess the 
design and operation of the programs to determine whether they 
effectively fulfill regulatory responsibilities. In these inspections, 
OCIE assesses the parameters of SRO surveillance systems, reviews the 
adequacy of SRO policies and procedures, and reviews SRO case files to 
determine whether SRO staff handled the resulting alerts and 
investigations in compliance with its policies and procedures. OCIE 
inspections may result in recommendations that are intended to address 
any deficiencies identified and improve the effectiveness of SROs. 

While OCIE inspections have assessed and made recommendations to 
improve the effectiveness of SRO enforcement programs, we identified 
several opportunities for OCIE and Market Regulation to enhance their 
oversight of SROs by developing formal guidance, leveraging the work of 
SRO internal audit functions, and enhancing information systems. The 
following points summarize our key findings on SEC's inspection 
program: 

* Although examiners have processes for inspecting SRO enforcement 
programs, OCIE has not documented these processes in an examination 
manual or other formal guidance. According to OCIE officials, the 
uniqueness of SRO rules and surveillance systems would make it 
difficult to tailor a manual to all SROs and keep it current. However, 
other federal financial regulators that perform inspections of diverse 
and complex organizations have developed guidelines or standards that 
outline the objectives of the inspection program and functional 
approaches to meeting the objectives, and inspection standards 
developed by the IG community recommend developing and implementing 
written policies and procedures for internal controls over inspection 
processes to provide reasonable assurance over conformance with an 
organization's policies and procedures. Similar documentation by OCIE 
could help ensure uniform standards and quality controls and serve as a 
reference guide for new examiners. 

* OCIE officials said that they focus their inspection resources on 
areas judged highest risk by considering factors such as when an area 
was last inspected, the size of the program, the results of past 
inspections and consultations with other SEC offices and divisions. 
However, OCIE's risk-assessment and inspection planning processes do 
not incorporate information gathered by SRO internal audit functions. 
Our previous work has shown that SRO internal audits covered aspects of 
their regulatory programs that OCIE also inspected, and could be useful 
for OCIE's planning purposes. In contrast, risk assessments of large 
banks that federal bank examiners conduct are partly based on internal 
audit reports, and examiners may adjust their plans to avoid 
duplication of effort and minimize burden to the banks. By not 
considering internal audit information in their risk-assessment and 
planning processes, OCIE examiners may be duplicating SRO efforts or 
missing opportunities to direct examination resources to other higher- 
risk or less-examined program areas.[Footnote 5] 

* Market Regulation could also enhance SEC oversight over SROs by 
further leveraging information from SRO internal audit functions 
regarding the security of their enforcement-related databases. These 
databases contain critical information about the disciplinary and other 
regulatory history of SRO members; SEC and other regulators rely on the 
accuracy and integrity of these data for conducting their own 
investigative and enforcement efforts. While Market Regulation staff 
conduct regular security reviews of IT systems that SEC and SROs 
consider important to trading operations, in accordance with SEC 
guidance, as well as those systems used to remit regulatory fees, these 
reviews are not intended to directly address the security of 
enforcement-related systems. NASD and NYSE internal and external 
auditors regularly review the security of these systems, and have 
generally concluded that these SROs have adequate controls in place. 
However, because Market Regulation does not review these reports, it 
has little knowledge about the comprehensiveness of SRO reviews and 
cannot determine whether SROs have taken the appropriate steps to 
secure enforcement-related information or what risks a security breach 
could pose. 

* OCIE currently does not formally track the implementation status of 
inspection recommendations. Rather, according to OCIE, management 
consults with staff to obtain such information as needed. The number of 
recommendations in 11 inspection reports we reviewed ranged from 4 to 
29, although OCIE officials said some inspections resulted in as many 
as 30 or 40 recommendations. Without formal tracking, OCIE's ability to 
efficiently and effectively generate and evaluate trend information-- 
such as patterns in the types of deficiencies found or the 
implementation status of recommendations across SROs, or over time--as 
well as to develop performance measures on the effectiveness of its 
inspection program, may be limited. OCIE officials told us that OCIE is 
currently working with SEC's Office of Information Technology (OIT) to 
develop a new tracking system and software that will allow OCIE to 
generate management reports from this system in 2008. 

SRO advisories--information on suspicious trading activity that does 
not rise to the level of a referral--and referrals, which are received 
electronically in Enforcement, have increased in recent years, as have 
related SEC investigations and enforcement actions, but the information 
system SEC uses to receive advisories and referrals has limitations. 
SROs send advisories and referrals electronically to Enforcement's 
Office of Market Surveillance (OMS). The advisories and referrals, 
which may lead to an investigation and enforcement actions, undergo 
multiple reviews. OMS staff apply general criteria, such as the nature 
of the entity and the alleged market activity, to determine whether 
advisories and referrals merit further review and investigation by 
Enforcement attorneys. Our review of SEC data found that advisories 
from SROs grew significantly from 5 in fiscal year 2003 to 190 in 
fiscal year 2006. During the same period, referrals from SROs grew from 
438 to 514, or an increase of 17 percent. Numbers of SEC investigations 
and enforcement actions also showed a corresponding increase. We found 
that almost 91 percent of all advisories and almost 80 percent of SRO 
referrals sent to SEC during this period involved suspected insider 
trading activity, which Enforcement and SRO staff attribute to 
increased merger and acquisition activity. Although SEC received and 
processed an increasing number of advisories and referrals during the 
review period, its systems for receiving them and tracking the 
resulting investigations have limited capabilities for searching and 
analyzing information. For example, the SRO referral system only allows 
users to search advisories or referrals by the issuer whose stock was 
flagged by SRO surveillance, not by the names of individuals or hedge 
funds that may be associated with the suspicious trading activity. 
Furthermore, the referral and case tracking systems are not linked and 
do not allow staff to readily analyze advisory and referral trends or 
characteristics, such as the duration of SRO and SEC processes for 
receiving and responding to SRO referrals. Combined, these limitations 
may reduce the ability of Enforcement staff to manage the advisory and 
referral processes by efficiently accessing information that could help 
monitor unusual market activity and make decisions about opening 
investigations. 

This report makes three recommendations designed to strengthen SEC's 
oversight of SROs. In summary, we recommend that the SEC Chairman (1) 
establish a written framework for conducting inspections of SRO 
enforcement programs, and broaden current guidance to SRO inspection 
staff to have them consider to what extent they will use SRO internal 
audit reports when planning SRO inspections; (2) ensure that Market 
Regulation makes certain that SROs include in their periodic risk 
assessment of their IT systems a review of the security of their 
enforcement-related databases, and that Market Regulation reviews the 
comprehensiveness and completeness of the related SRO-sponsored audits 
of SRO enforcement-related databases; and (3) ensure that any software 
developed for tracking SRO inspections includes the ability to track 
SRO inspection recommendations, and consider IT improvements that would 
increase staff's ability to search for, monitor, and analyze 
information on SRO advisories and referrals. 

We provided a draft of this report to SEC, and the agency provided 
written comments that are reprinted in appendix V. In its written 
comments, SEC agreed with our recommendations. In response to our 
recommendations, SEC said that OCIE will provide its SRO inspectors 
with written guidance with respect to its risk-scoping techniques and 
compiled summary of inspection practices; will assess the quality and 
reliability of SRO internal audit programs and determine whether, and 
the extent to which, inspections can be risk-focused on the basis of 
SRO internal audit work; and is developing a database for, among other 
things, tracking the implementation status of SRO inspection 
recommendations. Furthermore, Market Regulation will implement our 
recommendation to ensure that enforcement-related databases continue to 
be periodically reviewed by SRO internal audit programs and that these 
reviews are comprehensive and complete, and Enforcement plans to 
consider the recommended system improvements. SEC also provided 
technical comments on the draft report, which were incorporated in this 
report as appropriate. 

Background: 

SROs are responsible for the surveillance of the trading activity on 
their markets.[Footnote 6] Market transactions take place on electronic 
or floor-based platforms. SROs employ electronic surveillance systems 
to monitor market participants' compliance with SRO rules and federal 
securities laws. Electronic surveillance systems are programmed to 
review trading and other data for aberrational trading patterns or 
scenarios within defined parameters. Also, SROs review trading as a 
result of complaints from the public, members, and member firms and as 
a result of required notifications, such as those concerning offerings. 
One of the key surveillance systems employed by SROs monitors the 
markets for insider trading. We discuss SRO surveillance systems and 
investigatory procedures related to insider trading in more detail in 
appendix II.[Footnote 7] 

SRO staff review alerts generated by the electronic surveillance 
systems to identify those that warrant further investigation. When SROs 
find evidence of potential violations of securities laws or SRO rules 
involving their members, they can conduct disciplinary hearings and 
impose penalties. These penalties can range from disciplinary letters 
to the imposition of monetary fines to expulsion from trading and SRO 
membership. SROs do not have jurisdiction over entities and individuals 
that are not part of their membership, and, as such, any suspected 
violations on the part of nonmembers are referred directly to 
Enforcement. SROs maintain records of their investigations and the 
resulting disciplinary actions as part of their internal case tracking 
systems. In addition, as part of their market surveillance efforts, 
SROs, such as NASD and NYSE, maintain databases with information on 
individuals and firms associated with suspicious trading activity, such 
as insider trading. NASD also maintains the Central Registration 
Depository, the securities industry online registration and licensing 
database. This database makes complaint and disciplinary information 
about registered brokers and securities firms available to the public 
and, in more detailed form, to SEC, other securities regulators, and 
law enforcement authorities. 

OCIE administers SEC's nationwide examination and inspection program. 
Within OCIE, the Office of Market Oversight primarily focuses on issues 
related to securities trading activities, with the objective of 
evaluating whether SRO enforcement programs and procedures are adequate 
for providing surveillance of the markets, investigating potential 
violations, and disciplining violators under SRO jurisdiction. OCIE 
also inspects other SRO regulatory programs, which include, among 
others, arbitration, listings, sales practice, and financial and 
operational programs. As part of the latter, OCIE coordinates the 
compliance inspections of NASD's district offices, which are 
responsible for examining broker-dealer members for compliance with SRO 
rules and federal securities laws. 

In cases where OCIE discovers potentially egregious violations of 
federal securities laws or SRO rules during an SRO inspection, it may 
refer the case to Enforcement, which is responsible for further 
investigating these potential violations; recommending Commission 
action when appropriate, either in a federal court or before an 
administrative law judge (ALJ); and negotiating settlements. 

SEC's Market Regulation administers and executes the agency's programs 
relating to the structure and operation of the securities markets, 
which include regulation of SROs and review of their proposed rule 
changes. SEC has delegated authority to Market Regulation for other 
aspects of SRO rulemaking as well, including the authority to publish 
notices of proposed rule changes and to approve proposed rule changes. 

OCIE Approach to SRO Inspections Focuses on Determining Whether SROs 
Identify Violations and Enforce and Comply with SRO Rules Effectively: 

OCIE conducts both routine and special inspections of SRO regulatory 
programs as part of its oversight efforts. We found that the SRO 
inspection process generally includes a planning phase, an on-site 
review of SRO programs, and a written report to the SRO documenting 
inspection findings and recommendations that is reviewed and approved 
by the Commission. OCIE typically staffs inspections with a lead 
attorney and from 2 to 6 other staff, who also work concurrently on at 
least 1 other SRO inspection. The number of staff dedicated to SRO 
inspections has fluctuated in recent years, but as of September 2007 
totaled 46. According to OCIE officials, inspections of SRO enforcement 
programs are intended to assess the design and operation of SRO 
enforcement programs to determine if they effectively fulfill SRO 
regulatory responsibilities. As part of these inspections, OCIE takes 
steps to assess SRO surveillance systems, reviews SRO policies and 
procedures for investigating potential violations and disciplining 
violators of rules and laws, and reviews samples of SRO case files to 
determine whether SRO staff were complying with the policies and 
procedures. 

Overall Structure of OCIE Program Encompasses Routine Inspections of 
Key Regulatory Programs at SROs as Well as Special Inspections: 

As part of its SRO oversight responsibilities, OCIE conducts both 
routine and special inspections of SRO regulatory programs. At regular 
intervals, OCIE conducts routine inspections of key regulatory 
programs, such as SRO enforcement, arbitration, examination, and 
listings programs.[Footnote 8] The inspection cycles are based on the 
size of the SRO market and the type of regulatory program, with key 
programs of larger SROs, such as NYSE and NASD, being inspected from 
every 1 to 2 years, and smaller regional SROs from every 3 to 4 
years.[Footnote 9] Inspections of enforcement programs typically include 
a review of SRO surveillance programs for identifying potential 
violations of trading rules or laws, investigating those potential 
violations, and disciplining those who violate the rule or law. While 
sometimes OCIE conducts a comprehensive review of these programs, 
especially at the smaller SROs, often these inspections focus on a 
specific aspect of the programs, such as fixed income. We discuss 
OCIE's process for targeting their routine inspections later in this 
report. OCIE also conducts special inspections of SRO regulatory 
programs, as warranted. Special inspections typically originate from a 
tip or need to follow up on past inspection findings and 
recommendations. Special inspections also can include sweep 
inspections, where OCIE probes specific activities of all SROs or a 
sample of them to identify emerging compliance issues. According to 
OCIE officials, some aspect of every SRO is generally examined every 
year through a routine examination of a specific regulatory program or 
through a special inspection. 

OCIE's inspection process for SROs generally includes a planning phase, 
an on-site review and analysis, and a final inspection report to the 
SRO (see fig. 1). During inspection planning, OCIE identifies the SRO 
program to be inspected and assigns staff who conduct initial research 
on the program, prepare materials for each individual inspection on the 
basis of the inspection's focus, and draft a planning memorandum. In 
preparation for the on-site inspection, OCIE typically sends an initial 
document request to the SRO, asking for general program information 
such as organizational charts and copies of SRO policies and procedures 
or, if OCIE is reviewing a surveillance program, logs of alerts and the 
resulting investigations. We discuss OCIE's review of enforcement 
programs in more detail later in this section. After reviewing the 
documents provided, staff plan the on-site phase of the inspection, 
which can include additional requests for specific documents, such as 
case files, to be made available for review while on-site. OCIE staff 
typically spend 1 week on-site interviewing SRO staff and reviewing 
SRO case files and other documentation. After the on-site visit, OCIE 
staff continue their analysis in the home office; conduct follow-up 
interviews or request additional documentation, as needed; and begin 
drafting the inspection report. Staff present their initial inspection 
findings and recommendations to the SRO in an exit interview and 
incorporate initial SRO responses into the draft inspection report. 
Once the report is drafted, staff then circulate it to other interested 
SEC divisions and offices--such as the Office of General Counsel, 
Market Regulation, or Enforcement--for their review and comment, and 
then submit the report to the Commission for review. Following 
Commission consideration and authorization, staff issue a nonpublic 
report to the SRO and request that the SRO respond in writing within a 
specified time frame, typically 30 days.[Footnote 10] 

Figure 1: Key Steps in OCIE's Inspection Process for SROs: 

This figure is a flow chart with illustrations showing key steps in 
OCIE's inspection process for SROs. 

1: Inspection planning; 
2: Inspection; 
3: Report Writing; 
4: Report approval. 

[See PDF for image] 

Source: GAO (data); Art Explosion (images)

[End of figure] 

According to OCIE officials, they staff SRO inspections with a lead 
attorney and from 2 to 6 other staff reporting to an OCIE branch chief. 
These individuals are typically staffed concurrently on at least 1 
other SRO inspection. As shown in table 1, as of September 2007, the 
SRO inspection group consisted of 46 staff, including 14 managers, 29 
examiners, and 3 other support staff. Of the 32 examiners and support 
staff, 16 are dedicated to market oversight inspections.[Footnote 11] 

Table 1: Number of OCIE Staff Delegated to SRO Inspections, Fiscal 
Years 2002-2007 (September): 

Fiscal year      Managers:  Managers:  Managers:  Staff:        Staff:   Year
                 Senior     Assistant  Branch     Professional  Support  total
                 officer    director   chief
2002             2          2          4          25            3        36
2003             2          2          6          27            3        40
2004             2          3          9          41            4        59
2005             2          4          9          43            4        62
2006             2          3          9          29            4        47
2007 (through    2          4          8          29            3        46
Sept. 2007)

Source: OCIE. 

