This is the accessible text file for GAO report number GAO-13-314 entitled 'Securities and Exchange Commission: Continued Management Attention Would Strengthen Internal Supervisory Controls' which was released on April 18, 2013. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office:
GAO:
Report to Congressional Committees:
April 2013:
Securities and Exchange Commission: Continued Management Attention Would Strengthen Internal Supervisory Controls:
GAO-13-314:

GAO Highlights:
Highlights of GAO-13-314, a report to congressional committees.

Why GAO Did This Study:
Recent high-profile securities frauds have raised questions about the internal controls that SEC has in place to help ensure that staff carry out their work completely and in a manner consistent with applicable policies and procedures.
Section 961 of the Dodd-Frank Act directs SEC to annually assess and report on internal supervisory controls for staff performing examinations, corporate financial securities filing reviews, and investigations. The act also requires GAO to review SEC's structure for internal supervisory control applicable to staff working in those offices. This report examines the (1) steps the offices took to develop an internal supervisory control framework; (2) internal supervisory controls each office has implemented; and (3) extent to which the internal supervisory controls have operated as intended. GAO reviewed each office's section 961 assessments and reports; analyzed the offices' internal supervisory control framework; and tested a sample of 60 supervisory controls using random samples and nonprobability selections.

What GAO Found:
After the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) in 2010, the Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations, Division of Corporation Finance, and Division of Enforcement (herein "the offices") established a working group that developed an internal supervisory control framework. Internal supervisory controls include the processes established by management to help ensure that procedures applicable to staff are performed completely, consistent with applicable policies and procedures, and remain current. The overall control framework is generally consistent with federal internal control standards, which includes identifying and assessing risks, identifying and assessing internal controls, and reporting the results of testing to management and Congress. As part of developing and applying an internal supervisory control framework, the offices each identified internal supervisory controls to mitigate risks that could undermine their ability to consistently and competently carry out their responsibilities.
These internal supervisory controls are built into the offices' work processes--that is, the processes they use to carry out examinations, financial securities filing reviews, and investigations--and range from specific supervisory review and approval activities to management reports used to monitor the processes as a whole. For example, within Enforcement, supervisors must review and approve staff recommendations that a tip, complaint, or referral be closed without further investigation. Many of the offices' internal supervisory controls existed prior to the development of SEC's internal supervisory control framework; others were developed through the process of developing the framework.

GAO identified deficiencies in about half of the 60 internal supervisory controls it tested. Specifically, GAO found that for 27 internal supervisory controls (1) the description of the control activity did not accurately reflect policy or practice; (2) documentation demonstrating execution of the control was not complete, clear, or consistent; or (3) the controls lacked clearly defined control activities. These control deficiencies may not prevent management from detecting whether the activities of the offices are conducted completely and in accordance with policy. However, similarities in the nature of deficiencies across all three offices suggest that management attention to the design and operation of internal supervisory controls is warranted. Federal internal control standards state that control activities should enable effective operation and have clear, readily available documentation. The offices have addressed or have been taking steps to address all of the 27 identified deficiencies. Some steps have been taken based on the offices' section 961 assessments. SEC addressed other deficiencies during GAO's review after discussions with GAO detailing the identified deficiency. Not enough time has passed for GAO to assess the effectiveness of these changes.
Ensuring that all internal supervisory controls have clearly defined activities and clear, readily available documentation demonstrating execution of the control would provide SEC management with better assurance that policies were being executed as intended and strengthen SEC's internal supervisory control framework.

What GAO Recommends:
To help ensure that controls are properly designed and operating effectively, SEC should make certain that existing internal supervisory controls and any developed in the future have clearly defined activities and clear and readily available documentation demonstrating execution of the activities. SEC agreed with GAO's recommendation.

View [hyperlink, http://www.gao.gov/products/GAO-13-314]. For more information, contact A. Nicole Clowers, 202-512-8678, clowersa@gao.gov.

[End of section]

Contents:

Letter:
Background:
Existing Internal Supervisory Control Framework Generally Reflects Accepted Standards of Internal Control:
Offices' Work Processes Incorporate Internal Supervisory Controls Designed to Address Identified Risks:
Common Control Deficiencies Indicate Need for Continued Management Attention to Internal Supervisory Controls:
Conclusions:
Recommendation for Executive Action:
Agency Comments:

Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Securities and Exchange Commission:
Appendix III: GAO Contact and Staff Acknowledgments:

Tables:
Table 1: Roles and Responsibilities of OCIE, Corporation Finance, and Enforcement:
Table 2: Status (as of April 2013) of Sampled Internal Supervisory Controls Operating from October 2011 through June 2012 in Which the Description of the Control Activity Did Not Accurately Reflect Policy or Practice:
Table 3: Status (as of April 2013) of Sampled Internal Supervisory Controls Operating from October 2011 through June 2012 That Lacked Complete, Clear, or Consistent Documentation Demonstrating Execution of the Control:
Table 4: Status (as of April 2013) of Sampled Internal Supervisory Controls Operating from October 2011 through June 2012 That Lacked Clearly Defined Control Activities:

Figure:
Figure 1: Relationship between Internal Supervisory Control Framework and Internal Supervisory Controls:

Abbreviations:
COLD: Comment Letter Dissemination system:
COSO: Committee of Sponsoring Organizations of the Treadway Commission:
CTR: Confidential Treatment Request:
EDGAR: Electronic Data Gathering, Analysis, and Retrieval system:
FACTS: Filing Activity Tracking System:
FMFIA: Federal Managers' Financial Integrity Act of 1982:
MUI: matters under investigation:
NEP: National Examination Program:
NRSRO: Nationally Recognized Statistical Rating Organizations:
OCIE: SEC, Office of Compliance Inspections and Examination:
OCOO: SEC, Office of the Chief Operating Officer:
OCR: SEC, Office of Credit Ratings:
OIG: SEC, Office of Inspector General:
OMB: Office of Management and Budget:
OMI: SEC, Office of Market Intelligence:
SEC: Securities and Exchange Commission:
STARS: Super Tracking and Reporting System:
TCR: tips, complaints, and referrals:
TRENDS: Tracking and Reporting Examinations--National Documentation System:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

April 18, 2013:

The Honorable Timothy Johnson:
Chairman:
The Honorable Michael Crapo:
Ranking Member:
Committee on Banking, Housing, and Urban Affairs:
United States Senate:

The Honorable Jeb Hensarling:
Chairman:
The Honorable Maxine Waters:
Ranking Member:
Committee on Financial Services:
House of Representatives:

The mission of the Securities and Exchange Commission (SEC) is to protect investors; maintain fair, orderly, and efficient securities markets; and facilitate capital formation. To meet its goals, SEC requires public companies to disclose meaningful financial and other information to the public, examines firms it regulates, and investigates potential violations of securities law.
SEC typically identifies potential violations of securities law and brings hundreds of civil enforcement actions against individuals and companies each year. However, the failure of the agency to detect high-profile cases of fraud in recent years--such as the multi-billion dollar fraud committed by Bernard Madoff Investment Securities, LLC--has caused some members of Congress and SEC's Office of Inspector General (OIG) to question SEC's ability to identify and stop financial fraud. Some of these questions have focused on whether SEC has adequate internal controls for conducting its work.