[End of table] 

Table 1 shows that between fiscal years 2002 and 2005, SRO inspection 
staffing increased from 36 to 62, or 72 percent. OCIE staff said that 
this increase was largely due to the increase in funding SEC received 
as a result of the Sarbanes-Oxley Act of 2002.[Footnote 12] Since then, 
SRO inspection staffing has declined from 62 to 46, or 26 percent, 
which OCIE officials attributed to staff attrition and the inability of 
OCIE to hire replacements during an SEC-wide hiring freeze that occurred 
from May 2005 to October 2006. OCIE officials stated that despite the 
decrease in staff numbers, they have continued to conduct routine 
inspections on schedule, although the inspections may last longer than 
usual. Also, they said that they have not been able to do as many 
special inspections as they otherwise would have conducted. OCIE 
officials told us that the SRO inspection group recently received 6 
additional professional staff positions, which it is now in the process 
of filling.[Footnote 13] 

OCIE Assesses Design and Operation of SRO Enforcement Programs to 
Determine Whether SROs Effectively Fulfill Their Regulatory 
Responsibilities: 

According to OCIE officials, inspections of SRO enforcement programs 
are intended to assess the design and operation of SRO enforcement 
programs to determine whether they effectively identify violations, 
enforce compliance among members, and follow their own procedures. More 
specifically, OCIE officials said that when inspecting SRO surveillance 
programs, their objectives are to determine whether (1) the parameters 
of SRO electronic surveillance systems are appropriately designed to 
generate exceptions that identify potential instances of noncompliance 
with SRO rules and federal securities laws and (2) the systems are 
effectively detecting such activity. When reviewing SRO surveillance 
systems, OCIE begins by asking the SRO for copies of the exchange rules 
that it is required to enforce, a description of the coding behind the 
surveillance systems designed to monitor the markets for compliance 
with these rules, and logs of the alerts that these systems generated. 
OCIE staff then review this information to determine whether the system 
is appropriately designed to identify noncompliance and whether it is 
functioning as designed. For example, as part of one inspection, OCIE 
staff found that the parameters of a specific surveillance system were 
too restrictive, after observing that the system did not generate any 
alerts over the inspection period. Conversely, OCIE staff said that if 
in reviewing a surveillance system, the inspection team saw that the 
system generated 10,000 alerts every quarter, they would follow up with 
the SRO to determine whether the indications of numerous rule 
violations were plausible or whether the parameters of the system were 
set appropriately. Either way, they said that the inspection team would 
dedicate resources to looking at that system. 

Similarly, when evaluating SRO programs for investigating potential 
violations of SRO rules or federal securities laws and disciplining 
broker-dealer members, OCIE officials stated that their objective is to 
determine whether (1) SRO policies and procedures are appropriately 
designed to uncover violations of SRO rules and federal securities laws 
and to administer the appropriate disciplinary measures and (2) the SRO 
is complying with these policies and procedures. OCIE staff first 
request copies of the relevant policies and procedures for 
investigating surveillance alerts and for disciplining members found to 
be in violation of SRO rules and federal securities laws. They also ask 
for lists of the resulting investigations and enforcement actions, 
including referrals on nonmembers to SEC. OCIE staff then analyze this 
information to assess the extent to which SRO policies and procedures 
direct the SRO staff to conduct thorough reviews and investigations 
and, when applicable, to take appropriate disciplinary action. For 
example, during a recently completed sweep inspection of SRO 
surveillance and investigative programs related to insider trading, 
OCIE evaluated related SRO policies and procedures for reviewing alerts 
and opening investigations to determine whether they directed staff to 
coordinate appropriately with other SROs. We discuss the results of 
this sweep inspection--including a plan that the options SROs submitted 
to SEC to create a more uniform and coordinated method for the 
regulation, surveillance, investigation, and detection of insider 
trading--in appendix II. As part of another inspection we reviewed, 
OCIE found that an SRO had not yet developed formal procedures for its 
analysts to review alerts that were generated by a recently implemented 
surveillance system. OCIE recommended that the SRO develop such 
procedures. 

When reviewing SRO enforcement programs, OCIE also assesses whether the 
SRO is in compliance with its own policies and procedures. To 
accomplish this objective, OCIE staff select and review case files 
pertaining to a sample of alerts, investigations, and disciplinary 
files from the lists that they have asked the SRO to generate. OCIE 
staff said when reviewing these files, they pay particular attention to 
the strength of the evidence upon which the SRO analyst relied in 
determining whether to close an alert or an investigation or to refer 
the case to SRO enforcement, SEC, or other appropriate regulators. In 
this way, OCIE staff said they can evaluate whether the SRO is 
enforcing its rules and federal securities laws consistently among its 
members and, in the case of certain federal laws such as those 
prohibiting insider trading, between members and nonmembers. For 
example, in one inspection we reviewed, OCIE found that the SRO used 
its informal disciplinary measures inappropriately when disciplining 
its members, and recommended that formal disciplinary actions be taken 
when informal actions had already occurred. 

OCIE inspections may result in recommendations to SROs that are 
intended to address any deficiencies identified and to improve SRO 
effectiveness. OCIE officials said that for SRO enforcement programs, 
they tend to make recommendations flexible enough to allow SROs to 
implement them in a manner that best fits their unique business models 
and surveillance systems. As we have previously discussed, if OCIE 
finds serious deficiencies at an SRO, it can refer the case to 
Enforcement. Such referrals are relatively infrequent--between January 
1995 and September 2007, SEC brought and settled 10 enforcement actions 
against SROs (see app. III). According to OCIE officials, 
recommendation follow-up is primarily the responsibility of the 
examination team, under the supervision of the assistant director 
assigned to the inspection. Inspection follow-up begins with evaluating 
written responses by SROs to the inspection report and obtaining 
documentation of SRO efforts to address the recommendations, and can 
continue for several years, depending on the complexity of the 
recommendation. For example, OCIE officials said that some 
recommendations, such as those that involve the design and 
implementation of new information technology, may require continued 
dialogue with the SRO over several years before the recommendation is 
fully implemented. OCIE also may follow up on inspection 
recommendations during a subsequent inspection of the SRO. OCIE 
officials said that in the event the SRO does not take steps to address 
a recommendation that staff believe is critical, they can elevate the 
matter to OCIE management or the Commission, although they said that 
this happens infrequently. We discuss the tracking of inspection 
recommendations later in this report. 

Written Inspection Guidance, Increased Leveraging of SRO Internal Audit 
Products, and IT Improvements Could Enhance SEC Oversight of SROs: 

We identified several opportunities for OCIE and Market Regulation to 
enhance their oversight of SROs by developing formal guidance, 
leveraging the work of SRO internal audit functions, and enhancing 
information systems. First, although OCIE has developed a general 
process for inspecting SRO enforcement programs, it has not developed 
an examination manual or other formal guidance for examiners to use 
when conducting inspections, as it has for examinations of other market 
participants. Such guidance could help OCIE ensure that its inspection 
procedures and products are subject to uniform standards and quality 
controls. Second, OCIE has recently expanded the use of the SRO 
internal and external audit reports while on-site at the SRO; however, 
OCIE does not leverage this work in the planning process, which could 
result in duplication of effort and missed opportunities to better 
target inspection resources. Third, in accordance with SEC policy, 
Market Regulation regularly inspects SRO IT systems related to market 
operations for adequate security controls and reviews related to SRO 
internal audit reports. However, this review does not target SRO 
enforcement-related databases, which contain investigative and 
disciplinary information that SROs maintain and upon which other 
regulators rely. Finally, OCIE currently does not formally track the 
implementation status of inspection recommendations, which ranged as 
high as 29 in the inspections that we reviewed. The lack of formal 
tracking may reduce OCIE's ability to efficiently and effectively 
generate and evaluate trend information, such as patterns in the types 
of deficiencies found or the implementation status of recommendations 
across SROs, or over time. 

Lack of Formal Guidance for Inspections of SRO Enforcement Programs 
Could Limit OCIE's Ability to Ensure Staff Compliance with Internal 
Controls: 

Our interviews with OCIE officials and reviews of selected inspection 
workpapers indicated that OCIE examiners typically follow a general 
process when conducting reviews of SRO enforcement programs. This 
process begins with examination planning, is followed by data 
gathering, and ends with reporting. However, OCIE has not developed an 
examination manual or other formal guidance for its examiners to use 
when conducting inspections of SRO enforcement programs. According to 
OCIE officials, because SRO rules and corresponding surveillance 
systems are unique and constantly evolving, it would be difficult to 
develop a detailed inspection manual that could be tailored to all SROs 
and also remain current. These officials said that an examination 
manual is not necessary to ensure consistency among SRO inspections 
because the SRO inspection group is a relatively small group within 
OCIE, and all of the staff are centralized in headquarters. On the 
other hand, they said that because OCIE's inspection program for 
investment companies, investment advisers, and broker-dealers has 
hundreds of examiners across SEC headquarters and its regional offices 
who are responsible for examining thousands of firms, OCIE has 
developed detailed inspection manuals to ensure consistency across 
examinations of these firms. Similarly, OCIE officials said that they 
have developed guidelines for SRO examiners conducting oversight 
inspections of NASD's district offices because OCIE relies on 
examination staff in the SEC regional offices to assist them in 
conducting these inspections. 

In contrast to OCIE, federal banking regulators, such as the Federal 
Reserve and OCC, have developed written guidance for the examination of 
large banks--also highly complex and diverse institutions--that 
outlines the objectives of the program and describes the processes and 
functional approaches used to meet those objectives. By not 
establishing written guidance for conducting inspections of SRO 
enforcement and other regulatory programs, OCIE may be limiting its 
ability to ensure that its inspection processes and products are 
subject to basic quality controls in such areas as examination 
planning, data collection, and report review. For example, in several 
of the inspections we reviewed, we did not find evidence of supervisory 
review, which is a key aspect of inspection quality control. According 
to OCIE officials, the team leader is expected to review the work of 
team members. However, without written policies and procedures 
specifying how and when this review is to be conducted and documented, 
it is difficult to establish whether the team leaders comply with this 
quality control. According to inspection standards developed by the IG 
community, each organization that conducts inspections should develop 
and implement written policies and procedures for internal controls 
over its inspection processes to provide reasonable assurance over 
conformance with organizational policies and procedures. As another 
example, when conducting inspections of SRO enforcement programs, OCIE 
officials said that team leaders often require their teams to use data 
collection instruments, such as checklists, when reviewing SRO files to 
ensure a consistent and complete review of all of the files selected, 
particularly when there are inexperienced staff on the team. While 
potentially an effective means of collecting data, according to OCIE 
officials, the decision to use these tools is up to the individual team 
leader, and not all teams employ them. According to IG inspection 
standards, evidence developed under an effective system of internal 
controls generally is more reliable than evidence obtained where such 
controls are lacking. By not establishing standards addressing quality 
controls in data collection, OCIE's ability to ensure the consistency 
and reliability of data collected across its SRO inspection teams may 
be limited. Furthermore, without written guidelines, new examiners lack 
a reference tool that could facilitate their orientation in the 
inspection program. 

OCIE's Limited Use of SRO Internal Audit Reports in Inspection Planning 
May Diminish Opportunities to Better Target Inspection Resources: 

While OCIE employs a risk-based approach to conducting SRO inspections, 
OCIE's risk-assessment and inspection planning processes do not 
incorporate information gathered through SRO internal audits. According 
to OCIE officials, OCIE tailors inspections of SRO programs 
(particularly at the two largest SROs) to focus on those areas judged 
to pose the greatest risk to the SRO or the general market. In 
determining which areas present the highest risk, OCIE officials said 
they consider such factors as the amount of time that has passed since 
a particular area was last inspected, the size of the area, the results 
of past inspections, and consultations with other SEC offices and 
divisions. For example, because the enforcement programs at NASD and 
NYSE encompass hundreds of surveillance systems, OCIE officials said 
examiners cannot review all systems as part of one inspection. As a 
result, OCIE officials said examiners first conduct a preliminary 
analysis of requested documents and focus inspection resources on those 
systems or areas that are judged to pose the greatest risk. According 
to OCIE officials, because the regional SROs have smaller programs, 
OCIE staff typically are able to conduct a more comprehensive review of 
the entire enforcement program during a single inspection. 

We previously recommended that OCIE develop and implement a policy 
requiring examiners to routinely use SRO internal review reports in 
planning and conducting SRO inspections.[Footnote 14] Prior to October 
2006, OCIE's practice was to request SRO internal audit reports only 
when OCIE believed specific problems existed at an SRO. In October 
2006, OCIE issued a memorandum broadening the circumstances in which 
OCIE would request and use these reports. The memorandum directs 
examiners to request that SROs make all internal audit reports related 
to the program area under inspection available for the staff's on-site 
review, including workpapers or any reviews conducted by any regulatory 
quality review unit of the SRO or an outside auditor. According to the 
memorandum, on-site review of these reports may be useful in 
determining whether the SRO has identified particular areas of concern 
in a program area and adequately addressed those problems, assessing 
whether an SRO addressed prior inspection findings and recommendations, 
and helping staff determine whether they should limit or expand their 
review of particular issues during an inspection. 

OCIE staff said that in fiscal year 2008, they also plan to begin 
reviewing the internal audit functions of SROs, with the goal of 
determining whether SRO internal audit functions are effective. For 
example, OCIE officials said that they plan to evaluate whether the 
internal audit functions are independent of SRO management, conduct 
thorough reviews of all relevant areas (particularly, regulatory 
programs), and have sufficient staffing levels. OCIE officials said 
that as part of their reviews, they also plan to assess the quality and 
reliability of SRO internal audit reports and assess whether SROs have 
implemented the recommendations resulting from these reports. OCIE 
officials told us that they are in the planning phase of this review, 
and, as such, they have not yet developed written guidance for their 
examiners in conducting these reviews.[Footnote 15] 

While OCIE's October 2006 memorandum broadened the use of SRO internal 
audit reports to encompass on-site reviews during inspections, it did 
not address the use of internal audit reports for planning purposes, as 
we had recommended. In contrast, the risk assessments of large banks 
that federal bank examiners conduct during the planning phase are 
based, in part, on internal audit reports, and examiners may adjust 
their examination plans to avoid duplication of effort and minimize 
burden to the bank. For example, according to examination guidance that 
the Federal Reserve issued, to avoid duplication of effort and burden 
to the institution, examiners may consider using these workpapers and 
conclusions to the extent that examiners test the work performed by the 
internal or external auditors and determine it is reliable. Similarly, 
examination guidance issued by OCC states that examiners' assessments 
of a bank's audit and control functions help leverage OCC resources, 
establish the scope of current and future supervisory activities, and 
assess the quality of risk management. 

By not considering the work and work products of SRO internal audit 
functions in its inspection planning process, OCIE examiners may be 
duplicating SRO efforts, causing regulatory burden, or missing 
opportunities to direct examination resources to other higher-risk or 
less-examined program areas. For example, our previous work, which 
focused on the listing programs of SROs, showed that SRO internal audit 
functions had examined or were in the process of examining aspects of 
their listing programs that OCIE had covered in its most recent 
inspections, and that resulting reports could be useful to OCIE in 
planning as well as conducting inspections.[Footnote 16] As OCIE begins 
to assess the quality of SRO internal audit functions and work 
products, the opportunity exists for OCIE to further leverage these 
products in targeting its own inspection efforts. OCIE officials said 
that as part of their upcoming reviews of SRO internal audit functions, 
they will assess whether SRO internal audit products may be helpful in 
assisting them in targeting inspections of particular SRO functions. 

OCIE could also further leverage the work performed by SRO internal and 
external auditors to monitor a particular regulatory program between 
inspections. In our review of OCIE inspections of NASD and NYSE 
enforcement programs, as many as 8 years passed between inspections of 
a particular surveillance system and related investigations and 
disciplinary actions. Moreover, as OCIE officials noted, the recent 
decline in SRO inspection staff has lengthened the time it takes to 
complete a routine SRO inspection and limited their ability to conduct 
additional special inspections. Unless OCIE regularly informs itself 
of the results of SRO efforts to review these systems, it may not know 
of emerging or resurgent issues until the next inspection.[Footnote 17] 

SEC Does Not Obtain Information on the Security of SRO 
Enforcement-Related Systems and Databases: 

As we have previously discussed, SROs conduct surveillance of trading 
activity on their markets; carry out investigations; and bring 
disciplinary proceedings involving their own members or, when 
appropriate, make referrals to SEC when the suspicious activity 
involves nonmembers. However, SEC's Market Regulation does not obtain 
information on the security of SRO enforcement-related databases--IT 
applications for storing data about SRO investigations and disciplinary 
actions taken against SRO members--when conducting reviews of IT 
security at SROs. Under SEC's Automation Review Policy (ARP), Market 
Regulation conducts on-site reviews of SRO trading systems, information 
dissemination systems, clearance and settlement systems, and electronic 
communications networks and makes recommendations for improvements when
necessary.[Footnote 18] Market Regulation also conducts reviews of SRO 
general and application controls over the collection of fees under 
section 31 of the Securities Exchange Act of 1934.[Footnote 19] These 
are IT systems designated for remitting fees to SEC as part of the 
section 31 program, which ensures that the data produced by these 
systems are authorized, and completely and accurately processed and 
reported. 

Market Regulation officials said that they do not target 
enforcement-related databases for specific review, since the ARP policy 
statement is specifically intended to oversee systems essential to market 
operations. These officials said that Market Regulation could include a 
review of the security of enforcement-related databases both in their 
general assessments of SRO IT infrastructure security within the ARP 
and in section 31 reviews. They explained that both of these reviews 
include testing of components and evaluations of general access 
controls and changes made within SRO organizationwide network 
structures in their routine reviews of specific IT programs and 
systems, such as SRO computer operations, security assessments, 
internal and external audit IT coverage, and systems outage 
notification procedures and systems change notifications. However, 
these general assessments by Market Regulation would not necessarily 
provide SEC with information on potential risks specific to the 
security of the data contained in enforcement-related databases. 

NASD and NYSE officials told us that they conduct their own regular 
internal inspections of security of IT systems, which include reviews 
of enforcement-related databases. In addition, both SROs contract with 
external companies that regularly conduct reviews of the security 
controls of their technology systems. We reviewed several of these 
internal and external audits, which include reviews of SRO 
enforcement-related systems and databases conducted from fiscal years 2002 
through 2006. These reviews generally concluded that NASD and NYSE have 
adequate controls in place to protect sensitive enforcement-related 
data. 

The internal and external audit reports of NYSE and NASD that we 
reviewed showed that these reports could be a valuable source of 
information for Market Regulation on specific risks to 
enforcement-related databases. Market Regulation officials said that in 
conducting ARP-related inspections, they review SRO internal and external audit 
reports related to the infrastructure of SRO IT systems; however, they 
do not specifically look for information related to the assessment of 
security of enforcement-related databases. In addition, SEC staff said 
that although they generally receive all the internal and external 
audit reports done of SRO systems relating to trading and clearing 
functions, they may not always receive such reports relating to other 
systems, including enforcement-related databases, from all SROs. 

Since SROs, SEC, and other regulators rely on the accuracy and 
integrity of the data in SRO enforcement-related databases in 
fulfilling their own regulatory responsibilities, protecting this 
information from unauthorized access is critical to regulatory efforts. 
For example, as we discuss later in this report, SEC uses SRO 
surveillance data in carrying out its own enforcement efforts related 
to securities trading. Furthermore, SROs are responsible for 
maintaining complaint and disciplinary data on their members-- 
information that is essential for identifying recidivists. By not 
periodically obtaining information to ensure that the SRO 
risk-assessment process and SRO-sponsored audits continue to be included in 
SRO assessment cycles and that the audits are comprehensive and 
complete, Market Regulation cannot assess whether SROs have taken the 
appropriate steps to ensure the security of sensitive 
enforcement-related information, or the level of risk that a data breach could 
pose. 

Lack of Formal Tracking System May Limit OCIE's Ability to Effectively 
Assess SRO Implementation of Inspection Recommendations: 

Although OCIE officials said that they have worked with SROs to address 
the intent of recent inspection recommendations, we were not able to 
readily verify the status of the recommendations in the inspections we 
reviewed because OCIE does not formally track inspection 
recommendations or the status of their implementation. OCIE officials 
said that when OCIE management is interested in obtaining an update on 
the recommendations resulting from an inspection, they consult directly 
with the examination team assigned to the SRO inspection. OCIE 
officials also said that they do not consider the lack of a formal 
tracking system to have affected their ability to manage any follow-up 
of inspection recommendations because there are relatively few SROs, 
and OCIE staff is in frequent contact with them. OCIE's informal 
methods for tracking inspection recommendations contrast with the 
expectations set by federal internal control standards for ensuring 
that management has relevant, reliable, and timely information 
regarding key agency activities.[Footnote 20] These standards state 
that key information on agency operations should be recorded and 
communicated to management and others within the entity and within a 
time frame that enables management to carry out its internal control 
and other responsibilities. 

Without a formal tracking system, the ability of OCIE management to 
effectively and efficiently monitor the implementation of SRO 
inspection recommendations and conduct programwide analyses may be 
limited. Of the 11 inspections of NASD and NYSE enforcement programs we 
reviewed, the number of recommendations OCIE made ranged from 4 to 29, 
with an average of 11.[Footnote 21] They also ranged in complexity, 
from asking the SRO to update its policies and procedures to 
recommending that an SRO implement an entire surveillance program. For 
example, we observed recommendations calling for, among other things, 
improving case file documentation, changing the parameters of a 
surveillance system, implementing an automated tracking system, and 
improving SRO member education. OCIE officials said that some 
inspections resulted in as many as 30 or 40 recommendations. Without a 
formal tracking system, OCIE management must rely on staff's 
availability and ability to recall recommendation-related information, 
which may be reliable when discussing an individual inspection, but may 
limit OCIE management's ability to efficiently generate and evaluate 
trend information, such as patterns in the types of deficiencies found 
or the implementation status of recommendations across SROs, or over 
time. Implementing a formal tracking system would not only allow 
management to more robustly assess the recommendations to SROs and 
their progress in implementing them, but would allow it to develop 
performance measures that could assist management in evaluating the 
effectiveness of its inspection program. 

According to OCIE and SEC's OIT officials, OCIE recently began working 
with OIT to develop a new examination tracking system that will include 
the capability to track SRO responses and implementation status of OCIE 
recommendations. OCIE officials said that planned requirements for the 
system include a field to enter the recommendation, a field for OCIE 
inspectors to broadly categorize the status of its implementation, and 
a text box for inspectors to elaborate on the recommendation and its 
implementation status. OCIE officials also said that they expect that 
the system will be able to trace the history of a recommendation. OIT 
officials told us that they are developing separate software that will 
allow OCIE to generate management reports using data from the tracking 
systems as well as other databases; however, the requirements for any 
management reports OCIE would receive have yet to be determined. 
According to an OCIE official, the recommendation tracking system and 
reporting capabilities may be an effective way to provide OCIE 
management with a high-level characterization of implementation status. 
OCIE officials said that in response to our concerns, they plan to 
deploy an interim, stand-alone recommendation tracking system that will 
provide a management report, in the form of a spreadsheet, that 
contains all open recommendations to SROs resulting from SRO 
inspections and the current status of SRO efforts to implement them. 
These officials said that they expect to use this spreadsheet until the 
previously described OIT projects are implemented in 2008. 

SRO Advisories and Referrals Have Increased, as Have Related SEC 
Investigations and Enforcement Actions, but Information Systems for 
Advisories and Referrals Have Limitations: 

Enforcement receives advisories and referrals, which undergo multiple 
stages of review and may lead to opening an investigation, through an 
electronic system in OMS. After opening investigations, Enforcement 
further reviews the evidence gathered to decide whether to pursue civil 
or administrative actions, or both. From fiscal years 2003 to 2006, OMS 
received an increasing number of advisories and referrals from SROs, 
such as NYSE and NASD, most of which involved insider trading. However, 
limited search capabilities of the SRO system and the lack of a link 
between the SRO and case activity tracking systems have limited 
Enforcement staff's ability to electronically search advisory and 
referral information, monitor unusual market activity, make decisions 
about opening matters under inquiry (MUI) and investigations, and 
assess case activities. 

OMS Uses a Multistep Process to Review SRO Referral Information That 
Can Lead to Opening Investigations and Subsequent Enforcement Actions: 

Upon receipt of SRO information in its Web-based SRO Referral Receipt 
System (SRO system), OMS makes initial decisions on referrals and 
forwards selected referral materials to investigative attorneys. After 
initial reviews by OMS staff, Enforcement may decide to open 
investigations if it determines evidence garnered during its inquiry 
period warrants doing so and staff and financial resources are 
available. If investigation evidence merits, staff may pursue 
administrative or civil actions and seek remedies, such as 
cease-and-desist orders and civil monetary penalties. 

Enforcement Receives Advisories and Referrals from SROs about Unusual 
Market Activity through a Web-Based System: 

The referral process begins when OMS staff receive SRO advisories and 
referrals on unusual market activity through a secure Web-based 
electronic system called the SRO system. SEC officials noted that SRO 
referrals help SEC identify and respond to unusual market activity by 
those who are not members of SROs, investigate those suspected of 
potentially illegal behavior, and take action when the circumstances of 
cases and evidence are appropriate. OMS branch chiefs, who are 
responsible for reviewing advisories and referrals, access the SRO 
system on a weekly basis to review all SRO-submitted advisories and 
referrals. 

SRO advisories and referrals usually consist of a short form with basic 
background information on the suspected unusual market activity by SRO 
nonmembers that includes the name of the security issuer, date of the 
unusual activity, and a description of the market activity identified 
by the SRO. The materials also contain a text attachment, which 
includes more detailed narrative information, such as a chronology of 
unusual activity and specific information about issuers and individuals 
potentially associated with that activity. SEC does not receive 
information electronically or otherwise on unusual market activity by 
SRO members or related investigations by SROs of the unusual member 
activity. 

OMS Reviews Both Advisories and Referrals, and Forwards Referrals to 
Enforcement Attorneys for Possible Investigatory Action: 

After reading advisories and referrals, OMS branch chiefs use SEC's 
National Relationship Search Index, an electronic system that connects 
to and works with a range of other SEC systems, such as the Case 
Activity Tracking System (CATS), to determine whether existing SEC 
investigations involve the issuer noted in the SRO advisory or 
referral.[Footnote 22] If an investigation already exists that involves 
the issuer noted in the advisory or referral, the branch chiefs will 
forward the advisory or referral to the Enforcement attorney conducting 
that investigation for review and incorporation into his or her case. 

If Enforcement has not already opened an investigation on a particular 
issuer, OMS staff store advisories in the SRO system, but do not 
investigate them because they do not contain information as detailed as 
that found in referrals in the SRO system.[Footnote 23] However, SROs 
may continue their market surveillance efforts on an advisory, further 
develop information on the unusual market activity, and submit all 
information later as a referral for potential action by SEC. For 
referrals, branch chiefs apply criteria--such as (1) the nature of the 
unusual market activity, (2) the persons involved and their employment 
positions, (3) the dollar value of the unusual activity in question, 
(4) potential harm to the financial markets and individual investors, 
and (5) any other information branch chiefs may have obtained through 
conversations with SRO staff--to make initial decisions about the merit 
of forwarding the referrals to Enforcement management and attorneys for 
possible SEC investigation. Enforcement associate directors review and 
either approve or disapprove branch chiefs' recommendations about the 
referrals. Referrals not recommended by branch chiefs for approval are 
stored in the SRO system and may be accessed as needed. 

If approved, OMS branch chiefs open an MUI, a 60-day initial inquiry 
period, and electronically forward all referral information to SEC 
headquarters or the appropriate regional office, where investigative 
attorneys and management have up to 60 days to review all available 
case information and consider staff and financial resources to decide 
whether to proceed with a full investigation. Once the MUI has been 
opened, Enforcement staff assigns the MUI a CATS case number, and staff 
use CATS to track all components of the case until it is 
closed.[Footnote 24] Figure 2 outlines SEC's process and average time 
frames for receiving, processing, and investigating unusual market 
activity identified by SROs. 

Figure 2: SEC's Process and Average Time Frames for Receiving SRO 
Advisories and Referrals and Conducting Related Investigations: 

This figure is a flow chart showing SEC's process and average time 
frames for receiving SRO advisories and referrals and conducting 
related investigations. 

[See PDF for image] 

Source: GAO. 

[End of figure]  

Enforcement staff at headquarters or the regional offices use criteria 
that are similar to those used by OMS staff during their initial 
review, but also consider the level of financial resources available 
for investigations and the availability of Enforcement staff to 
determine whether to close the MUI or open an investigation. If 
Enforcement staff do not open an investigation, the MUI is closed in 
CATS and staff document the reason(s) for closure, which may include 
insufficient evidence, resource limitations, or a newly opened case 
being merged with an existing case. 

When Evidence from Investigation Merits, Enforcement Division Can 
Pursue Civil and Administrative Actions: 

If the Enforcement Division develops evidence it deems sufficient for 
moving forward, SEC may institute civil or administrative enforcement 
actions, or both. When determining how to proceed, Enforcement staff 
consider such factors as the seriousness of the wrongdoing, the 
technical nature of the matter under investigation, and the type of 
sanction or relief sought. When the misconduct warrants it, SEC will 
bring both types of proceedings. With civil actions, SEC files a 
complaint with a federal district court that describes the misconduct, 
identifies the laws and rules violated, and identifies the sanction or 
remedial action that is sought. For example, SEC often seeks civil 
monetary penalties and the return of illegal profits, known as 
disgorgement. The courts also may bar or suspend an individual from 
serving as a corporate officer or director (see fig. 2). 

SEC can seek a variety of sanctions through administrative enforcement 
proceedings as well. An ALJ, who is independent of SEC, presides over a 
hearing and considers the evidence presented by the Enforcement staff 
as well as any evidence submitted by the subject of the proceeding. 
Following the hearing, the ALJ issues an initial decision, which 
contains a recommended sanction. Administrative sanctions or outcomes 
include cease-and-desist orders, suspension or revocation of 
broker-dealer and investment adviser registration, censures, bars from 
association with certain persons or entities in the securities 
industry, payment of civil monetary penalties, and return of illegal 
profits. Both Enforcement staff and the defendant may appeal all or any 
portion of the initial decision to SEC Commissioners, who may affirm 
the decision of the ALJ, reverse the decision, or remand it for 
additional hearings. An SRO may also agree to undertake other remedial 
actions in a settlement agreement with SEC. 