With an effective internal control system in place, management can deal with rapidly changing environments and shifting priorities. Internal controls also promote efficiency, reduce risk, and help ensure the reliability of financial statements and compliance with laws and regulations. To be effective, a system of internal control must incorporate a series of actions and activities that occur throughout an entity's operations and on an ongoing basis. Once in place, internal control provides reasonable, not absolute, assurance of meeting those objectives. Within SEC, having an adequate system of internal control can help the agency achieve its mission of protecting investors and maintaining fair and orderly markets, and improve accountability for doing so.

Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) requires us to review the adequacy and effectiveness of SEC's internal supervisory control structure and procedures applicable to SEC staff who perform examinations of registered entities, review filings for corporate financial securities, and conduct enforcement investigations.[Footnote 1] Such staff are located within SEC's Office of Compliance Inspections and Examinations (OCIE), Division of Corporation Finance, and Division of Enforcement--to which we refer collectively as the offices.
Section 961 does not define "internal supervisory control." Therefore, for our report we define internal supervisory control as the processes management establishes to help ensure that procedures applicable to staff are performed completely, consistent with applicable policies and procedures, and remain current.[Footnote 2] We interpret internal supervisory controls as a subset of an overall internal control framework, with an emphasis on supervisory review and oversight of work that SEC staff conduct.

This report examines the:

* steps the offices have taken toward developing an internal supervisory control framework over the specified programs,

* internal supervisory controls each office has implemented and how these controls reflect established internal control standards, and

* the extent to which the internal supervisory controls have operated as intended.

To identify the steps each office took to develop an internal supervisory control framework, we evaluated and analyzed documentation from OCIE, Corporation Finance, and Enforcement. We interviewed officials from OCIE, Corporation Finance, and Enforcement about actions taken to develop an internal supervisory control framework. To describe the internal supervisory controls that exist as part of the offices' processes for conducting complete and consistent examinations, reviews of financial securities filings, and investigations, we evaluated and analyzed documentation from OCIE, Corporation Finance, and Enforcement. We also interviewed officials from these offices about the specific internal supervisory controls they have in place.[Footnote 3] To evaluate the extent to which the internal supervisory controls have operated as intended, we reviewed the policies, procedures, and stated control objectives of the offices to determine if selected internal supervisory controls were designed in a manner capable of achieving their stated objectives and functioned as intended.
We categorized each of the internal supervisory controls for fiscal year 2011 according to the internal control standard (control environment, risk assessment, control activities, information and communication, and monitoring) each best demonstrates and selected a nonprobability sample of controls from each office based on known information relating to past internal control failures and high-risk activities. We supplemented this sample with a random selection of additional internal supervisory controls from the remaining population. The methodology used to review each control varied due to the nature of each control, the availability of control-level data, and the different methods used to document the control. The results of our review of the design and functioning of the specified controls are applicable only to the tested controls for the audited time period and therefore are not generalizable to all of SEC's internal supervisory controls. Because our review did not identify or test every control, it should not be interpreted as an attestation of the offices' internal control. Appendix I contains additional information on our scope and methodology.

We conducted our work from February 2012 to April 2013 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background:

To carry out its mission, SEC's responsibilities are organized into 5 divisions and 23 offices. Of those, OCIE, the Division of Corporation Finance, and the Division of Enforcement are subject to section 961 of the Dodd-Frank Act.[Footnote 4] The roles and responsibilities of these offices are summarized in table 1.
Table 1: Roles and Responsibilities of OCIE, Corporation Finance, and Enforcement:

Division or office: Office of Compliance Inspections and Examinations;
Roles and responsibilities: Administers a nationwide examination and inspection program for regulated self-regulatory organizations, broker-dealers, transfer agents, clearing agencies, and investment companies and advisors to improve compliance, prevent fraud, monitor risk, and inform policy.

Division or office: Division of Corporation Finance;
Roles and responsibilities: Reviews corporate disclosures, assists companies in interpreting the Commission's rules, and recommends new rules for adoption.

Division or office: Division of Enforcement;
Roles and responsibilities: Conducts investigations of potential violations of the federal securities laws, including the conduct of registered entities (such as broker-dealers and investment advisors) and unregistered entities (such as unregistered and fraudulent securities offerings), recommends, when appropriate, that the Commission file enforcement actions (either in a federal court or in an administrative proceeding before an administrative law judge), litigates these actions, negotiates settlements on behalf of the Commission, and works with criminal law enforcement agencies when warranted.

Source: GAO summary of information from SEC.
[End of table]

Section 961 of the Dodd-Frank Act requires SEC to submit a report to Congress (1) on the assessment of the effectiveness of its internal supervisory controls and the procedures applicable to staff who perform examinations, enforcement investigations, and reviews of financial securities filings; (2) a certification that SEC has adequate internal supervisory controls to carry out examinations, reviews of financial securities filings, and investigations; and (3) a summary of the Comptroller General's findings on the adequacy and effectiveness of SEC internal supervisory controls.[Footnote 5] According to section 961, SEC must submit these reports no later than 90 days after the end of each fiscal year.[Footnote 6] SEC's first three annual reports--for fiscal years 2010, 2011, and 2012--found no significant deficiencies in internal supervisory controls, and concluded that the controls were effective.[Footnote 7]

While not subject to section 961, SEC's Office of the Chief Operating Officer (OCOO) and the Division of Risk, Strategy, and Financial Innovation provided advice and assistance to OCIE, Corporation Finance, and Enforcement, in identifying, establishing, and carrying out internal control policies and procedures. For example, the Division of Risk, Strategy, and Financial Innovation advised the offices on developing appropriate statistical methods for testing controls. The OCOO has also provided guidance and training on how to implement an internal control process.

In addition to the section 961 requirement, SEC is responsible for establishing and maintaining effective internal control and financial management systems that meet the objectives of the Federal Managers' Financial Integrity Act of 1982 (FMFIA).[Footnote 8] FMFIA requires agencies to annually assess and report on the internal controls that protect the integrity of their programs and whether financial management systems conform to related requirements.
The Office of Management and Budget's (OMB) Circular No. A-123, which requires agencies to provide an assurance statement on the effectiveness of programmatic internal controls and financial system conformance, provides guidance for implementing FMFIA. We review SEC's internal controls for its financial management systems as part of our annual financial audit of the agency and therefore these controls are not examined in this report.[Footnote 9]

Internal Control Standards:

GAO's Standards for Internal Control in the Federal Government provides the overall framework for establishing and maintaining internal control in federal agencies.[Footnote 10] In implementing these standards, management is responsible for developing detailed policies and procedures to fit their agency's operations. Agencies may implement these standards at an office level to establish an overall framework for organizing the development and implementation of internal controls. The standards also can be implemented to help ensure that specific program activities are carried out according to adopted policies and procedures. Our standards are similar to the framework for internal control developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).[Footnote 11] Five interrelated standards establish the minimum level of quality acceptable for internal control:

* Control Environment. Management and employees should establish and maintain an environment throughout the organization that sets a positive supportive attitude toward internal control and conscientious management. A positive control environment is the foundation for all other standards. It provides the discipline and structure as well as the climate that influences the quality of an organization's internal control. Management's philosophy and operating style also affect the environment, including management's philosophy towards monitoring, audits, and evaluations.

* Risk Assessment. After establishing clear, consistent agency objectives, management should conduct an assessment of the risks the agency faces from external and internal sources. Risk assessment is the identification of risks associated with achieving the agency's control objectives and analysis of the potential effects of the risk. Risk identification methods may include qualitative and quantitative ranking activities, management discussions, strategic planning, and consideration of findings from audits and other assessments. Risks should be analyzed for their possible effect and risk analysis generally includes estimating a risk's likelihood of occurrence and its significance or impact if it were to occur. Because governmental, economic, regulatory, and operating conditions continually change, mechanisms should be provided to identify and appropriately deal with additional risk resulting from such changes.

* Control Activities. Control activities--policies and procedures that help management carry out its directives--help to ensure that actions are taken to address risks. Control activities are an integral part of an entity's planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. The control activities should be effective and efficient in accomplishing the agency's control objectives.

* Information and Communications. Key information should be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities.

* Monitoring. Management should assess the quality of internal control performance over time and ensure that the findings of audits and other reviews are promptly resolved.
Existing Internal Supervisory Control Framework Generally Reflects Accepted Standards of Internal Control:

As part of their efforts to respond to section 961 requirements, OCIE, Corporation Finance, and Enforcement put in place an internal supervisory control framework that generally reflects federal internal control standards. The framework requires that each office develop a formal process for identifying and assessing risks, identifying key internal controls that address those risks, assessing the operating effectiveness of internal controls, and reporting the results of the testing.

According to staff, although internal controls were in place to oversee examinations, investigations, and securities filing reviews, the offices had no formal methods for identifying, documenting, or assessing internal supervisory controls prior to 2010. Before 2010, the offices annually assessed and provided assurance statements on the adequacy of their internal controls to comply with requirements of FMFIA and OMB Circular No. A-123; however, according to SEC officials, these assessments generally focused on controls affecting SEC's financial statements and information technology.[Footnote 12]

In response to section 961 of the Dodd-Frank Act, senior officers and staff from OCIE, Corporation Finance, and Enforcement and the Offices of the Chief Accountant, General Counsel and Executive Director formed the 961 Working Group (Working Group) to coordinate the annual assessment and certification. This group also worked to coordinate the section 961 assessments with agencywide efforts to comply with FMFIA internal control requirements. The Working Group included senior-level managers who also were tasked with leading their office's 961 annual assessment efforts.
In fiscal year 2011, the Working Group expanded to include OCOO.[Footnote 13] Additionally, since fiscal year 2011 the MorganFranklin consulting firm has provided assistance to the offices on certain aspects of SEC's 961 program.

During our interviews with members of the Working Group, staff demonstrated knowledge of their respective office's internal control framework, known gaps, and efforts to address gaps. Staff discussed risks to their respective programs and how existing controls addressed those risks. For example, OCIE staff discussed a key risk of examinations being conducted in a manner inconsistent with policies and procedures due to a gap in its processes for organizing and updating policies and procedures. OCIE staff described the development of the new governance structure and how it addresses this gap. Division management and senior officer involvement in the establishment of the internal supervisory control framework and in-depth understanding of a program's internal supervisory control framework, risks, and the design and implementation of a plan to mitigate risks reflect the control environment standard, which states that management should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal control and conscientious management.

As they worked to develop the internal supervisory control framework, the Working Group used GAO's standards, guidance in OMB Circular No. A-123, and the Commission's own internal control guidance to public companies.[Footnote 14] To guide the design of the framework and internal supervisory controls assessment process, the Working Group identified three key principles--(1) control systems and assessments should be designed to provide a reasonable assurance of effectiveness, (2) management should rely on its judgment, and (3) management should make judgments based on risk and its own knowledge and expertise to implement an efficient and effective evaluation process. The Working Group also developed key definitions and criteria to better coordinate the offices' approach for determining the scope and required evidence needed to support management's evaluation and certification as required under section 961.[Footnote 15] For example, the group defined "internal supervisory control" to assist each office in scoping its assessment and established criteria for determining if a control evaluation finding rose to the level of a "deficiency" or "significant deficiency," which is consistent with generally accepted government auditing standards.[Footnote 16]

The resulting internal supervisory control framework generally reflects federal internal control standards.[Footnote 17] Specifically, SEC's internal supervisory control framework includes the following elements:

Identifying and assessing risks. Under SEC's framework, each office must conduct an annual risk assessment. Consistent with the risk assessment standard of internal control, each office's risk assessment includes processes for identifying and assessing key risks. To implement this process, each office assigned a small group, led by the managing executive or other senior officer, the task of identifying what they believed to be the key risks.[Footnote 18] The Division of Enforcement also received support from MorganFranklin in conducting its 961 reviews for fiscal years 2011 and 2012.
These small groups then evaluated the "inherent risk" associated with each key risk based on their judgment of the likelihood of the risk occurring and the severity of impact if it were to occur.[Footnote 19] Based on this evaluation, each risk was assigned a rating. For example, for each identified risk in fiscal year 2011, Corporation Finance rated the likelihood of the risk occurring using a three-level system (low, medium, or high). It similarly rated each identified risk's impact. The group then used a three-by-three matrix to arrive at an overall risk rating.

Identifying key internal controls that address the risks. For each key risk, the small groups identified corresponding key controls, including internal supervisory controls, used to address the risks.[Footnote 20] For example, OCIE requires examination reports and workpapers to be reviewed and approved by management at the end of every examination. This helps to ensure that applicable rules and regulations are reviewed and examinations are consistently performed. The key risks and controls are documented in a risk-assessment tool called a risk and control matrix and, according to SEC staff, vetted by other managers and senior officials within each respective office, and approved by each office's director. Specific controls implemented by each office are discussed in more detail later in this report.

Assessing the operating effectiveness of internal controls. In developing SEC's framework, the Working Group incorporated the required 961 annual assessments. Consistent with the internal control standard for monitoring, the assessments provide the Commission and management with annual evaluations of the design and operating effectiveness of each office's internal supervisory controls.
According to the Working Group, each office has the discretion to determine the methodology, including level of evidence and frequency, for testing each control that would provide management with reasonable assurance of the control's effectiveness. Furthermore, the Working Group also consulted with SEC's Division of Risk, Strategy, and Financial Innovation and used GAO's Financial Audit Manual for assistance in determining the appropriate sample sizes, and the acceptable number of errors for a particular sample size and for pulling random samples.[Footnote 21] Each office designated an assessment team to carry out the testing and took steps to maintain the objectivity of the testing. For example, Corporation Finance's senior assessment team segregated testing duties so that an associate director would not be involved in selecting samples or testing the work of the offices that he or she oversees.[Footnote 22] According to staff, the fiscal year 2011 assessment was the first year for which control testing was conducted under section 961.[Footnote 23] On the basis of our review of each office's assessment procedures and documentation of assessment findings for fiscal year 2011, each used accepted methods such as inquiry, observation, inspection, and direct testing.[Footnote 24]

Reporting the results of the assessments. SEC's framework also requires each office, upon completion of testing, to evaluate the results of its testing and communicate details of the assessment process and findings in writing to the office's director. Once the office's director determines the assessment and its findings are complete, each office prepares a memorandum from the director to the chairman summarizing the results. This memorandum is intended to disclose any significant deficiency that could adversely affect the ability of the office to consistently carry out its work with professional competence and integrity.
The Working Group then drafts the required public report to Congress and certification document, which is signed by the directors of Corporation Finance, Enforcement, Office of Credit Ratings (OCR), and OCIE.[Footnote 25] Section 961 does not require the public disclosure of any significant deficiencies, but instead requires that directors certify that they have disclosed to the Commission any significant deficiencies.[Footnote 26] Section 961(c) requires the office director to certify that, among other things, he or she has evaluated the effectiveness of the internal supervisory controls during the 90-day period ending on the final day of the fiscal year to which the report relates and disclosed to the Commission any significant deficiencies in the design or operation of internal supervisory controls that could adversely affect the ability of the office to consistently conduct inspections, investigations, or financial securities filing reviews with professional competence and integrity. Reporting assessment results constitutes a significant part of an overall internal control framework and reflects the information and communication and monitoring components of internal control standards.[Footnote 27]