Once civil or administrative proceedings have concluded and all 
outcomes are finalized, SEC closes the investigation and terminates the 
case in CATS.[Footnote 25] 

Figure 2 also provides data on the durations involved with referral and 
investigation processes and shows that stages of the process--from SRO 
identification of unusual market activity to the closure of 
investigations--vary in their duration. We analyzed data SEC provided 
from its referral and case tracking systems from fiscal years 2003 to 
2006. For those cases for which the data had open and close dates for 
the investigation stage of the process, it took an average of 726 days 
or almost 2 years from the point that SROs identify unusual market 
activity and send SEC referrals to the time that SEC completely 
investigates and concludes cases.[Footnote 26] Of this total time, it 
took, on average, 192 days for the first three steps in the process, 
which include SROs identifying unusual market activity and referring it 
to SEC and SEC opening an MUI to conduct its initial inquiry on 
referrals.[Footnote 27] It took, on average, another 534 days for SEC 
to investigate that unusual market activity; institute administrative 
or civil enforcement proceedings; administer outcomes, such as issuing 
and collecting fines; and completely close investigations.[Footnote 28] 

From Fiscal Years 2003 through 2006, the Number of SRO Advisories and 
Referrals and SEC Investigations and Enforcement Actions Significantly 
Increased: 

Data we reviewed from SEC's SRO system and CATS showed that the number 
of advisories, referrals, and investigations significantly increased 
from fiscal years 2003 through 2006. More specifically, advisories 
increased from 5 in fiscal year 2003 to 190 in fiscal year 2006 and 
totaled 390 for the period. Of the 4-year total, 354, or 91 percent, 
were insider trading advisories, and an additional 3 percent involved 
market manipulation issues. Data from SEC's SRO system on 1,640 
referrals showed that the number of referrals SEC received from SROs 
grew from 438 in fiscal year 2003 to 514 in fiscal year 2006, an 
increase of 17 percent. Of the total number of referrals, almost 80 
percent involved suspected insider trading activities. In addition, 
NYSE and NASD submitted 1,095, or almost 70 percent, of the total 
number of referrals. SEC and SRO officials attributed the increase to 
more merger and acquisition activity in the marketplace. 

Data SEC provided to us from its case tracking system showed a 
corresponding increase in the number of investigations SEC opened from 
SRO referrals over the same period. The number of investigations rose 
from 82 in fiscal year 2003 to 208 in fiscal year 2006, an increase of 
154 percent. Case actions, which follow SEC's determination of whether 
to file a case as an administrative proceeding or a civil action, also 
increased. The number of case actions rose from 2 in fiscal year 2003 
to 29 in fiscal year 2006. SEC actions result in case outcomes such as 
permanent injunctions, preliminary injunctions, restraining orders, 
administrative proceeding orders, and emergency actions. These case 
outcomes rose from 3 in fiscal year 2003 to 82 in fiscal year 2006. 
Case outcomes also may include "relief," such as disgorgement, payment 
of prejudgment interest and other monetary penalties, asset freezes, 
and officer and director bans. For example, in 2003, NYSE referred 
unusual market activity to SEC after suspecting potential insider 
trading activity. After opening an MUI and investigating the activity, 
the case resulted in an administrative proceeding and a civil action. 
The case resulted in a range of outcomes against 6 individuals. The 
administrative proceeding specifically resulted in an order barring 
individuals alleged in the case from associating with one another on 
trading. The civil action resulted in permanent injunctions to stop the 
suspected use of material, nonpublic information and in financial 
penalties that included disgorgement. 

Figure 3 illustrates the upward trend in the numbers of advisories, 
referrals, MUIs, investigations, case actions, and case outcomes for 
the period we reviewed.[Footnote 29] The figure also shows that more 
than three quarters of the referrals were made for insider trading. 
Market manipulation and "other" activity, including activity associated 
with issuer reporting and financial disclosure and initial securities 
offerings, constituted the other major categories of referrals. 
Appendix IV provides additional data on these trends by fiscal year. 

Figure 3: SRO Advisories and Referrals, and Related SEC MUIs, 
Investigations, Actions, and Outcomes, Fiscal Years 2003-2006: 

This figure is a bar graph showing SRO advisories and referrals, and 
related SEC MUIs, investigations, actions, and outcomes, fiscal years 
2003-2006. 

[See PDF for image] 

Source: GAO. 

[End of figure] 

Limited Search Capabilities of the SRO System and Lack of Linkage to 
Case Tracking System May Limit Management of Process and Staff 
Analysis: 

SEC's SRO system featured limited capability to electronically search 
information on advisories and referrals and may limit Enforcement 
staff's ability to efficiently monitor unusual market activity, make 
subsequent decisions about opening MUIs and investigations, and manage 
the SRO advisory and referral process. As we have previously discussed, 
federal internal control standards state that management needs 
relevant, reliable, and timely communications relating to internal and 
external events. In addition, these standards state that the 
information should be distributed in a form and time frame that permits 
management and others who need it to perform their duties efficiently. 

SEC developed the SRO system to receive and store advisory and referral 
information from SROs and enable SEC staff to make initial decisions 
about which SRO-identified market activities to investigate. The system 
primarily receives information on unusual market activity based on SRO 
surveillance of trades among stock issuers. This information includes 
the name of the security issuer; the date of the unusual activity; and 
a description of the type of activity, among other data. The SRO system 
also stores narrative attachments, which the SROs provide to SEC, that 
contain additional information about individuals or entities, such as 
investment advisers or hedge funds, associated with unusual market 
activity. While the system allows OMS staff to search by issuer, the 
narrative information cannot be easily searched in the system; instead, 
the attachments must be individually opened and read. An Enforcement 
branch chief noted that narrative information can help establish 
patterns of behavior that are critical when SEC tries to investigate 
potentially fraudulent activity, such as market manipulation and 
insider trading. Furthermore, only OMS branch chiefs have access to the 
SRO system, so attorneys who need that information have to consult with 
OMS branch chiefs or contact SRO staff directly, rather than access 
that information electronically. In addition, since the referral 
receipt and case tracking systems are not linked, management is unable 
to readily assess the efficiency and effectiveness of the referral and 
investigation processes. For example, SEC is unable to extract 
information from a single source on how long it takes both SROs and SEC 
to work through different stages of cases over time, from referral 
receipt (SRO system) to opening MUIs and conducting investigations 
(case tracking system).[Footnote 30] SEC headquarters and regional 
office officials noted that receiving information in a timely manner is 
critical to the investigative steps of assembling the facts of the case 
and collecting evidence on those potentially involved with unusual 
market activity. To obtain this information and customized reports and 
statistics on Enforcement operations, division officials said they must 
submit requests to SEC's OIT and then wait for OIT staff to respond to 
the request. As noted in our 2007 report on Enforcement Division 
operations, these requests may take several days to 1 week to complete. 
Having recognized system limitations, SEC officials have undertaken 
efforts to make improvements to CATS by developing a new case 
information management system called the Hub. However, these planned 
improvements do not address limitations of the SRO system and do not 
include expanded linkages between the SRO system and CATS.[Footnote 31] 

Conclusions: 

SEC's oversight of SRO enforcement programs has produced positive 
outcomes. For example, in response to an OCIE recommendation, SROs in 
the options market have developed a new surveillance authority, which 
is intended to improve coordination among SROs in monitoring the 
markets for insider trading and investigating any resulting alerts. The 
equities markets are expected to soon follow with a similar plan. SEC, 
through its Enforcement Division, has worked with SROs to detect and 
respond to potential securities laws violations. Between fiscal years 
2003 and 2006, SEC responded to an increasing number of SRO referrals-- 
a large percentage of which are related to insider trading--with an 
increasing number of investigations and enforcement actions. SEC has 
started to incorporate the results of SRO internal audits into its 
on-site inspections, which helps to leverage resources. In addition, the 
agency plans to expand its oversight of SRO functions to include 
reviews of the internal audit function--with an emphasis on 
independence, staffing levels, and scope of coverage. Such reviews 
could help ensure that SROs are effectively assessing risks, 
instituting appropriate controls, and carrying out their 
responsibilities. 

However, several opportunities exist to enhance the efforts used by SEC 
to oversee SROs and, particularly, their enforcement programs. 
Specifically, OCIE examiners are conducting inspections of SRO 
enforcement programs without formal guidance. Although our review of a 
sample of inspections found that examiners have developed a methodology 
for reviewing SRO enforcement programs, the lack of written guidance-- 
which establishes minimum standards and quality controls--could limit 
OCIE's ability to provide reasonable assurances that its inspection 
processes and products are subject to basic quality controls in such 
areas as examination planning, data collection, and report review. 
Moreover, the lack of formal guidance could result in individual 
inspection teams creating data collection and other examination tools 
that otherwise would be centralized and more efficiently shared across 
inspection teams. 

Furthermore, OCIE's recent internal guidance on the use of SRO internal 
audit-related reports does not address the use of these reports for 
risk-assessment and inspection planning purposes, as we have previously 
recommended. We continue to believe that the use of these reports when 
conducting risk assessments and determining the scope of an upcoming 
inspection could allow OCIE to better leverage its inspection 
resources, especially if OCIE determines that the reports produced by 
SRO internal audit functions are reliable. As OCIE officials noted, 
they plan to begin assessing SRO internal audit functions in 2008, 
including the quality and reliability of their work products, although 
they have not yet developed guidance for inspection staff on conducting 
these reviews. By not considering the work and work products of the SRO 
internal audit function in its inspection planning process, OCIE may be 
duplicating SRO efforts and not maximizing the use of its limited 
resources. OCIE also may be missing an opportunity to better monitor 
the effectiveness of the SRO regulatory programs (including enforcement 
programs) between inspections. 

SEC also has an opportunity to leverage the work of SRO internal audit 
functions in its assessment of information security at SROs. Since ARP 
Policy Statements specifically are intended to oversee systems 
essential to market operations, Market Regulation officials do not 
target enforcement-related databases for specific review. Although SROs 
have assessed the security controls of these databases, Market 
Regulation officials have little knowledge of the content or 
comprehensiveness of these audits. As a result, Market Regulation 
cannot determine whether SROs have taken the appropriate steps to 
ensure the security of this sensitive information. Market Regulation 
could facilitate this evaluation by making certain that 
enforcement-related databases continue to be periodically reviewed by SROs, and 
that these reviews are comprehensive and complete. 

Both OCIE and Enforcement could benefit from improvements to 
information technology systems when overseeing SROs. OCIE currently 
lacks a system that tracks the status of inspection recommendations. 
OCIE officials told us that a new examination tracking database is in 
development that will allow OCIE to track the implementation of 
inspection recommendations as well as software that will allow OCIE to 
generate management reports from this database. By ensuring these 
system capabilities, OCIE management could improve its ability to 
monitor the implementation of OCIE recommendations, and begin 
developing measures for assessing the effectiveness of its program. 

Finally, while SEC has responded to a significant increase in SRO 
referrals between fiscal years 2003 and 2006, Enforcement's systems for 
receiving referrals and tracking the resulting investigations have 
limited capabilities for searching and analyzing information related to 
these referrals. Enforcement is currently working to address some 
limitations in its case tracking system; however, this effort does not 
include making improvements to the separate system used to receive and 
manage SRO referrals. By including system improvements to allow 
electronic access to all of the information contained in advisories and 
referrals submitted by SROs, generate management reports, and provide 
links to the case tracking system, Enforcement could enhance its 
ability to efficiently and effectively manage SRO advisories and 
referrals and conduct analyses that could contribute to improved SEC 
planning, operations, and oversight. 

Recommendations for Executive Action: 

To enhance SEC oversight of SROs, we recommend that the SEC Chairman 
take the following three actions: 

* establish a written framework for conducting inspections of SRO 
enforcement programs to help ensure a reliable and consistent source of 
information on SRO inspection processes, minimum standards, and quality 
controls; and, as part of this framework, broaden current guidance to 
SRO inspection staff on the use of SRO internal audit reports to direct 
examiners to consider the extent to which they will rely on reports and 
reviews of internal and external audit and other risk-management 
systems when planning SRO inspections; 

* ensure that Market Regulation makes certain that SROs include in 
their periodic risk assessment of their IT systems a review of the 
security of their enforcement-related databases, and that Market 
Regulation reviews the comprehensiveness and completeness of the 
related SRO-sponsored audits of their enforcement-related databases; 
and 

* as part of the agency's ongoing efforts to improve information 
technology capabilities, 

- ensure that any software developed for tracking SRO inspections 
includes the ability to track and report SRO responses to and 
implementation status of OCIE inspection recommendations and 

- consider system improvements that would allow Enforcement staff to 
electronically access and search all information in advisories and 
referrals submitted by SROs and generate reports that would facilitate 
monitoring and analysis of trend information and case activities. 

Agency Comments and Our Evaluation: 

We requested comments on a draft of this report from SEC. SEC provided 
written comments on the draft, which we have reprinted in appendix V. 
SEC also provided technical comments on a draft of the report, which 
were incorporated in this report as appropriate. In its written 
comments, SEC agreed with our recommendations. SEC noted that OCIE will 
provide SRO inspectors with written guidance on its risk-scoping 
techniques and a compiled summary of inspection practices. In addition, 
OCIE plans to assess the quality and reliability of SRO internal audit 
programs and determine whether, and the degree to which, inspections 
can be risk-focused on the basis of SRO internal audit work. SEC also 
noted that it is developing a database to track the status of SRO 
inspection recommendations and provide management reports and that this 
enhancement should create additional efficiencies for inspection 
planning purposes. SEC's Market Regulation will implement our 
recommendation to ensure that enforcement-related databases continue to 
be periodically reviewed by SRO internal audit programs, and that these 
reviews are comprehensive and complete. Furthermore, Enforcement plans 
to consider recommended system improvements to more effectively manage 
the advisory and referral processes. 

As agreed with your office, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
after its date. At that time, we will send copies of this report to 
interested congressional committees and the Chairman of the Senate 
Committee on Finance. We will also send a copy to the Chairman of the 
Securities and Exchange Commission. We will also make copies available 
to others upon request. The report will be available at no charge on 
the GAO Web site at [hyperlink,http://www.gao.gov]. 

If you or your staff have any questions regarding this report, please 
contact me at (202) 512-8678 or hillmanr@gao.gov. Contact points for 
our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Key contributors to this report are listed in appendix VI. 

Sincerely yours, 

Signed by: 

Richard J. Hillman: 

Managing Director: 

Financial Markets and Community Investment: 

[End of section] 

Appendixes:  

Appendix I: Scope and Methodology: 

To discuss the overall structure of the Securities and Exchange 
Commission's (SEC) inspection program--more specifically, its approach 
to inspections of self-regulatory organizations' (SRO) surveillance, 
investigative, and enforcement programs (enforcement programs)--we 
reviewed and analyzed documentation of all 11 inspections that SEC's 
Office of Compliance Inspections and Examinations (OCIE) completed from 
March 2002 through January 2007 of enforcement programs related to the 
former NASD and the New York Stock Exchange (NYSE). We also reviewed 
and analyzed an OCIE memorandum to the Commission describing the SRO 
inspection process, staffing data provided by OCIE, and our prior work. 
Furthermore, we observed a demonstration of various information 
technology systems that NASD used to monitor the markets and track 
investigations and disciplinary actions. Finally, we reviewed and 
summarized the enforcement actions brought by SEC against SROs from 
1995 to 2007. We also conducted interviews with staff from OCIE, NASD, 
and NYSE. 

To evaluate certain aspects of SEC's inspection program, including 
guidance and planning, the use of SRO internal audit products, and the 
tracking of inspection recommendations, we reviewed OCIE inspection 
guidance related to the review of NASD district offices and SRO 
internal audit reports, guidance for bank examiners from the Board of 
Governors of the Federal Reserve System and the Office of the 
Comptroller of the Currency, inspection guidelines developed by the 
inspectors general, and our prior work. In addition, we reviewed SEC 
guidance for conducting reviews of SRO information technology (IT) 
related to market trading operations and regulatory fee remittance, and 
NASD and NYSE internal and external audits of IT security. Furthermore, 
we reviewed internal control standards for the federal government and 
conducted interviews with officials from OCIE and SEC's Division of 
Enforcement (Enforcement) on their respective procedures for ensuring 
that SROs implement inspection recommendations and remedial actions 
required as part of enforcement actions. We also conducted interviews 
with staff from OCIE, SEC's Division of Market Regulation and Office of 
Information Technology, NASD, and NYSE. 