In fiscal year 2012, the Working Group took additional steps to improve the overall internal supervisory control framework and 961 assessment processes. Notably, the group adopted a single set of procedures for conducting the annual assessments for all of the offices. In fiscal year 2011, each office used similar but separate processes for conducting its assessment. The fiscal year 2012 procedures maintain a risk-assessment methodology that continues the offices' focus on identifying key risks, but differs in that it establishes a common scale for assessing the likelihood and impact of key risks.
The fiscal year 2012 procedures also provide a common definition of key controls and information on how to identify them; allow for each office to design an appropriate control evaluation strategy; provide guidance--developed in consultation with economists from the Division of Risk, Strategy, and Financial Innovation--for conducting statistical testing of internal supervisory controls; and incorporate additional control testing guidance similar to that set forth in our Financial Audit Manual. Finally, the procedures incorporate guidance from the offices' fiscal year 2011 procedures on reporting the results of the assessments to office or division management, SEC's Chairman, and Congress. In fiscal year 2012, the Working Group also further incorporated staff from OCOO and provided additional guidance aimed at improving the offices' risk assessment and control identification. According to OCOO staff, in fiscal year 2012, they periodically reviewed the offices' documentation of risks and controls, consulted with the offices to help address any challenges or questions, and helped staff use an electronic tool that assists in the identification of key risks and controls. This tool also captures control descriptions and data on control evaluation results and provides information to office management in a standardized format. Additionally, OCOO staff assisted OCIE and Enforcement with identifying potential gaps in risks and controls. OCOO staff and MorganFranklin also provided staff from each of the three offices with additional training on how to identify and evaluate risks and controls. For example, training materials outline specific questions to ask when evaluating the design of new or established controls such as (1) how often the control activity was completed, (2) how the control was documented, and (3) the purpose of the documentation. 
Such training can help to improve future 961 assessments, specifically the evaluation of a control's design to help ensure it includes clear and specific implementing procedures. OCOO plans to increase its support to each office's risk and control identification and assessment process. Offices' Work Processes Incorporate Internal Supervisory Controls Designed to Address Identified Risks: As part of developing and applying the internal supervisory control framework, each office identified internal supervisory controls to address the risks identified through the risk assessment. These internal supervisory controls are built into the offices' work processes--that is, the processes they use to carry out examinations, filing reviews, and investigations. The controls are intended to help ensure that objectives are being met and that the procedures applicable to staff carrying out these activities are conducted completely and consistently. They range from supervisory review and approval activities to information regularly provided to management to monitor the processes as a whole. According to staff, many of the offices' internal supervisory controls existed prior to the development of SEC's internal supervisory control framework in 2010. Others were developed through the process of developing the framework. Our review of each office's process for conducting examinations, filing reviews, and investigations found that each included controls generally reflective of the internal control standards.[Footnote 28] As noted earlier, agencies may implement the internal control standards at an office level to establish an overall framework for organizing the development and implementation of internal controls and at the program level to help ensure that specific activities are carried out according to adopted policies and procedures. 
Figure 1 shows the relationship between the internal supervisory control framework and the internal supervisory controls established by each office at the program level. Figure 1: Relationship between Internal Supervisory Control Framework and Internal Supervisory Controls: [Refer to PDF for image: pie-chart with 3 subchart illustrations] Internal supervisory control framework at the office level: Control environment (CE): Working group and office assessment teams. Risk assessment (RA): Risk identification and assessment. Control activities (CA): Control identification. Monitoring (M): Testing of internal controls; Annual 961 assessments. Information and communication (IC): Reporting results of 961 assessments to management. Examples of program activities that demonstrate internal control standards: Investigations: CE: Internal supervisory control: Office of Market Intelligence centrally handles tips, complaints and referrals; RA: Internal supervisory control: Annual 961 assessments; CA: Internal supervisory control: Supervisory reviews of tips, complaints and referrals recommendations; M: Internal supervisory control: Monthly performance reports; IC: Internal supervisory control: Regular management meetings with investigative staff. 
Filing reviews: CE: Internal supervisory control: Each assistant director office is responsible for filings from separate sectors of the economy; RA: Internal supervisory control: Annual 961 assessments; CA: Internal supervisory control: Second-level supervisory reviews; M: Internal supervisory control: Public release of correspondence; IC: Internal supervisory control: Program performance reports; Examinations: CE: Internal supervisory control: National Examination Program governance structure; RA: Internal supervisory control: Annual 961 assessments; CA: Internal supervisory control: Supervisory reviews of scope memorandums and examination reports; M: Internal supervisory control: Monthly performance reports; IC: Internal supervisory control: Monthly video teleconferences. Source: GAO analysis. [End of figure] OCIE's Internal Supervisory Controls Are Designed to Help Ensure Examinations Are Conducted Completely and Consistently: OCIE administers SEC's nationwide examination program. Key risks to ensuring examinations are conducted in a manner consistent with OCIE objectives include (1) not effectively or efficiently selecting high-risk examination candidates and (2) examination findings that are not generally supported by the workpapers. To address these and other identified risks, OCIE developed controls that help ensure that high-risk examination candidates are selected in accordance with OCIE program goals and that managers perform oversight of examination workpapers to better ensure that examination findings are generally supported by workpapers. OCIE's Internal Supervisory Controls That Demonstrate the Control Environment Standard: OCIE's recent implementation of a new governance structure, generally referred to as the National Examination Program (NEP), has the potential to provide for greater standardization of the examination process and supervisory controls. 
Consistent with the standard of control environment, NEP defines areas of authority and responsibility. For example, under NEP, senior officers with the title of national associate head each of the five examination program areas. The national associates are charged with setting directives and helping ensure consistency across NEP. Under NEP, OCIE also created a number of committees responsible for carrying out designated activities.[Footnote 29] A primary function of the committees is to help ensure that policies and procedures are formally discussed, approved, and communicated. Such a committee structure reflects the control environment standard by clearly delegating authority and responsibility throughout OCIE. Further, OCIE created an Office of the Managing Executive responsible for general operational areas and oversight of internal controls. Assigning responsibility for internal controls to a senior-level manager demonstrates a commitment to internal control and is consistent with establishing a positive control environment. Finally, OCIE has been working with SEC University to develop an examiner certification program based on a job analysis of examiners to identify the skills needed.[Footnote 30] Such efforts reflect a control environment by helping to ensure all personnel possess and maintain a level of competence that allows them to accomplish their assigned duties. OCIE's Internal Supervisory Control Activities: In addition to the examination program's governance structure, OCIE established a standardized set of policies and procedures for conducting examinations under NEP. These control activities are a key part of the framework. Prior to the adoption of standardized policies and procedures, the processes for conducting and documenting supervisory review of staff work varied. 
For example, some regional offices used control sheets to document staff work and supervisory review, while others indicated review through management's review of the examination report. The standardized policies and procedures outline the examination process and provide guidance to staff and supervisors for conducting and reviewing examinations. They also include existing management and supervisory activities intended to help ensure that examinations are carried out according to OCIE policies and are consistent with OCIE's goals and objectives. Examples of internal supervisory control activities include the following: * Entity selection. NEP management works with regional offices to determine registrants targeted for examination. Each year, NEP management holds several meetings to develop examination program goals and objectives, including guidance for the selection of registrants for examination and potential focus areas. To further assist OCIE management in selecting registrants for examination, OCIE's Office of Risk Analysis and Surveillance staff use information from registration and other required forms, past examinations, and other sources to help identify regulated entities that likely pose the highest risk to investors. According to staff, each regional office is provided this information about the regulated entities in its jurisdiction, including specific areas of risk that a certain entity may pose. The regional offices incorporate local information and knowledge and confer with home office (headquarters) management and national associates on a semi-annual basis to determine registrants targeted for examination. * Examination scope approval. Supervisors review and approve the initial scope of the examination and any subsequent modifications to the scope. 
After staff conduct the pre-examination research, procedures require the staff to schedule a pre-examination meeting with supervisors to discuss the areas that will be included in the scope of the examination and whether additional expertise or resources are needed. The staff document the decisions made and submit the scoping work to the supervisor for approval. Supervisors are expected to ensure that relevant pre-examination research is completed, including a review of: previous examinations and deficiencies; tips, complaints, and referrals; and Division of Enforcement activity. They also must determine that the proposed scope of the examination is appropriate and in line with OCIE goals and objectives. * Examination workpaper review. Supervisors review and sign control sheets (or other examination workpapers).[Footnote 31] OCIE procedures require staff to document the steps that were taken during the course of the examination, methodology used, documents reviewed, and findings and conclusions for each aspect of the examination in the workpapers. Supervisors review the key workpapers supporting the staff's findings to determine whether the work performed sufficiently assessed the focus areas in the scoping and planning documents. Supervisors also must review the evidence provided to determine if it sufficiently supports the findings and conclusions. Finally, procedures require that supervisors meet with the examination team after the information-gathering portion of the examination is substantially complete to discuss preliminary findings and any challenges encountered during the examination. In the event that staff discover facts that may result in an Enforcement referral, those facts should be brought to the immediate attention of an associate director. 
Once the appropriate associate director or national associate determines that an examination merits a referral to Enforcement, OCIE staff are to follow NEP procedures for documenting and communicating the referral to Enforcement. * Examination report approval. An assistant director or higher-level supervisor approves the nonpublic examination report. After the examination team completes its examination but before it finalizes its nonpublic examination report, staff prepare the report and submit it for approval. Once examination findings are approved, an examination team will issue an examination summary or other closing letter to the registrant. Examination managers are responsible for ensuring that the examination summary letter includes information about any required response from the registrant and that the letter and report are properly filed in OCIE's systems. * Examination closing approval. An examination manager or a higher-level supervisor approves the closure of an examination. OCIE policies and procedures consider an examination to be closed after the assistant director or other authorized supervisor has approved the examination summary report, staff have sent an examination summary letter to the entity, and the entity has satisfactorily responded to the examination summary letter; or, when an Enforcement referral has been made and no further OCIE staff action is expected. According to staff, the examination manager or higher-level supervisor determines the sufficiency of an entity's response. In addition to the standardized policies and procedures, OCIE also has been implementing a new examination tracking system, the Tracking and Reporting Examinations-National Documentation System (TRENDS), which is intended to improve documentation of staff work and supervisory reviews and approvals. 
Consistent with the internal control standard of control activities, TRENDS is designed to provide OCIE with a means of clearly documenting significant events in the examination process and making that documentation readily available for review and reporting purposes. TRENDS was created in 2011 to capture NEP data and information, including workpapers, examination scope, deficiencies, audit techniques, and management approvals. TRENDS replaces manual methods for maintaining the results of examination work. For example, TRENDS replaces paper-based scope memorandums and examination reports with on-line "working scope" and "examination summary" screens.[Footnote 32] In TRENDS, each examination workbook has three phases (prefieldwork, fieldwork, and postfieldwork). At the completion of the prefieldwork and postfieldwork phases, examination staff electronically submit the examination workbook for management approval. Supervisors then can approve the workbook or return it to the staff for corrections or additional work. When staff receive a satisfactory registrant response to the examination summary letter, supervisors then perform a final approval by closing the examination. These approvals correspond to the internal supervisory control activities described earlier. TRENDS also contains built-in workflows and checklists that help ensure staff complete certain steps before an examination moves to the next phase and automatic notifications that alert supervisors of pending reviews. TRENDS also allows staff to search associated or previously closed examinations and track the status of deficiencies, and will be used to collect examination program performance information and statistics.[Footnote 33] In January 2012, OCIE began a phased-in implementation of TRENDS. According to OCIE, by September 30, 2013, all OCIE examination programs will use the system for newly initiated examinations. 
OCIE's Internal Supervisory Controls That Demonstrate the Information and Communication Standard: In addition to direct supervisory oversight activities and improved documentation of examinations through TRENDS, OCIE managers and supervisors attend meetings and receive updates that allow them to gather and provide the information intended to help individuals to carry out their internal supervisory control responsibilities. Such practices reflect the internal control standard for information and communication. OCIE policy requires a supervisor to attend specific examination meetings, such as a prefieldwork planning meeting, the postfieldwork meeting described above, and where feasible, the examination exit interview or conference call. According to staff, these meetings further enable supervisors to obtain the operating information necessary to determine if an examination team is meeting its objectives. OCIE also established standing meetings to discuss broader examination program information. For instance, OCIE holds monthly videoconferences with staff to provide updates on policies or procedures, share information on current examination program events and trends, and provide staff with the opportunity to raise issues with management. In addition, senior officers in OCIE regional offices and headquarters conduct quarterly meetings with the assistant directors and exam managers to review all open examinations, and the NEP senior management meets weekly to discuss program performance and goal achievement. Furthermore, OCIE management obtains pertinent information through monthly performance reports that are prepared by the Office of the Managing Executive. These reports contain key performance measures, such as the percentage of enforcement investigations resulting from examination referrals and the percentage of firms receiving examination summary letters that take corrective action in response to all examination findings. 
Finally, OCIE management monitors examination information to help ensure the office meets the statutory requirement that examinations be completed within the later of 180 days of the end of fieldwork or the date on which the last document was received from the registrant.[Footnote 34] OCIE's Internal Supervisory Controls That Demonstrate the Monitoring Standard: OCIE also implemented a number of controls consistent with federal internal control standards for monitoring. In addition to the 961 annual assessments, supervisory oversight of examinations, and management review of regular reports and the meetings, OCIE hired a senior specialized examiner to develop a compliance program within its Office of Chief Counsel. Since then, a compliance group has been formed and three additional permanent staff positions have been added to the group. The group periodically tests a random sample of examinations from each NEP office to evaluate for compliance with documented procedures and make recommendations for improvement. According to staff, this group is empowered to select what to evaluate (and when) and reports to the Chief Counsel. As of March 5, 2013, the Office of Chief Counsel was in the process of filling a recently created assistant director position to lead OCIE's compliance group. Since its creation, the group has completed six separate evaluations and, according to staff, has two additional evaluations ongoing. Moreover, OCIE established policies and procedures for responding to OCIE recommendations from GAO and SEC OIG audits. According to OCIE policy, management of the affected area will meet to discuss and draft a response to GAO and OIG audit findings. The Compliance, Ethics, and Internal Controls Steering Committee is responsible for reviewing management's proposed responses to GAO or OIG recommendations and other identified deficiencies. 
The committee discusses the response, obtains additional information if necessary, and can elect to elevate the response to OCIE's Executive Committee, which consists of the director of the NEP and at least seven members of the NEP's leadership team--including at least two representatives from headquarters, two from large regional offices, and three from smaller regional offices, if necessary.[Footnote 35] All responses to GAO and OIG recommendations are presented to OCIE's director for final approval. According to staff, any audit findings and recommendations made by OCIE's compliance unit follow a similar process. Noncontroversial or lower-level responses to recommendations may bypass the committees and go directly to the director for approval. Corporation Finance's Internal Supervisory Controls Are Designed to Help Ensure Financial Securities Filing Reviews Are Conducted Completely and Consistently: Corporation Finance selectively reviews filings made under the Securities Act of 1933 and Securities and Exchange Act of 1934 to monitor and enhance compliance with the applicable disclosure and accounting requirements.[Footnote 36] Key risks identified by the division to meeting its objectives include (1) not effectively identifying companies for review in accordance with regulations or that pose the greatest risk to investors and (2) not identifying and addressing material noncompliance in reviewing company disclosures. The division developed key internal supervisory controls to address these and other risks, including documenting procedures for determining the level and scope of reviews. 