To describe the SRO referral process and recent trends in referral 
numbers and related SEC investigations, and evaluate SEC's information 
system for advisories and referrals, we observed a demonstration from 
Enforcement staff on the capabilities of their IT systems, analyzed 
data from SEC's SRO Referral Receipt System (SRO system) and Case 
Activity Tracking System (CATS), and interviewed Enforcement, NASD, and 
NYSE staff to determine how SEC manages the processes for receiving SRO 
referrals and conducting subsequent investigations. In particular, to 
understand trends in SRO advisories, referrals, and subsequent SEC 
investigations, we requested and analyzed data from SEC's referral and 
case tracking systems from fiscal years 2003 through 2006. We analyzed 
the data to provide descriptive information on the number of SEC's 
advisories, referrals, matters under inquiry (MUI), investigations, 
actions, and case outcomes during the period. We also analyzed these 
data by manually merging records from the SRO system and CATS to obtain 
descriptive data on the amount of time it takes SROs to identify 
unusual market activity and convey that information to SEC, as well as 
how long it takes SEC to respond by opening MUIs and investigations and 
achieving case outcomes. We inquired about checks SEC performs on the 
data and deemed the data reliable for the purposes of addressing our 
objectives. When calculating the average duration of stages to process 
SRO referrals, we distinguished between case stages that featured both 
open and close dates and those that were open or active as of the date 
we received data from SEC, and we reported duration information 
accordingly. In addition, to calculate case stage durations, we 
consulted with SEC and SRO staff to distinguish between initial and 
updated referrals and performed duration calculations using initial 
referrals only to avoid double counting that could skew the average 
duration results. 

We performed our work in Washington, D.C.; New York, New York; and 
Rockville, Maryland, between September 2006 and September 2007 in 
accordance with generally accepted government auditing standards. 

[End of section] 

Appendix II: SEC Oversight of SRO Enforcement Programs Related to 
Insider Trading: 

SRO surveillance, investigative, and disciplinary programs are designed 
to enforce SRO rules and federal securities laws related to insider 
trading--the buying or selling of a security by someone who has access 
to material, nonpublic information about the security--and are subject 
to SEC oversight through periodic inspections by OCIE. In January 2007, 
OCIE completed a sweep inspection (a probe of specific activities 
across all or a sample of SROs) of SRO enforcement programs related to 
insider trading. As a result of OCIE's inspection, the options SROs 
submitted a plan to SEC to create a more uniform and coordinated method 
for surveillance and investigation of insider trading in the options 
markets, and the equities SROs indicated their intent to submit a 
similar plan. From fiscal years 2003 through 2006, SEC significantly 
increased the number of investigations that related to insider trading. 

SROs Coordinate with SEC and Use Surveillance, Investigative, and 
Disciplinary Programs to Enforce Insider Trading Rules and Laws: 

SROs employ enforcement programs to enforce SRO rules and federal 
securities laws related to insider trading. Insider trading is illegal 
because any trading that is based on this information is unfair to 
investors who do not have access to the information. When persons buy 
or sell securities on the basis of information not generally available 
to the public, investor confidence in market fairness can be eroded. 
Information that could be exploited for personal gain by insiders 
includes such things as advance knowledge of mergers or acquisitions, 
development of a new drug or product, or earnings announcements. While 
company insiders (e.g., directors and senior executives) may be the 
most likely individuals to possess material, nonpublic information, 
others outside of the company also may gain access to the information 
and use it for their personal gain. For example, employees at a copy 
store who discovered material, nonpublic information while making 
presentation booklets for a firm could commit insider trading if they 
traded on that information prior to it being made public. 

To detect insider trading, SROs have established electronic 
surveillance systems that monitor their markets for aberrational 
movements in a stock's price or volume of shares traded, among other 
things, and generate alerts if a stock's price or volume of shares 
traded moves outside of set parameters. These systems link trade 
activity data to news and research about corporate transactions (such 
as mergers, acquisitions, or earnings announcements); public databases 
of listed company officers and directors; and other internal and 
external sources of information to detect possible insider trading. For 
example, the NASD Securities Observation News Analysis and Regulation 
system combines trade activity on NASDAQ, the American Stock Exchange, 
and the over-the-counter markets with news stories and other external 
sources of information to detect potential instances of insider trading 
and other potential violations of federal securities laws or NASD 
rules.[Footnote 32] 

SRO staff review the thousands of alerts generated by the electronic 
surveillance systems annually to identify those that are most likely to 
involve insider trading or fraud and warrant further investigation. In 
conducting reviews of these alerts, SRO staff consider such factors as 
the materiality of news, the existence of any previous news 
announcements, and the profit potential. If, in reviewing the trading 
associated with the alert, SRO staff determine there is a strong 
likelihood of insider trading, they can expand this review to a full 
investigation. In the course of a full investigation, SROs gather 
information from their member broker-dealers and the issuer of the 
traded stock to determine whether there is any relationship between 
those individuals who traded the stock and those individuals who had 
advance knowledge of the transaction or event. For example, SRO staff 
will typically request from their member broker-dealers the names of 
individuals and organizations that traded in advance of a corporate 
transaction or event, a process known as bluesheeting.[Footnote 33] 
These data are then cross-referenced with information the SRO staff 
obtain from the issuer of the stock, including a chronology of the 
events leading up to the corporate transaction or event and the names 
of individuals who had knowledge of inside information. 

SROs have created technology-based tools to assist in the 
identification of potential repeat offenders. For example, SROs can 
compare their blue sheets to a database called the Unusual Activity 
File (UAF), which includes data on suspicious trading activity 
identified by all SROs that are part of the Intermarket Surveillance 
Group, to help identify persons or entities that have been flagged in 
prior referrals or cases related to insider trading, fraud, or market 
manipulation.[Footnote 34] Some SROs have also developed other 
databases for their internal use. For example, NASD developed a 
database similar to the UAF for suspicious trading activity it has 
identified. NYSE also has developed a database of individuals who are 
affiliated with entities that it considers at high risk for insider 
trading. 

When SROs find evidence of insider trading involving their members, 
they can conduct disciplinary hearings and impose penalties ranging 
from disciplinary letters to fines to expulsion from trading and SRO 
membership. Because SROs do not have jurisdiction over entities and 
individuals that are not part of their membership, they refer 
suspicious trading on the part of nonmembers directly to Enforcement. 
Although Enforcement staff do not have direct access to SRO 
surveillance data or recidivist databases like the UAF, several staff 
told us they are able to obtain any needed information from the SRO 
analysts who made the referrals. 

Data we reviewed from NASD and NYSE between fiscal years 2003 and 2006 
showed that the SROs referred significantly more nonmembers to SEC for 
suspected insider trading than they referred members internally to 
their own Enforcement staff. According to SRO staff, this may be 
because the majority of the entities and individuals who trade on the 
basis of material, nonpublic information do so as a result of 
connections to the issuers of the stocks traded, rather than the 
investment advisor role that would involve member firms and their 
employees. Another possible explanation, according to SRO staff, is 
that the individual registered persons (SRO members) typically conceal 
their misconduct by trading in nominee accounts or secretly sharing in 
the profits generated by nonregistered persons involved in the scheme. 
As a result, they said that concealed member misconduct is often 
exposed through evidence developed by SEC using its broader 
jurisdictional tools after the SRO has referred a nonmember to SEC. For 
example, they said that SEC can expose the concealed member misconduct 
by fully investigating the nonregistered person's activities through 
documents such as telephone and bank records obtained by subpoena. SEC 
also has the ability to issue subpoenas to nonmembers to appear for 
investigative testimony. 

SEC's Inspection Program to Oversee SRO Enforcement Efforts Has 
Identified Opportunities for SROs to Improve Surveillance of Insider 
Trading: 

OCIE assesses the effectiveness of SRO regulatory programs, including 
enforcement programs, through periodic inspections. OCIE officials said 
that when evaluating SRO enforcement programs related to insider 
trading, their objective is to assess whether the parameters of the 
surveillance systems are appropriately set to detect abnormal movements 
in a stock's price or volume and generate an alert, the extent to which 
SRO policies and procedures direct the SRO staff to conduct thorough 
reviews of alerts and resulting investigations, and the extent to which 
SRO analysts comply with these policies and procedures and apply them 
consistently. OCIE staff said that when reviewing case files, one of 
their priorities is to assess the evidence upon which the SRO analyst 
relied when deciding to terminate the review of an alert or 
investigation. For example, they said that they will assess whether the 
analyst selected an appropriate period to review trading records 
(because suspicious trades may have occurred several days or weeks 
prior to the material news announcement), whether the analyst reviewed 
the UAF and internal databases for evidence of recidivism, and whether 
the analyst appropriately reviewed any other stocks or entities related 
to the trading alert. 

OCIE officials said that in light of the recent increase in merger and 
acquisition activity and the increased potential for insider trading, 
SROs are making greater efforts to detect attempts of individuals or 
firms to benefit on both sides of a merger or acquisition.[Footnote 35] 
For example, they said that where previously it was common for one SRO 
analyst to investigate any alerts generated from the movement of the 
target firm and for a different analyst to investigate any alerts 
generated from the movement of the acquiring firm--making it difficult 
to identify an account or individual that may have traded on both sides 
of the acquisition--SRO policies now generally require one analyst to 
review and investigate both stocks involved in a merger or acquisition. 
Generally speaking, mergers and acquisitions present opportunities for 
insider trading because the acquiring company generally must pay more 
per share than the current price, causing the target firm's stock price 
to increase. In this case, an individual with knowledge of an upcoming 
acquisition could purchase the target's stock prior to the announcement 
and then sell the stock for a gain after the announcement at the higher 
price. An individual also could sell any holdings or sell short the 
stock of the acquiring firm if the individual believed that the 
acquiring firm's stock price would decrease after the 
announcement.[Footnote 36] Finally, an individual could attempt to buy 
the target firm and sell (or short sell) the acquiring firm in an 
attempt to benefit on both sides of an acquisition. 

In January 2007, OCIE completed sweep inspections of surveillance and 
investigatory programs related to insider trading at 10 SROs. As a 
result of its inspections, OCIE identified opportunities for improved 
coordination and standardization among SROs in monitoring and 
investigating possible insider trading. OCIE found that because each 
SRO at the time maintained its own surveillance systems, the variances 
in the system parameters could result in the possibility that stock or 
option movements might generate an alert at one SRO but not another. 
Furthermore, OCIE found that because each SRO was responsible for 
monitoring every stock that traded on its market, the SROs were 
duplicating the initial screening of alerts. 

As a result of OCIE's then ongoing inspection, the options SROs 
submitted a plan to SEC to create a more uniform and coordinated method 
for the regulation, surveillance, investigation, and detection of 
insider trading in the options markets. SEC approved the plan, called 
Options Regulatory Surveillance Authority (ORSA), in June 
2006.[Footnote 37] The plan allows the options SROs to delegate part or 
all of the responsibility of conducting insider trading surveillance 
and investigations for all options trades to one or more SROs, with 
individual SROs remaining responsible for the regulation of their 
respective markets and retaining responsibility to bring disciplinary 
proceedings as appropriate. ORSA has currently delegated this 
surveillance and investigative responsibility to the Chicago Board 
Options Exchange. The ORSA plan also provides for the establishment of 
a policy committee that is responsible for overseeing the operation of 
the plan and for making all relevant policy decisions, including 
reviewing and approving surveillance standards and other parameters to 
be used by the SRO performing the surveillance and investigative 
functions under the plan. The committee also will establish guidelines 
for generating, reviewing, and closing insider trading alerts; specific 
and detailed instructions on how analysts should review alerts; and 
instructions on closing procedures, including proper documentation and 
rationale for closing an alert. OCIE officials stated that they have 
met regularly with the options SROs to monitor the implementation of 
the plan and the development of related policies and procedures. 
According to the Commission, the ORSA plan should allow the options 
exchanges to more efficiently implement surveillance programs for the 
detection of insider trading, while eliminating redundant effort. As a 
result, OCIE officials believe the plan will promote more effective 
regulation and surveillance. 

According to OCIE officials, the equities SROs are currently drafting a 
similar plan for coordinating insider trading surveillance in equities 
markets. However, instead of designating one SRO to conduct all insider 
trading-related surveillance, OCIE officials said that the current 
draft proposal would require each listing market, or its designee, to 
conduct insider trading surveillance for its listed issues, regardless 
of where trading in the security occurred. This includes reviewing 
alerts, pursuing investigations, and resolving cases through referrals 
(to SEC) or disciplinary action. OCIE officials said that the equities 
SROs anticipate voting on a proposed plan at the October 2007 
Intermarket Surveillance Group meeting and submitting the plan to SEC by 
the end of 2007. 

[End of section] 

Appendix III: SEC Civil Enforcement Actions against SROs, January 
1995-September 2007: 

Pursuant to sections 19 and 21 of the Securities Exchange Act of 1934, 
SEC may bring enforcement actions against an SRO either in federal 
court or through an administrative proceeding if it has found that an 
SRO has violated or is unable to comply with the provisions of the act 
and related rules and regulations, or if it has failed to enforce 
member compliance with SRO rules without reasonable justification or 
excuse. The act authorizes SEC to seek a variety of sanctions in an 
administrative proceeding, including the revocation of SRO 
registration, issuance of a cease-and-desist order, or censure. An SRO may 
also agree to undertake other remedial actions in a settlement 
agreement with SEC. In addition to the remedies available in an 
administrative enforcement action, a district court in a civil 
enforcement action may impose civil monetary penalties and has 
discretion to fashion such other equitable remedy it deems appropriate 
under the circumstances. 

Tables 2 through 11 summarize the 10 civil enforcement actions SEC 
brought against SROs from January 1995 through September 2007. For this 
report, we have included only those findings and terms of settlement 
related to SRO surveillance, investigative, or disciplinary programs 
(enforcement programs). As such, these summaries do not necessarily 
identify all findings and terms of the settlement agreements. 

Table 2: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of August 8, 1996: 

Type of action; 
Order Instituting Public Administrative Proceedings Pursuant to Section 
19(h)(1) of the Securities Exchange Act of 1934, Making Findings and 
Imposing Remedial Sanctions. 

Administrative Proceeding File No. 3-9056. 

Respondent; 
National Association of Securities Dealers (NASD). 

Action date; 
August 8, 1996. 

Key findings; 
SEC made the following findings: 

* NASD failed to conduct an appropriate inquiry into an anticompetitive 
pricing convention among NASDAQ market makers; 
* NASDAQ market makers followed and enforced a pricing convention used 
to determine the increments in which they would adjust their displayed 
quotes; 
* market makers shared proprietary information about customer orders, 
collaborated and coordinated their activities, failed to honor 
quotations, and failed to timely report trades; and; 
* market-making firms held excessive amounts of influence in NASD 
oversight, its committees, and the disciplinary process. 

Outcomes; 
Without admitting or denying SEC's findings, NASD agreed to take the 
following actions: 

* take significant steps to restructure its governance and regulatory 
structure, including ensuring a substantial independent review staff 
reporting directly to NASDAQ's Board of Governors; 
* increase staff positions for Enforcement, Examination, and Market 
Regulation; 
* institute the participation of professional hearing officers to 
preside over disciplinary proceedings; 
* institute measures to enhance the enforcement of the trade reporting, 
firm quote, customer limit order handling, and other market-making 
rules; 
* develop an enhanced audit trail system; and; 
* enhance its systems for trading and market surveillance. 

Source: SEC. 

[End of table] 

Table 3: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of June 29, 1999: 

Type of action; 
Order Instituting Public Administrative Proceedings Pursuant to Section 
19(h)(1) of the Securities Exchange Act of 1934, Making Findings and 
Ordering Compliance with Undertakings. 

Administrative Proceeding File No. 3-9925. 

Respondent; 
New York Stock Exchange, Inc. (NYSE). 

Action date; 
June 29, 1999. 

Key findings; 
SEC made the following findings: 

NYSE; 
* failed to enforce compliance with Section 11(a) of the Exchange Act; 
Rule 11a-1; and NYSE Rules 90, 95, and 111, which are aimed at 
preventing independent floor brokers (IFB) from exploiting their 
position for personal gain; 
* failed to take appropriate action to police the manners in which IFBs 
were compensated; 
* failed to establish surveillance procedures designed to evaluate how 
commissions were computed; and; 
* suspended its routine IFB surveillance for extensive periods. 