Corporation Finance Internal Supervisory Controls That Demonstrate the Control Environment Standard: The review program for corporate financial securities filings, which falls under the Office of Disclosure Operations in Corporation Finance, includes a number of management efforts and processes designed to oversee the program's performance and establish a positive control environment.[Footnote 37] Consistent with the control environment standard, the division created an organizational structure with clear lines of authority and reporting. The program consists of 12 assistant director-led offices, each responsible for filings from one or more sectors of the economy. Each office includes a number of attorneys and accountants who serve as first-line supervisors. The program is overseen by senior management consisting of a deputy director and five associate directors. In addition, in 2011 Corporation Finance created an Office of the Managing Executive responsible for general operational areas and oversight of internal controls. Assigning responsibility for internal controls to a senior-level manager demonstrates a commitment to internal control and is consistent with establishing a positive control environment. Corporation Finance Internal Supervisory Control Activities: In addition to control environment procedures, the division has established policies and procedures for conducting filing reviews. Specifically, the division's filing review procedures include multiple internal supervisory controls to help ensure that filing reviews are being conducted completely and consistently and that the division's goals and objectives are being met. Examples of internal supervisory controls that reflect the control activities standard are described below. * Annual filing review goals. At the start of each fiscal year, division management develops goals for the filing review program. 
The goals include reviewing companies pursuant to section 408 of the Sarbanes-Oxley Act and internally defined criteria.[Footnote 38] The division also aims to conduct financial reviews of the most highly capitalized companies, reflecting a broad shareholder base, every year. In addition, division management suggests criteria for selecting other companies for review and allows broad discretion for assistant directors to make selections within these parameters. According to division officials, together these companies account for a substantial percentage of total market capitalization. * Second-level supervisory review. Once identified for selective review, a filing enters the review cycle, which generally includes four phases: screening, examination, closing, and the public posting to [hyperlink, http://www.SEC.gov] of SEC comments and responses to them ("filing review correspondence"). For most filings, a second-level review is required during each of these phases.[Footnote 39] For example, in the examination phase, examiners evaluate the disclosures in the filing and document their evaluation and any proposed comments on compliance improvements or material noncompliance with applicable disclosure or financial statement requirements in an examination report.[Footnote 40] Designated second-level review staff then review the examination reports and proposed comments to confirm that the comments are consistent with prior comments from the assistant director's office, address appropriate issues, reflect the division's opinions and interpretations of disclosure and financial statement requirements, and generally comply with division policies.[Footnote 41] Second-level reviewers' findings are documented in a review report. Corporation Finance created various documents and electronic databases to record and store filing review data. 
Recording significant events in the filing review process and ensuring that documentation is readily available for review are consistent with the control activities standard. Generally, documentation for each filing review includes a screening sheet, an examination report, a review report, and a closing memorandum. Each document captures information on the filing review and describes staff members' participation. For example, the examination report captures factual information about the company, the filing, the staff member who performed the filing review, the nature (or type) of the filing, and any staff comments. The closing memorandum includes a list of the documents reviewed, the actions taken, when the review was concluded, and any significant issues identified during the review. The division maintains five distinct electronic databases to track, conduct, document, and report on different aspects of its filing review program. For example, the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system is the division's primary record-keeping system.[Footnote 42] EDGAR performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others that voluntarily file or are required by law to file forms with SEC. Corporation Finance is aware of limitations within the databases that require some information to be manually entered or uploaded and that such limitations increase opportunities for error and misinformation. As a result, division management recently began conducting periodic audits of access rights and data quality. 
Corporation Finance Internal Supervisory Controls That Demonstrate the Information and Communication Standard: Consistent with the internal control standard for information and communication, the division's management interacts with supervisors and staff using standing meetings and memorandums to share information about the program's progress towards meeting filing review goals, quality of staff's work, and compliance with established policies and procedures. Also, management regularly receives various standard and ad hoc reports about program performance. For example, assistant and associate directors receive weekly updates that provide a real-time snapshot of the division's current workload. Division managers also receive monthly reports that present summary data on review activity and progress toward meeting goals for number of reviews completed and timing. Finally, the division provides guidance and other program information to staff on its intranet site. Corporation Finance Internal Supervisory Controls That Demonstrate the Monitoring Standard: In addition to the annual 961 assessment, Corporation Finance has implemented a number of controls consistent with the monitoring internal control standard. For example, according to Corporation Finance staff, their standing meetings are an important aspect of the division's monitoring strategy and provide opportunities for senior officers to share information about resources, potential issues with filing reviews, or personnel matters within the assistant director offices. For example, associate directors, assistant directors, and the senior assistant chief accountants in disclosure operations meet regularly to share information across the division and discuss trends or issues across filing reviews. Corporation Finance staff also stated that assistant directors and senior accountants regularly meet with staff to gather information on what staff have seen in their filing reviews. 
Other internal supervisory controls that demonstrate the monitoring standard include the division's practices of (1) releasing its correspondence with companies to the public, which allows for public scrutiny of its work, and (2) assigning a senior officer to manage the process of developing and tracking responses to audit recommendations. Corporation Finance also has efforts under way to help provide an overarching perspective on the quality of filing reviews. Enforcement's Internal Supervisory Controls Are Designed to Help Ensure Investigations Are Conducted Completely and Consistently: Enforcement is charged with investigating potential violations of the federal securities laws and litigating SEC's enforcement actions. As documented by Enforcement, key risks to the division's mission include (1) untimely identification and investigation of potential securities fraud and (2) failure to bring enforcement actions that could deter potential violators and protect investors. Enforcement developed internal supervisory controls to address these and other risks. Enforcement Internal Supervisory Controls That Demonstrate the Control Environment Standard: In 2009, Enforcement began a review of its investigative process intended to streamline procedures and maximize resources. Since that time, Enforcement implemented a number of actions that collectively reflect Enforcement management's efforts to establish and manage its overall performance, in accordance with the internal control standard for control environment. These actions included the following: * In 2009, Enforcement created the Office of the Managing Executive to oversee functions such as case-management systems and broader operational areas such as process improvement and internal controls. According to SEC officials, the new office enables staff to focus on mission-critical investigative activities. 
* In 2010, the division established the Office of Market Intelligence (OMI) to centrally handle tips, complaints, and referrals, known as TCRs. OMI uses a searchable database (known as the TCR system) to triage TCRs, and assign or refer potential investigative leads. OMI is currently piloting a tool that will add analytics capabilities to the database to improve staff's ability to identify high-value TCRs and to search for trends and patterns. * Also, in 2010, the division reassigned approximately 20 percent of its staff to nationwide specialized units designed to concentrate on high-priority enforcement areas, including asset management (for example, hedge funds and investment advisors), market abuse (large-scale insider trading and market structure issues), structured and new products (such as derivatives products), Foreign Corrupt Practices Act violations, and municipal securities and public pensions. The units rely on the knowledge and expertise of experienced staff to better detect links and patterns that could suggest wrongdoing. * Finally, Enforcement has been working with SEC University to develop a curriculum for all levels of staff to increase competency in investigative skills and knowledge of the division's high-priority enforcement areas. Enforcement Internal Supervisory Control Activities: The division maintains procedures that reflect the internal control standard for control activities and that are intended to help ensure that investigations are being carried out according to Enforcement's policies. Such control activities are designed to occur early in and throughout the enforcement process. * Supervisory review of TCR recommendations. 
According to OMI triage procedures, OMI staff review tips, complaints, and referrals before entering them into the TCR system, then decide whether a TCR should be (1) closed because it does not suggest a violation of securities law, (2) assigned for further review, (3) referred outside of Enforcement, or (4) assigned for investigation. The division's control activities include requirements for all decisions to be reviewed by management or senior investigative staff. In addition, TCRs that were closed without becoming an investigation may undergo additional supervisory review by an OMI attorney, assistant director, or senior-level subject-matter expert, and can be re-opened, if appropriate.

* Management discussions and documentation of formal orders of investigation. Recommendations to pursue a formal order of investigation are discussed between investigative staff and management and rely heavily on information from sources such as the staff's informal inquiries, publicly available information, informants, complaints, and whistleblowers. Recommendations that are approved are documented in a signed memorandum to the Commission's Office of the Secretary.

* Quarterly meetings for ongoing investigations. In 2010, Enforcement began conducting quarterly review meetings between supervisors and senior staff to discuss major milestones, resources, and other feedback for all open and active investigations. Supervisors document quarterly reviews by using check sheets.

* Supervisory review of resolutions. As investigations are brought to resolution, assistant directors must review and approve all staff recommendations to close an investigation. Senior officers approve and sign off on the final case-closing report.
Each closing approval is documented in a memorandum and recorded in Enforcement's case tracking system, called HUB.[Footnote 43]

Enforcement Internal Supervisory Controls That Demonstrate the Information and Communication Standard:

Enforcement management relies heavily on information communicated by staff and internal systems to carry out internal supervisory control responsibilities. The division has established various practices intended to help ensure that information is conveyed in a timely, relevant, and reliable form, in accordance with the accepted internal control standard for information and communication. For example, staff may access common information about TCRs and active investigations through the TCR and HUB systems, which can encourage effective communication among staff about whether to exercise investigative and enforcement powers.[Footnote 44] In addition, during quarterly reviews, supervisors are expected to review the status of all open and active investigations, including information about target deadlines, potential impediments, and estimated resources. Weekly senior officer meetings and bimonthly meetings between senior division leadership and assistant directors enable discussion of key issues and developments that affect investigations. According to Enforcement officials, the meetings help ensure investigations stay on track and have the necessary resources. Finally, staff, supervisors, and senior division management hold a separate weekly meeting, known as the "To-be-calendared" meeting, to discuss all recommendations to pursue an enforcement action or settle an enforcement action in litigation.

Enforcement Internal Supervisory Controls That Demonstrate the Monitoring Standard:

Enforcement's procedures for conducting the 961 assessment, in addition to many of the activities noted above, are consistent with the internal control standard for monitoring.
Monitoring controls help management oversee and assess the quality of the work of Enforcement staff. For example, supervisors regularly review information to (1) determine whether investigations are meeting the division's strategic goals, performance goals, and compliance requirements; and (2) monitor staff performance. The division also complies with SEC's procedures for responding to external audit recommendations.

Common Control Deficiencies Indicate Need for Continued Management Attention to Internal Supervisory Controls:

We identified deficiencies in about half of the 60 internal supervisory controls we tested. Specifically, we reviewed a nongeneralizable sample of 60 controls--20 controls from each office's fiscal year 2011 risk and control matrix--that reflect (1) broad aspects of the offices' internal supervisory control structure, and (2) our knowledge of previous internal control failures or high-risk areas.[Footnote 45] We found that about half (33 controls) were effectively designed and generally operating as intended. However, the other half had deficiencies in design or operating effectiveness. Specifically, for almost half (27) of the controls in our sample (1) descriptions of the control activity did not accurately reflect policy or practice; (2) documentation demonstrating the controls' execution was not complete, clear, or consistent; or (3) the controls lacked clearly defined control activities. These control deficiencies may not prevent management from detecting whether the activities of the offices are conducted completely and in accordance with policy. However, the deficiencies were similar in nature across all three offices and made testing the controls difficult.
Without clearly defined control activities and consistent, readily accessible documentation, management and others (including external auditors) may not be able to determine whether the supervisory controls were being appropriately applied and whether they were effective in achieving their intended outcomes. The offices have addressed or have been taking steps to address all 27 identified deficiencies. SEC officials identified some of these deficiencies as they tested the controls during their fiscal year 2011 assessments.[Footnote 46] Other control deficiencies in our sample were addressed during our review, after we had detailed discussions with SEC staff about the deficiencies. However, not enough time had passed to assess the effectiveness of these changes.

First, in reviewing these controls we found that some descriptions of the control activity did not accurately reflect current policy or practice. Six controls in our sample were difficult to review because the control description, as stated in the fiscal year 2011 risk and control matrix, did not accurately reflect the policy or practice in place during the audit period (see table 2). For example, one of the controls implemented by Enforcement stated that OMI was responsible for providing training on TCR system policies and procedures. However, when we questioned Enforcement officials about this control, the officials said that OMI does not maintain documentation of TCR training because it is provided on an informal, as-needed basis and that attendance records are maintained by a different SEC office. Enforcement updated its fiscal year 2012 risk and control matrix to reflect the SEC office responsible for implementing the control. Similarly, an OCIE control described supervisors' use of control sheets to conduct the review of examination workpapers; however, we found that OCIE policy did not require the use of control sheets during the audit period.
As OCIE continues to implement TRENDS, all supervisory reviews and approvals of examination control sheets or similar workpapers will be captured electronically. In March 2013, OCIE officials updated the risk and control matrix to better align the control description with current policy.

Table 2: Status (as of April 2013) of Sampled Internal Supervisory Controls Operating from October 2011 through June 2012 in Which the Description of the Control Activity Did Not Accurately Reflect Policy or Practice:

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: Management performs oversight of examination workpapers and signs control sheets to attest to the review to ensure that examination findings are generally supported by workpapers;
Deficiency: During the audit period, staff was not required to use control sheets to document their review of examination workpapers;
Action taken to address deficiency: With the implementation of TRENDS in fiscal year 2012, evidence of supervisory review and approval of examination control sheets or similar workpapers is captured electronically.