Outcomes; 
Without admitting or denying SEC's findings, prior to settlement with 
SEC, NYSE took certain steps that included: 
* providing new or additional guidance regarding IFB compensation 
arrangements; 
* designing and implementing a program to require the examination of 
all IFBs within 2-year cycles; 
* amending NYSE rules to require certain members to make and keep 
written records of compensation arrangements; 
* adopting new rules requiring all members to disclose their own 
account or accounts over which they exercise any discretion; 
* maintaining error accounts to facilitate NYSE monitoring for trading 
abuses; and; 
* beginning to develop a floor audit trail for the electronic capture 
of certain order information. 

NYSE also agreed to further take the following actions: 
* enhance and improve its regulation of IFBs, member firm floor 
brokers, specialists, registered competitive market makers, and 
competitive traders; 
* file an affidavit with the Commission setting forth the details of 
NYSE's compliance with the undertakings described; 
* retain an independent consultant for review of NYSE's rules, 
practices, and procedures applicable to floor members and recommend 
changes to these rules as necessary; and; 
* maintain a substantial independent internal review staff with 
adequate resources to regularly review all aspects of NYSE. 

Source: SEC. 

[End of table] 

Table 4: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of September 11, 2000: 

Type of action; 
Order Instituting Public Administrative Proceedings Pursuant to Section 
19(h)(1) of the Securities Exchange Act of 1934, Making Findings and 
Imposing Remedial Sanctions. 

Administrative Proceeding File No. 3-10282. 

Respondents; 
American Stock Exchange (AMEX), Chicago Board Options Exchange (CBOE), 
Pacific Exchange (PCX), and Philadelphia Stock Exchange (PHLX). 

Action date; 
September 11, 2000. 

Key findings; 
SEC made the following findings: 

* The options exchanges significantly impaired the operations of the 
options market by following a course of conduct under which they 
refrained from joint listing a large number of options; 
* The exchanges inadequately surveilled their markets for potential 
rules violations, failed to conduct thorough investigations, and failed 
to adequately enforce rules applicable to members on their floors; 
* The exchanges failed to enforce compliance with rules that promote 
competition, enhance investor protections, and prohibit anticompetitive 
conduct; 
* The exchanges generally lacked automated surveillance systems, and 
relied too heavily on complaints; 
* In many cases, the exchanges did not take appropriate enforcement 
actions when violations were uncovered; 
* In cases where enforcement actions were taken, the exchanges did not 
impose sanctions adequate to provide reasonable deterrence against 
future violations. 

Outcomes; 
Without admitting or denying SEC's findings, the SROs agreed to take 
the following actions: 

* eliminate advance notice to any other market of the intention to list 
an existing option or new option;  
* eliminate any provisions to the Joint Plan that would prevent a 
market from commencing to list or trade any option listed on another 
market or an option that another market has expressed an intent to 
list; 
* enhance and improve its surveillance, investigative, and enforcement 
processes and activities with a view toward preventing and eliminating 
harassment, intimidation, refusals to deal, and retaliation against 
market participants acting competitively; 
* acting jointly, design and implement a consolidated options audit 
trail system; and; 
* enhance and improve its surveillance, investigative, and enforcement 
processes and activities for options order handling rules, limit order 
displays, priority rules, trade reporting, and firm quote rules. 

Source: SEC. 

[End of table] 

Table 5: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of September 30, 2003: 

Type of action; 
Order Instituting Public Administrative Proceedings Pursuant to 
Sections 19(h) and 21C of the Securities Exchange Act of 1934, Making 
Findings, and Imposing a Censure, a Cease-and-Desist Order and Other 
Relief. 

Administrative Proceeding File No. 3-11282. 

Respondent; 
Chicago Stock Exchange (CHX). 

Action date; 
September 30, 2003. 

Key findings; 
SEC made the following findings: 

CHX; 
* failed to implement surveillance systems and procedures to detect and 
prevent violations of its firm quote, trading ahead, and limit order 
display rules; 
* relied on an ineffective manual review process; 
* did not provide staff with adequate and consistent standards and 
guidelines to assist them; 
* failed to take adequate disciplinary action against members when 
violations were detected; and; 
* failed to take adequate disciplinary action against recidivists or 
violators of multiple rules. 

Outcomes; 
Without admitting or denying SEC's findings, CHX agreed to take the 
following actions: 

* increase its staffing for enforcement programs and implement new 
protocols and guidelines regarding surveillance; 
* begin offering training sessions regarding compliance with trading 
rules; 
* enhance its exception reports and computer logic; 
* create a regulatory oversight committee; and; 
* hire an outside consultant to conduct a comprehensive review of CHX's 
trading floor surveillance and enforcement programs as well as report 
on its findings. 

Source: SEC. 

[End of table] 

Table 6: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of February 9, 2005: 

Type of action; 
Report of Investigation Pursuant to Section 21(a) of the Securities 
Exchange Act of 1934 Regarding the Nasdaq Stock Market, Inc., as 
Overseen by Its Parent, the National Association of Securities Dealers. 

Respondent; 
National Association of Securities Dealers (NASD). 

Report release date; 
February 9, 2005. 

Key findings; 
SEC made the following findings: 

* NASD and NASDAQ did not adequately address a large number of wash 
trades and matched orders in March 2002 by MarketXT, an ECN, NASD 
member, and registered broker-dealer, which were reported through 
NASDAQ; 
* NASDAQ failed to communicate to NASD Regulation the observations of 
NASDAQ staff members relating to the trading described above; 
* NASDAQ supervisors failed to take any steps to ensure that the 
suspicious trades were referred to NASD Regulation; 
* NASD Regulation's automated surveillance programs did not 
independently detect the suspicious conduct. 

Outcomes; 
Remedial steps taken by NASDAQ: 

* created a NASDAQ Regulation Group; 
* had the NASDAQ Office of General Counsel (OGC) formalize the 
procedure for responding to information that suggests a possible rule 
violation; 
* instituted mandatory companywide employee education on regulatory 
responsibilities; 
* amended its code of conduct to require that employees refer potential 
regulatory violations to OGC or other appropriate NASDAQ department; 
and; 
* refunded the consolidated tape for the fees it received associated 
with MarketXT trading. 

Remedial steps taken by NASD: 

* formed a committee of the NASD board to review a number of governance 
issues, and studied the standards for NASD review of NASDAQ board 
items; 
* retained a law firm to review the interactions between NASD and 
NASDAQ in the regulatory area; and; 
* NASD board appointed a special committee with the charge of reviewing 
the relationship between NASD and NASDAQ, and NASD's oversight of that 
relationship. 

Source: SEC. 

[End of table] 

Table 7: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of April 12, 2005: 

Type of action; 
Order Instituting Public Administrative Proceedings Pursuant to 
Sections 19(h)(1) and 21C of the Securities Exchange Act of 1934, 
Making Findings, Ordering Compliance with Undertakings, and Imposing a 
Censure and a Cease-and-Desist Order. 

Administrative Proceeding File No. 3-11892. 

Respondent; 
New York Stock Exchange, Inc. (NYSE). 

Action date; 
April 12, 2005. 

Key findings; 
SEC made the following findings: 

NYSE; 
* failed to properly detect, investigate, and discipline widespread 
unlawful proprietary trading by specialists on the floor of the 
exchange; 
* surveillance systems failed to detect the vast majority of improper 
trades due to NYSE's reliance on automated systems whose parameters and 
procedures were unnecessarily and unreasonably broad; 
* Office of Market Surveillance policies improperly limited the cases 
selected for further examination; 
* inadequate referral procedures and investigation policies further 
limited the cases examined; and; 
* additional and repeat violations were often treated with additional 
informal actions, rather than being escalated to formal disciplinary 
actions. 

Outcomes; 
Without admitting or denying SEC's findings, NYSE agreed to take the 
following actions: 

* commit to biannual, third-party audits of its regulatory function, of 
which SEC receives a copy, and; 

* establish a pilot program for sufficient audio and video equipment to 
capture floor trading activity occurring at a specialist's post. 

Source: SEC. 

[End of table] 

Table 8: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of May 19, 2005: 

Type of action; 
Order Instituting Administrative and Cease-and-Desist Proceedings 
Pursuant to Sections 19(h) and 21C of the Securities Exchange Act of 
1934, Making Findings, and Imposing Sanctions. 

Administrative Proceeding File No. 3-11931. 

Respondents; 
National Stock Exchange (NSX) and the CEO of NSX. 

Action date; 
May 19, 2005. 

Key findings; 
SEC made the following findings: 

NSX; 
* failed to enforce compliance by its dealer firms with the market 
order exposure rule and the customer priority (trading ahead) rule; 
* did not update its interpretation after decimalization and did not 
bring to SEC's attention its intention to enforce the rule according to 
its old interpretation; 
* did not conduct surveillance until 2004 for violations of its 
customer priority rule, which prohibited designated dealers from 
trading ahead of customer orders in their possession; 
* failed to develop and implement an automated surveillance report to 
detect trading ahead; 
* when trading-ahead violations were identified, failed to perform a 
follow-up review of that member's trading to determine whether 
additional violations had occurred; and; 
* failed to preserve e-mails made or received in the course of its 
business or self-regulatory activity for a minimum of 5 years. 

Outcomes; 
Without admitting or denying SEC's findings, NSX agreed to take the 
following actions: 

* create a regulatory oversight committee (ROC); 
* adopt structural protections to ensure the NSX's regulatory functions 
shall be independent from the commercial interests of NSX and its 
members; 
* adopt internal procedures that provide for the ROC and NSX Board to 
approve the issuance of regulatory circulars; 
* create and maintain complete and detailed minutes of all NSX board 
meetings; 
* implement and maintain automated daily surveillance for potential 
violations of the NSX and Exchange Act rules; 
* require NSX designated dealers to implement system enhancements; 
* design and implement a mandatory training program for NSX's 
regulatory department that addresses compliance with the federal 
securities laws and NSX rules; and; 
* hire an independent consultant to conduct a comprehensive review of 
NSX's policies and procedures for rulemaking, surveillance, and 
examination programs. 

Source: SEC. 

[End of table] 

Table 9: Summary of Findings, Enforcement Actions, and Outcomes Brought 
under the SEC Administrative Proceeding of June 1, 2006: 

Type of action; 
Order Instituting Administrative and Cease-and-Desist Proceedings, 
Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist 
Order Pursuant to Sections 19(h) and 21C of the Securities Exchange Act 
of 1934. 

Administrative Proceeding File No. 3-12315. 

Respondent; 
Philadelphia Stock Exchange (PHLX). 

Action date; 
June 1, 2006. 

Key findings; 
SEC made the following findings: 

PHLX; 
* did not adequately surveil for violations of rules relating to 
priority of options orders; 
* failed to properly surveil for firm quote rule violations; 
* did not implement any type of surveillance of its equities market to 
monitor its specialists for compliance with the firm quote rule; 
* generated exception reports using improper parameters, which excluded 
certain transactions that were potentially priority rule or firm quote 
violations; 
* generated an excessive number of alerts and false positives in 
exception reports for front-running violations, making the reports 
ineffective; and; 
* did not maintain adequate written surveillance procedures for PHLX 
investigators reviewing the surveillance reports. 

Outcomes; 
Without admitting or denying SEC's findings, PHLX agreed to take the 
following actions: 

* obtain outside counsel and consultants to conduct a complete review 
of its regulatory programs, augment the ranks of regulatory staff and 
management, and significantly increase its regulatory budget in an 
effort to enhance its regulatory program and; 
* implement a mandatory, annual training program for all floor members 
and members of PHLX regulatory staff responsible for surveillance, 
investigation, examination, and discipline of floor members that 
addresses compliance with the federal securities laws and PHLX rules. 

Source: SEC. 

[End of table] 

Table 10: Summary of Findings, Enforcement Actions, and Outcomes 
Brought under the SEC Administrative Proceeding of March 22, 2007: 

Type of action; 
Order Instituting Administrative and Cease-and-Desist Proceedings, 
Making Findings, and Imposing Remedial Sanctions, a Censure, and a 
Cease-and-Desist Order Pursuant to Sections 19(h)(1) and 21C of the 
Securities Exchange Act of 1934. 

Administrative Proceeding File No. 3-12594. 

Respondent; 
American Stock Exchange (AMEX). 

Action date; 
March 22, 2007. 

Key findings; 
SEC made the following findings: 

* From 1999 through June 2004, AMEX had critical deficiencies in its 
surveillance, investigative, and enforcement programs for ensuring 
compliance with its rules as well as federal securities laws; 
* AMEX's continual regulatory deficiencies during this period resulted 
in large part from its failure to pay adequate attention to regulation, 
put in place an oversight structure, or dedicate sufficient resources 
to ensure that the exchange was meeting its regulatory obligations; 
* AMEX failed to surveil for, or take appropriate action relating to, 
evidence of violations of firm quote, customer priority, limit order 
display, and trade reporting rules; 
* Under a 2000 enforcement action, the Commission ordered AMEX to 
enhance and improve its regulatory programs for surveillance, 
investigation, and enforcement of the options order handling rules. 
AMEX also was required to provide Commission staff with annual 
affirmations detailing its progress in complying with the 2000 order. 
AMEX failed to comply with these obligations; 
* AMEX employed incorrect or deficient parameters in some of its 
surveillance systems. 

Outcomes; 
Without admitting or denying SEC's findings, AMEX agreed to take the 
following actions: 

* file with the Commission a proposed rule change to identify and 
implement enhancements to its trading systems for equities and options 
reasonably designed to prevent specialists from violating AMEX's 
priority rules; 
* enhance its training program and implement mandatory annual training 
for all floor members; 
* commencing in 2007, and for each of the successive 2-year periods (6 
years), retain a third-party auditor to conduct a comprehensive audit 
of AMEX's surveillance, examination, investigative, and disciplinary 
programs relating to trading applicable to all floor members; and; 
* submit an auditor's report to its board of governors and the 
directors of OCIE and Market Regulation, and include the audit report 
in its annual report. 

SEC ordered that AMEX shall; 
* develop a plan of corrective action, including dates for 
implementation, which they are to keep and provide to the Commission 
upon request. 

Source: SEC. 

[End of table] 

Table 11: Summary of Findings, Enforcement Actions, and Outcomes 
Brought under the SEC Administrative Proceeding of September 5, 2007: 

Type of action; 
Order Instituting Administrative and Cease-and-Desist Proceedings, 
Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist 
Order Pursuant to Sections 19(h) and 21C of the Securities Exchange Act 
of 1934. 

Administrative Proceeding File No. 3-12744. 

Respondent; 
Boston Stock Exchange, Inc. (BSE) and the former President of BSE. 

Action date; 
September 5, 2007. 

Key findings; 
SEC made the following findings: 

* BSE failed, between 1999 and 2004, to enforce certain of its rules 
intended to prevent BSE broker-dealer specialist firms from trading in 
a way that benefited them, while disadvantaging their customers who 
were trying to buy and sell stock; 
* BSE failed to develop and implement adequate procedures for 
surveillance of violations of its customer priority rules; 
* BSE's failure to implement programming changes and to otherwise 
conduct effective surveillance allowed hundreds, if not thousands, of 
violations per day to go undetected; 
* Violations continued even after the Commission staff had repeatedly 
warned BSE of the need to improve surveillance systems; 
* BSE internal documents demonstrated awareness of BSE's surveillance 
system's flaws at all levels of the organization, and these flaws 
resulted in the system yielding too many exceptions to be useful in 
detecting priority rule violations. 

Outcomes; 
Without admitting or denying SEC's findings, prior to settlement with 
SEC, BSE took certain steps that included; 
* replacement of senior management responsible for regulatory 
compliance during the period in which the violations discussed herein 
occurred. 

BSE also agreed to take the following actions: 

* Within 90 days after the issuance of the Order, enhance its existing 
training programs for all members of the regulatory staff responsible 
for surveillance, investigation, examination, and discipline; 
* Retain a third-party auditor, not unacceptable to the Commission, to 
conduct a comprehensive audit of BSE's surveillance, examination, 
investigation, and disciplinary programs; 
* The auditor must submit an audit opinion to BSE's Board of Governors, 
and the following Commission officials: Director of OCIE, Director of 
Division of Market Regulation, and Director of the Boston Regional 
Office; 
* BSE must implement the auditor's recommendations. BSE may disagree 
with the recommendations and may attempt to reach an agreement with the 
auditor. If such agreement cannot be reached, the auditor's 
recommendations will be binding. 

Source: SEC. 

[End of table] 

[End of section] 

Appendix IV: Analyses of SEC-Provided Data on Various Case Stages: 

Tables 12 to 22 include analyses of data from fiscal years 2003 to 2006 
provided by SEC from its SRO system and CATS. This appendix provides 
specific analyses on the number and types of advisories; referrals; 
matters under inquiry (MUI); investigations; case actions; and case 
outcomes, by fiscal year and SRO. It also describes reasons that SEC 
closed MUIs and provides data on average and median investigation 
durations, by type of investigation. 

Table 12: Number and Type of Advisories, Fiscal Years 2003-2006: 

Fiscal year: 2003; 
Number of insider trading advisories: 5; 
Number of market manipulation advisories: 0; 
Number of all other types of advisories: 0; 
Total advisories: 5. 

Fiscal year: 2004; 
Number of insider trading advisories: 48; 
Number of market manipulation advisories: 1; 
Number of all other types of advisories: 1; 
Total advisories: 50. 

Fiscal year: 2005; 
Number of insider trading advisories: 135; 
Number of market manipulation advisories: 3; 
Number of all other types of advisories: 7; 
Total advisories: 145. 

Fiscal year: 2006; 
Number of insider trading advisories: 166; 
Number of market manipulation advisories: 7; 
Number of all other types of advisories: 17; 
Total advisories: 190. 

Total; 
Number of insider trading advisories: 354; 
Number of market manipulation advisories: 11; 
Number of all other types of advisories: 25; 
Total advisories: 390. 

Source: GAO. 

[End of table] 

Table 13: Number of Advisories, by Fiscal Year and SRO, Fiscal Years 
2003-2006: 

Fiscal year: 2003; 
Number of advisories from NASD[A]: 0; 
Number of advisories from NYSE: 0; 
Number of advisories from all other SROs: 5; 
Total advisories: 5. 

Fiscal year: 2004; 
Number of advisories from NASD[A]: 0; 
Number of advisories from NYSE: 1; 
Number of advisories from all other SROs: 49; 
Total advisories: 50. 

Fiscal year: 2005; 
Number of advisories from NASD[A]: 0; 
Number of advisories from NYSE: 16; 
Number of advisories from all other SROs: 129; 
Total advisories: 145. 

Fiscal year: 2006; 
Number of advisories from NASD[A]: 5; 
Number of advisories from NYSE: 18; 
Number of advisories from all other SROs: 167; 
Total advisories: 190. 

Total; 
Number of advisories from NASD[A]: 5; 
Number of advisories from NYSE: 35; 
Number of advisories from all other SROs: 350; 
Total advisories: 390. 

Source: GAO. 

[A] NASD officials noted that they develop information on unusual 
market activity as well as they possibly can and typically submit 
referrals, rather than advisories. 

[End of table]

Table 14: Number and Type of Referrals, Fiscal Years 2003-2006: 

Fiscal year: 2003; 
Number of insider trading referrals: 283; 
Number of market manipulation referrals: 53; 
Number of all other types of referrals: 102; 
Total referrals: 438. 

Fiscal year: 2004; 
Number of insider trading referrals: 321; 
Number of market manipulation referrals: 10; 
Number of all other types of referrals: 9; 
Total referrals: 340. 

Fiscal year: 2005; 
Number of insider trading referrals: 306; 
Number of market manipulation referrals: 24; 
Number of all other types of referrals: 18; 
Total referrals: 348. 

Fiscal year: 2006; 
Number of insider trading referrals: 386; 
Number of market manipulation referrals: 41; 
Number of all other types of referrals: 87; 
Total referrals: 514. 

Total; 
Number of insider trading referrals: 1,296[A]; 
Number of market manipulation referrals: 128; 
Number of all other types of referrals: 216; 
Total referrals: 1,640. 

Source: GAO. 

[A] Our analysis shows that from fiscal years 2003 to 2006, almost 80 
percent of SRO referrals involved potential insider trading activity, 
and that almost 60 percent of investigations opened by SEC involved 
potential insider trading. An SEC branch chief noted that the 
differences in percentages reflect the difficulty of proving insider 
trading cases. 

[End of table] 

Table 15: Number of Referrals, by SRO and Fiscal Year, Fiscal Years 
2003-2006: 

Fiscal year: 2003; 
Number of referrals from NASD: 247; 
Number of referrals from NYSE: 70; 
Number of referrals from all other SROs: 121; 
Total referrals: 438. 

Fiscal year: 2004; 
Number of referrals from NASD: 177; 
Number of referrals from NYSE: 39; 
Number of referrals from all other SROs: 124; 
Total referrals: 340. 

Fiscal year: 2005; 
Number of referrals from NASD: 130; 
Number of referrals from NYSE: 89; 
Number of referrals from all other SROs: 129; 
Total referrals: 348. 

Fiscal year: 2006; 
Number of referrals from NASD: 201; 
Number of referrals from NYSE: 142; 
Number of referrals from all other SROs: 171; 
Total referrals: 514. 

Total; 
Number of referrals from NASD: 755; 
Number of referrals from NYSE: 340; 
Number of referrals from all other SROs: 545; 
Total referrals: 1,640. 

Source: GAO. 

[End of table] 

Table 16: Number and Type of Matters Under Inquiry, Fiscal Years 
2003-2006: 

Fiscal year: 2003; 
Number of insider trading MUIs: 86; 
Number of market manipulation MUIs: 40; 
Number of all other types of MUIs: 26; 
Total MUIs: 152. 

Fiscal year: 2004; 
Number of insider trading MUIs: 147; 
Number of market manipulation MUIs: 44; 
Number of all other types of MUIs: 29; 
Total MUIs: 220. 

Fiscal year: 2005; 
Number of insider trading MUIs: 154; 
Number of market manipulation MUIs: 74; 
Number of all other types of MUIs: 37; 
Total MUIs: 265. 

Fiscal year: 2006; 
Number of insider trading MUIs: 172; 
Number of market manipulation MUIs: 89; 
Number of all other types of MUIs: 61; 
Total MUIs: 322. 

Total; 
Number of insider trading MUIs: 559; 
Number of market manipulation MUIs: 247; 
Number of all other types of MUIs: 154; 
Total MUIs: 960. 

Source: GAO. 

[End of table] 

Table 17: Numbers of Matters Under Inquiry Closed and Associated 
Reasons for Closure, Fiscal Years 2003-2006: 

Reason for closure: Closed into investigation; 
Number of MUIs closed: 605; 
Percentage of total MUIs closed: 63.0%. 

Reason for closure: Evidence not appropriate for investigation; 
Number of MUIs closed: 253; 
Percentage of total MUIs closed: 26.4. 

Reason for closure: Closed due to resource limits; 
Number of MUIs closed: 38; 
Percentage of total MUIs closed: 4.0. 

Reason for closure: Case transferred to another SEC office; 
Number of MUIs closed: 29; 
Percentage of total MUIs closed: 3.0. 

Reason for closure: Merged with another case; 
Number of MUIs closed: 20; 
Percentage of total MUIs closed: 2.1. 

Reason for closure: Inappropriate for SRO action; 
Number of MUIs closed: 12; 
Percentage of total MUIs closed: 1.3. 

Reason for closure: Sent to state or local agency; 
Number of MUIs closed: 1; 
Percentage of total MUIs closed: 0.1. 

Reason for closure: Sent to SRO for further action; 
Number of MUIs closed: 1; 
Percentage of total MUIs closed: 0.1. 

Reason for closure: Sent to another federal agency; 
Number of MUIs closed: 1; 
Percentage of total MUIs closed: 0.1. 

Total; 
Number of MUIs closed: 960; 
Percentage of total MUIs closed: 100. 

Source: GAO. 

[End of table] 

Table 18: Number and Type of Investigations Resulting from SRO 
Referrals, Fiscal Years 2003-2006: 

Fiscal year: 2003; 
Number of insider trading investigations: 50; 
Number of market manipulation investigations: 17; 
Number of all other types of investigations: 15; 
Total investigations: 82. 

Fiscal year: 2004; 
Number of insider trading investigations: 89; 
Number of market manipulation investigations: 26; 
Number of all other types of investigations: 21; 
Total investigations: 136. 

Fiscal year: 2005; 
Number of insider trading investigations: 84; 
Number of market manipulation investigations: 38; 
Number of all other types of investigations: 26; 
Total investigations: 148. 

Fiscal year: 2006; 
Number of insider trading investigations: 111; 
Number of market manipulation investigations: 60; 
Number of all other types of investigations: 37; 
Total investigations: 208. 

Total; 
Number of insider trading investigations: 334; 
Number of market manipulation investigations: 141; 
Number of all other types of investigations: 99; 
Total investigations: 574. 

Source: GAO. 

[End of table] 

Table 19: Average and Median Investigation Duration, by Type of 
Investigation, Fiscal Years 2003-2006: 

Type of investigation: All investigations; 
Average duration, by days: 534. 

Type of investigation: Insider trading; 
Average duration, by days: 554. 

Type of investigation: Market manipulation; 
Average duration, by days: 543. 

Type of investigation: All investigations, except insider trading; 
Average duration, by days: 495. 

Source: GAO. 

[End of table] 

Table 20: Number, Type, and Duration of Investigations, Fiscal Years 
2003-2006: 

Fiscal year: 2003; 
Open investigations (as of 4/18/07): Number: 36; 
Open investigations (as of 4/18/07): Days of average duration: 1,426; 
Closed investigations: Number: 46; 
Closed investigations: Days of average duration: 741. 

Fiscal year: 2004; 
Open investigations (as of 4/18/07): Number: 68; 
Open investigations (as of 4/18/07): Days of average duration: 1,114; 
Closed investigations: Number: 68; 
Closed investigations: Days of average duration: 565. 

Fiscal year: 2005; 
Open investigations (as of 4/18/07): Number: 98; 
Open investigations (as of 4/18/07): Days of average duration: 744; 
Closed investigations: Number: 50; 
Closed investigations: Days of average duration: 434. 

Fiscal year: 2006; 
Open investigations (as of 4/18/07): Number: 183; 
Open investigations (as of 4/18/07): Days of average duration: 372; 
Closed investigations: Number: 25; 
Closed investigations: Days of average duration: 260. 

Total/Average; 
Open investigations (as of 4/18/07): Number: 385; 
Open investigations (as of 4/18/07): Days of average duration: 697; 
Closed investigations: Number: 189; 
Closed investigations: Days of average duration: 534. 

Source: GAO. 

[End of table] 

Table 21: Number and Type of Case Actions, Fiscal Years 2003-2006: 

Fiscal year: 2003; 
Number of insider trading actions: 2; 
Number of market manipulation actions: 0; 
Number of all other types of actions: 0; 
Total actions: 2. 

Fiscal year: 2004; 
Number of insider trading actions: 4; 
Number of market manipulation actions: 2; 
Number of all other types of actions: 2; 
Total actions: 8. 

Fiscal year: 2005; 
Number of insider trading actions: 15; 
Number of market manipulation actions: 5; 
Number of all other types of actions: 3; 
Total actions: 23. 

Fiscal year: 2006; 
Number of insider trading actions: 13; 
Number of market manipulation actions: 4; 
Number of all other types of actions: 12; 
Total actions: 29. 

Total; 
Number of insider trading actions: 34; 
Number of market manipulation actions: 11; 
Number of all other types of actions: 17; 
Total actions: 62. 

Source: GAO. 

[End of table] 

Table 22: Number and Type of Case Outcomes, Fiscal Years 2003-2006: 

Fiscal year: 2003; 
Number of insider trading outcomes: 3; 
Number of market manipulation outcomes: 0; 
Number of all other types of outcomes: 0; 
Total outcomes: 3. 

Fiscal year: 2004; 
Number of insider trading outcomes: 20; 
Number of market manipulation outcomes: 1; 
Number of all other types of outcomes: 2; 
Total outcomes: 23. 

Fiscal year: 2005; 
Number of insider trading outcomes: 33; 
Number of market manipulation outcomes: 4; 
Number of all other types of outcomes: 8; 
Total outcomes: 45. 

Fiscal year: 2006; 
Number of insider trading outcomes: 40; 
Number of market manipulation outcomes: 10; 
Number of all other types of outcomes: 32; 
Total outcomes: 82. 

Total; 
Number of insider trading outcomes: 96; 
Number of market manipulation outcomes: 15; 
Number of all other types of outcomes: 42; 
Total outcomes: 153. 

Source: GAO. 

[End of table] 

[End of section] 

Appendix V: Comments from the Securities and Exchange Commission: 

Christopher Cox: 
Chairman: 
Headquarters: 
100 F Street, NE: 
Washington, DC 20549: 
chairmanoffice@sec.gov: 
[hyperlink, http://www.sec.gov]: 

Regional Offices: 
Atlanta, Boston, Chicago, Denver, Fort Worth, Los Angeles, Miami, New 
York, Philadelphia, Salt Lake City, San Francisco: 
United States: 

Securities And Exchange Commission: 

November 2, 2007: 

Mr. Richard Hillman: 
Managing Director: 
Financial Markets and Community Investment: 
U.S. Government Accountability Office: 
441 G Street, N.W.: 
Washington, DC 20548: 

Dear Mr. Hillman: 

Thank you for the opportunity to review and comment on the draft GAO 
report on the SEC's oversight of self-regulatory organizations. The SEC 
staff is separately providing you with technical comments on the draft 
report. 

As you know, SROs play a critical role in monitoring and regulating 
activities in the securities industry. The SEC, in turn, operates a 
robust program for oversight of the SROs' operations. The GAO reviewed 
the structure and evaluated certain components of the SEC's inspection 
program for SROs, as well as the SEC's process for receiving, and 
following up on, referrals from the SROs of possible securities laws 
violations. 

SRO Inspections Program. SRO inspections conducted by the SEC's Office 
of Compliance Inspections and Examinations (OCIE) play a particularly 
critical part in the oversight of SROs. As noted in the report, to help 
ensure that SROs are fulfilling their regulatory responsibilities, OCIE 
conducts both routine and special inspections of SRO regulatory 
programs. The report notes that routine inspections assess SRO 
enforcement, arbitration, listings, and member examination programs at 
regular intervals. Special inspections are conducted as warranted and 
encompass follow-up work on prior recommendations or enforcement 
actions, investigations of tips or reports, and sweep inspections. The 
report summarizes these inspection processes and also makes several 
recommendations for possible enhancement to existing processes. 

Specifically, GAO recommends that inspection staff establish a written 
framework for conducting inspections of SRO enforcement programs and 
that, as part of that framework, inspection staff broaden the current 
examination guidance to direct that examiners consider the extent to 
which they will rely on the reports of reviews conducted by SROs' 
internal audit and other risk-management programs. GAO also recommends 
that the software program under development for tracking SRO 
inspections include the ability to track the status of the SROs' 
implementation of corrective actions.

As reflected in the report, OCIE believes that the considerable 
differences among SRO regulatory programs make it difficult to adopt a 
uniform manual for conducting inspections of SRO enforcement programs. 
To date, such inspections have been specifically tailored and 
risk-focused on the particular operations of the SRO inspected. For example, 
in determining the scope and nature of each inspection, examiners are 
directed to, among other things, review previous inspection reports of 
the SRO to be inspected (including the SRO's response to the report and 
all follow-up communications between the SRO and OCIE) and conduct 
appropriate pre-inspection research about the nature of the SRO's 
regulatory program. Nonetheless, we agree that a manual could help 
ensure quality standards and controls. Consistent with GAO's 
recommendation, OCIE will prepare written guidance for SRO inspectors 
regarding the inspection of SRO enforcement programs, including 
risk-scoping techniques, and a compiled summary of inspection practices. We 
believe that this guidance may be particularly useful in training new 
examiners. 

As noted in the report, OCIE also plans to assess the quality and 
reliability of the SROs' internal audit programs and to determine 
whether, and the extent to which, inspections can be risk-focused based 
on the SRO's own internal audit work. As GAO learned during the review, 
internal audit programs vary among the SROs, so the determination of 
whether the SEC can effectively rely on SRO internal audit work product 
must be based on careful analysis. 

Finally, as the report notes, OCIE is developing a tracking database 
for SRO inspections that will, among other things, track the 
implementation of SRO inspection recommendations and generate reports. 
This enhancement should create additional efficiencies when inspectors 
are planning and conducting future inspections of SROs and is 
consistent with your recommendation. 

Oversight of Security of SRO Databases. GAO also reviewed the process 
used by the Division of Market Regulation to conduct regular security 
reviews of the SROs' information technology systems, in accordance with 
SEC guidance. As noted in the report, these reviews are intended to 
oversee SRO systems that are essential to market operations. GAO's 
report states that NASD (now FINRA) and NYSE have conducted internal 
and external reviews that concluded that both have adequate controls in 
place to protect sensitive enforcement-related data. GAO recommends 
that the Division of Market Regulation make certain that 
enforcement-related databases continue to be periodically reviewed by SROs' 
internal audit programs and that these reviews be comprehensive and 
complete. The staff of the Division of Market Regulation will implement 
this recommendation. 

SRO Referrals and Advisories. GAO also reviewed the process by which 
SROs refer matters to the SEC's Division of Enforcement, recent trends 
in the number of referrals and related SEC enforcement investigations, 
and the information system maintained by the Division of Enforcement 
for these advisories and referrals. As noted in the report, the number 
of advisories and referrals from SROs has increased in recent years, 
and there has been a corresponding increase in the number of Commission 
enforcement investigations and enforcement actions based on SRO 
referrals. Most of these referrals involved potential insider trading 
that was detected through SROs' surveillance systems. 

As the report notes, the Division of Enforcement is currently 
implementing a new case tracking system. To enhance the ability of the 
Enforcement staff to manage the advisory/referral process and to 
efficiently access information from those referrals and advisories, the 
report recommends that the Enforcement staff consider system 
improvements that would allow the staff to electronically access and 
search all information in referrals and advisories submitted by SROs 
and generate reports. The report suggests linking the referral and 
advisory system to the case tracking system in order to provide 
Enforcement staff with electronic access to referral and advisory 
information, and the report recommends that the staff be able to 
generate reports. We agree that additional information technology 
changes such as these may help the Enforcement staff to effectively 
analyze trends, manage current caseloads, and focus areas of 
investigation. We will assess the feasibility of the recommended system 
improvements.

We appreciate GAO's attention to these issues and as detailed above 
will address the report's recommendations.

Sincerely, 

Signed by: 

Christopher Cox: 
Chairman: 

[End of section] 

Appendix VI: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Richard J. Hillman, (202) 512-8678, hillmanr@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, Karen Tremba (Assistant 
Director), Nina Horowitz, Stefanie Jonkman, Matthew Keeler, Marc 
Molino, Omyra Ramsingh, Barbara Roesmann, and Steve Ruszczyk made key 
contributions to this report. 

Footnotes: 

[1] The Securities Exchange Act of 1934 requires SROs to, among other 
things, be so organized and have the capacity to carry out the purposes 
of the act and to enforce compliance by its members and persons 
associated with its members with the rules and regulations of the act 
and the rules of the SRO. SEC approved the establishment of FINRA in 
July 2007. FINRA is the result of the consolidation of the former NASD 
(which regulated the over-the-counter market for exchange-listed and 
nonexchange-listed securities and provided regulatory services to 
markets such as the American Stock Exchange and the NASDAQ Stock 
Market) and the member regulation, enforcement, and arbitration 
operations of NYSE Regulation, Inc. (NYSE Regulation). However, NYSE 
Regulation, a subsidiary of NYSE, continues to be responsible for 
monitoring trading that occurs on NYSE and NYSE Arca, Inc., and 
conducting investigations of suspicious trades. Because this 
consolidation occurred after we finished our fieldwork, we refer to the 
former NASD, and not FINRA, throughout this report. 

[2] SEC generally refers to its reviews of SROs, investment companies, 
and investment advisers as "inspections" and its reviews of registered 
broker-dealers as "examinations." 

[3] On the basis of 2006 data, NYSE and NASD provide market oversight 
over the two largest exchanges in terms of domestic equity market 
capitalization and the value of their shares traded. 

[4] During a sweep inspection, OCIE probes specific activities of all 
SROs, or a sample of them, to identify emerging compliance issues. 

[5] See GAO, Securities Regulation: Opportunities Exist to Enhance 
Investor Confidence and Improve Listing Program Oversight, GAO-04-75 
(Washington, D.C.: Apr. 8, 2004). During our prior review, OCIE 
officials expressed concern that the routine use of SRO internal audit 
reports during SRO inspections would have a "chilling effect" on the 
flow of information between SRO internal audit staff and other SRO 
employees. 

[6] As a result of a 1985 study, SEC determined that SROs had created a 
viable intermarket surveillance program, and terminated its then 
tentative Market Oversight and Surveillance System project by 
determining not to develop the direct surveillance capabilities the 
system would have allowed. See United States Securities and Exchange 
Commission, Final Report to The Senate Committee on Banking, Housing, 
and Urban Affairs and The House Committee on Energy and Commerce: 
Regarding the Market Oversight and Surveillance System (Washington, 
D.C.: 1985). 

[7] Insider trading is the buying or selling of a security by someone 
who has access to material, nonpublic information about the security. 
It is illegal because any trading that is based on this information is 
unfair to investors who do not have access to the information. 

[8] OCIE also lists NASD district offices as key regulatory programs 
with routine inspection cycles. OCIE also conducts inspections of other 
nonexchange SROs, which include registered clearing agencies, transfer 
agents, and the Municipal Securities Rulemaking Board. 

[9] In addition to FINRA and NYSE, there are nine other SROs that 
operate or provide regulatory services to an exchange: the American 
Stock Exchange; the Boston Stock Exchange; the Chicago Board Options 
Exchange; the Chicago Stock Exchange; the International Securities 
Exchange; the NASDAQ Stock Market LLC; the National Stock Exchange; 
NYSE Arca, Inc.; and the Philadelphia Stock Exchange. 

[10] Corrective actions are at times taken prior to the inspection 
report being issued. In this case, OCIE generally still notes the 
finding and recommendation in its report. 

[11] Five branch chiefs and 3 assistant directors are located within 
the Office of Market Oversight. 

[12] Congress passed the Sarbanes-Oxley Act of 2002 in response to 
corporate failures and fraud that resulted in substantial financial 
losses to institutional and individual investors. This act 
substantially increased SEC's appropriations. Pub. L. No. 107-204, 116 
Stat. 745 (2002). 

[13] OCIE officials told us that they plan to hire 6 professional staff 
and 1 branch chief. 

[14] GAO-04-75. 

[15] A requirement for registration as a national securities exchange 
or national securities association is that the SRO have the capacity to 
enforce compliance of its members with SRO rules and with the federal 
securities laws and rules. However, OCIE officials stated that there is 
no SEC rule that expressly requires SROs to have an internal audit 
program with prescribed characteristics. 

[16] SEC has recognized that a strong internal audit function 
contributes to how effectively SROs fulfill their regulatory 
responsibilities. On at least two occasions, SEC recommended that SROs 
strengthen this function to improve their oversight. First, an 
investigation that SEC began in 1994 into the operations and 
investigations of NASD and the market-making activities of NASDAQ found 
that NASD failed over a period to conduct an appropriate inquiry into 
the anticompetitive actions among NASDAQ market makers. In responding 
to SEC's resulting recommendations, NASD agreed to ensure the existence 
of a "substantial" independent review staff reporting directly to 
NASDAQ's Board of Governors. Second, SEC reported in 1999 that its 
investigations of the activity of NYSE floor brokers found that NYSE 
failed to dedicate sufficient resources to allow regulatory staff to 
perform certain required examinations of floor-broker activity. To 
address SEC's resulting recommendation, NYSE agreed to maintain its 
Regulatory Quality Review Department as a "substantial" independent 
internal review staff with adequate resources to regularly review all 
aspects of NYSE. (See app. III for additional information on these 
investigations.) 

[17] SEC enforcement actions and inspections over the past several 
years have highlighted weaknesses in the effectiveness of certain 
regulatory programs and raised questions whether, in certain 
circumstances, SROs have maintained regulatory programs that are 
sufficiently rigorous to detect, deter, and discipline for members' 
violations of the federal securities laws and rules and SRO rules. 
Accordingly, SEC is currently considering the adoption of new rules and 
the amendment of existing rules designed to provide greater 
transparency to, among other things, key aspects of the regulatory 
operations of national securities exchanges and registered securities 
associations. OCIE officials believe these rules would allow OCIE to 
better monitor SRO activities between inspections. See Fair 
Administration and Governance of Self-Regulatory Organizations, et al., 
69 Fed. Reg. 71126 (Dec. 8, 2004) (proposed rule). 

[18] SEC's Policy Statement regarding Automated Systems of 
Self-Regulatory Organizations issued in 1989 set forth SEC's expectation that 
SROs establish comprehensive planning and assessment programs to 
determine the capacity and vulnerability of their IT trading and market 
information systems. The statement also provides guidance on the 
components of such a program, which included independent reviews and 
notification processes for system changes and outages. See Automated 
Systems of Self-Regulatory Organizations, Exchange Act Release No. 
27445 (Nov. 16, 1989), published in 54 Fed. Reg. 48703 (Nov. 24, 1989). 
Under the ARP, SEC staff conduct reviews of how SROs are addressing 
SEC's expectations in these areas. For further information on ARP, see 
GAO, Financial Market Preparedness: Significant Progress Has Been Made, 
but Pandemic Planning and Other Challenges Remain, GAO-07-531 
(Washington, D.C.: Mar. 29, 2007). 

[19] Section 31 of the Securities and Exchange Act requires SEC to 
collect transaction fees designed to cover the cost to the government 
of the supervision and regulation of the securities markets, including 
costs associated with administrative, enforcement, and rulemaking 
activities. 15 U.S.C. § 78ee. 

[20] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00.21.3.1 (Washington, D.C.: November 1999). 

[21] Between fiscal years 2002 and 2006, OCIE completed an average of 
42 inspections of SROs per year. 

[22] SEC uses CATS to record key information about MUIs, 
investigations, actions, and case outcomes. This information includes 
basic background on cases SEC has opened, dates for case milestones, 
and eventual case outcomes. 

[23] Enforcement officials said that although advisories generally do 
not contain enough information to warrant opening an MUI, they found 
this sharing of information useful in staying abreast of and 
potentially responding to unusual market activity. 

[24] Referrals that do not become MUIs are closed, but information on 
the referrals still resides in the SRO system. If MUIs approved by OMS 
branch chiefs and Enforcement associate directors involve issuers or 
individuals in multiple states or in Washington, D.C., MUIs may be 
assigned to headquarters Enforcement staff for review and decisions on 
whether to fully investigate. Otherwise, branch chiefs assign MUIs to 
the appropriate SEC regional office. For example, an MUI that contains 
information about suspected insider trading activity among individuals 
in a New York firm would be referred to SEC's New York Regional Office. 

[25] According to SEC Enforcement officials, SEC's case tracking system 
records the beginning of an investigation when Enforcement staff decide 
to investigate MUIs and open an investigation. The investigation is 
officially closed in the system after administrative or district court 
proceedings have concluded and all outcomes, such as fines, other 
penalties, and disgorgement, have been collected and distributed. The 
investigation average calculated in footnote 23 therefore includes 
cases that are filed or instituted as litigated matters, which require 
additional time for interim steps, such as discovery depositions and 
trial. The average also includes matters where a party is given an 
extended time in which to pay disgorgement or penalties, due to his or 
her financial condition. It also includes matters where additional 
noninvestigative time is spent distributing funds to investors through 
a disgorgement or Fair Fund. The investigation is not formally closed 
in CATS until all such additional steps are completed. 

[26] The overall referral and investigation processes duration of 726 
days, or almost 2 years, consists of a 123-day average for issue 
identification and SEC referral receipt, 17-day average for SEC to open 
an MUI, 52-day average for SEC to determine whether to investigate a 
matter, and 534-day average for SEC to open an investigation and 
completely conclude a case (see fig. 2). 

[27] We calculated the 123-day average duration between SRO issue 
identification and SEC referral receipt using data from the SRO system 
on formal referrals. The 123-day average does not include earlier 
contact by SROs, which may make telephone referrals that may predate 
formal referrals. In addition, we calculated the 17-day average 
duration between SEC referral receipt and SEC MUI opening using data on 
MUIs that SEC opened after receiving referrals from SROs. The 17-day 
average does not include instances when SEC opened an MUI before 
receiving an SRO referral. 

[28] We calculated average investigation duration by using 189 of 574 
total investigations opened during the period of our review that had 
open and close dates, and therefore could be used to calculate the 
average duration. Of the 574 investigations SEC opened during our 
review period, the remaining 385 (or two-thirds) were ongoing or active 
as of the date SEC provided us with these data (Apr. 18, 2007) and were 
not used to calculate the 534-day average duration for investigations. 
We determined that as of this date, these active cases had been open an 
average of 696 days. Appendix IV provides additional information on 
these cases. 

[29] Figure 3 is not drawn to scale. Data found in this figure have two 
sources. The SRO system is the source of data on the number of 
advisories and referrals, while CATS is the source for the data on 
MUIs, investigations, actions, and case outcomes. 

[30] Calculating certain durations included in this report required us 
to manually merge data from the SRO and case tracking systems. 

[31] See GAO, Securities and Exchange Commission: Additional Actions Needed 
to Ensure Planned Improvements Address Limitations in Enforcement 
Division Operations, GAO-07-830 (Washington, D.C.: Aug. 15, 2007) for 
more information on CATS management and reporting limitations and SEC's 
ongoing efforts to create the Hub to improve Enforcement information 
system capabilities. 

[32] In July 2007, SEC approved the establishment of the Financial 
Industry Regulatory Authority (FINRA). FINRA consolidated the former 
NASD (which provided regulatory services to markets such as the 
American Stock Exchange and NASDAQ) and the member regulation, 
enforcement, and arbitration operations of NYSE Regulation. NYSE 
Regulation, however, continues to be responsible for monitoring trading 
activity on the NYSE market and conducting investigations of suspicious 
trades. Because this consolidation occurred after our audit work was 
complete, we chose to refer to the former NASD, and not FINRA, 
throughout this report. 

[33] When bluesheeting a broker-dealer, SROs request detailed 
information about trades performed by the firm and its client, 
including the stock's name, the date traded, price, transaction size, 
and a list of the parties involved. The questionnaires SROs use came to 
be known as blue sheets because they were originally printed on blue 
paper. Today, due to the high volumes of trades, this information is 
provided electronically. 

[34] The purpose of the ISG is to provide a framework for the sharing 
of information and the coordination of regulatory efforts among 
exchanges trading securities and related products to address potential 
intermarket manipulations and trading abuses. 

[35] Referrals from SROs grew from 438 to 514, or an increase of 17 
percent, between fiscal years 2003 and 2006. The numbers of SEC 
investigations and enforcement actions also showed a corresponding 
increase. We found that almost 91 percent of all advisories and almost 
80 percent of SRO referrals sent to SEC during this period involved 
suspected insider trading activity, which Enforcement and SRO staff 
attributed to increased merger and acquisition activity. 

[36] A short sale is the sale of a borrowed security, commodity, or 
currency with the expectation that the asset will fall in value. For 
example, an investor who borrows shares of stock from a broker and 
sells them on the open market is said to have a short position in the 
stock. The investor must eventually return the borrowed stock by buying 
it back from the open market. If the stock falls in price, the investor 
buys it for less than he or she sold it, thus making a profit. 

[37] Order Approving Options Regulatory Surveillance Authority Plan, 
Exchange Act Release No. 34-53940 (June 5, 2006), published in 71 Fed. 
Reg. 34399 (2006) (Order). 