SEC office or division: Division of Corporation Finance;
Internal supervisory control description: If, during the course of a filing review, an assistant director office is unable to resolve a material disclosure issue, it will consult with the division's Office of Enforcement Liaison and consider whether to refer the matter to Enforcement;
Deficiency: Division's procedures were last updated in 2005 and did not reflect current procedures;
Action taken to address deficiency: Enforcement Liaison manual has been modified to reflect current procedures.

SEC office or division: Division of Enforcement;
Internal supervisory control description: OMI communicates TCR procedures and provides TCR training to SEC personnel (procedures and training are located on the division's intranet);
Deficiency: During the audit period, OMI was not responsible for providing TCR training;
Action taken to address deficiency: The fiscal year 2012 risk and control matrix omits language suggesting OMI's responsibility for TCR training and better reflects OMI's current responsibilities.

Internal supervisory control description: Potential MUIs or investigations are automatically routed, via system parameters, to authorized individuals within the Investigations Group for review and approval;
Deficiency: The TCR system is not capable of automatic routing;
Action taken to address deficiency: The fiscal year 2012 risk and control matrix omits reference to "automatic routing" because MUIs or investigations are manually routed by staff.

Internal supervisory control description: Training requests are submitted on Form 182 and approved by the Enforcement training unit;
Deficiency: During the audit period, Enforcement was not responsible for managing Form 182s submitted by staff;
Action taken to address deficiency: The fiscal year 2012 risk and control matrix revised the control language to reflect Enforcement management's responsibility for approving training requests.

Internal supervisory control description: Enforcement has a nationwide program specifically focused on training all staff members on new developments in the securities industry. The training unit is able to share this information with all staff members through a SharePoint site linked to the division's intranet site, EnforceNet. Attendance and electronic certifications are tracked and monitored by supervisors;
Deficiency: During the audit period, no nationwide training program was available to staff. In addition, there was no mechanism to confirm that supervisors tracked or monitored staff attendance;
Action taken to address deficiency: The fiscal year 2012 risk and control matrix clarifies the nature of the training available to Enforcement staff by omitting reference to a nationwide training program. The matrix also omits the reference to tracking and monitoring staff attendance to better reflect current practice.

Source: GAO summary of its review of selected SEC internal supervisory controls.

[End of table]

Second, for some controls the documentation demonstrating execution of the control was not complete, clear, or consistent. For nine controls in our sample, the underlying documentation to support execution of the control was inconsistent, unclear, or missing (see table 3). For example, management reviews of OCIE examination reports were documented in different ways, conducted by different levels of management, and found in different locations in the examination file. As of April 2013, OCIE officials stated that they had addressed or were addressing deficiencies in all of these controls. In another example, Enforcement's documentation of supervisory review of case progress on a quarterly basis was not consistent and in a few instances lacked evidence demonstrating that the review took place. Specifically, we requested all checksheets from our audit period, a total of 168, used by supervisors to document their quarterly case reviews and found that the checksheets were not maintained in a manner readily available for review. As a result, we worked with Enforcement officials to select a sample of 65 checksheets to review. Upon review, we found that the practices for documenting supervisory review were inconsistent and made our review challenging. For example, in some checksheets, supervisors signed the checksheet and also initialed next to each individual case listed on the checksheet.
On other checksheets, supervisors signed the checksheet and either did not initial next to individual cases at all or only initialed next to select cases. Enforcement officials said that communication through standing meetings with assistant directors and executive management, rather than supervisory signatures, provided officials with confidence that the quarterly case reviews were taking place. To increase consistency in how the quarterly review sheets are executed, Enforcement officials provided guidance to its senior officers communicating that supervisors must sign the checksheet and that this signature will indicate that all matters on the checksheet have been reviewed.

Table 3: Status (as of April 2013) of Sampled Internal Supervisory Controls Operating from October 2011 through June 2012 That Lacked Complete, Clear, or Consistent Documentation Demonstrating Execution of the Control:

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: Management conducts quarterly reviews of open examinations to identify any outstanding issues related to complex or lengthy examinations and help develop a resolution or alternative examination plan;
Identified deficiency: OCIE home and regional offices use inconsistent practices for documenting these reviews. Also, loss of records or deletion of appointments inhibited appraisal of some reviews;
Action taken to address deficiency: According to OCIE staff, they plan to develop a standard form to document these reviews.

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: Key examination policies and procedures are posted on the NEP intranet to ensure that staff can access the appropriate policy or procedure as needed;
Identified deficiency: OCIE self-identified that the NEP intranet is not well organized;
Action taken to address deficiency: New OCIE intranet under development to better organize policies and procedures.

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: Management reviews and approves examination reports at the end of every examination to ensure examination results are documented and interpreted appropriately;
Identified deficiency: Although we generally could find evidence of management review, documentation varied from signed examination reports to e-mails indicating approval;
Action taken to address deficiency: TRENDS captures the supervisor's or manager's name and date of all reviews and approvals in a consistent manner.

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: NEP management provides employees with semi-annual and annual feedback through a formal performance plan process which is in place for all employees to ensure effective communication with staff. Both management and staff sign this performance plan as evidence of review;
Identified deficiency: A significant number of semi-annual and annual plans/review sheets were missing documentation of staff or supervisory participation in one or both of the reviews;
Action taken to address deficiency: According to OCIE staff, management has been working with the Office of Human Resources to ensure that staff have adequate feedback and direction. OCIE also stated that SEC University has provided and will provide managers with additional training on performance feedback.

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: Examinations are scoped using a risk-based approach. Management approves the scope memorandums, examination reports, document requests and deficiency letters at the time of the examination to ensure that applicable rules and regulations are reviewed during the examination;
Identified deficiency: Evidence of management review of scope memorandums varied and did not always include management signature or initials on the scope document;
Action taken to address deficiency: TRENDS captures scoping information and supervisor approval in a consistent manner.

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: In subsequent examinations, staff review previous deficiencies to check for recidivist behavior and include this information in the scope memorandum;
Identified deficiency: A number of scope memorandums did not contain information indicating staff reviewed previous examinations for deficiencies;
Action taken to address deficiency: TRENDS requires examiners to confirm they have reviewed previous examinations before submitting the scope memorandum for approval.

SEC office or division: Division of Enforcement;
Internal supervisory control description: The chief litigation counsel or immediate supervisor reviews case progress (status, deadlines, etc.) on a quarterly basis;
Identified deficiency: During the audit period, Enforcement did not require a consistent or specific format for documenting the results of quarterly case reviews;
Action taken to address deficiency: Division provided guidance to staff clarifying appropriate documentation of supervisory review.

SEC office or division: Division of Enforcement;
Internal supervisory control description: If a potential action (litigation/settlement) arises out of an investigation or litigation, an action memorandum (recommendation) is prepared and vetted/reviewed by immediate supervisors and senior officers before the "To-be-calendared" meeting and subsequent "calendar briefing";
Identified deficiency: Enforcement does not document senior officer and immediate supervisor review of the action memorandum prior to the memorandum being placed on the "To-be-calendared" meeting agenda;
Action taken to address deficiency: The fiscal year 2012 risk and control matrix omits reference to the "To-be-calendared" meeting and subsequent "calendar briefing," and division management no longer considers this control to be applicable to section 961 requirements.

SEC office or division: Division of Enforcement;
Internal supervisory control description: On a quarterly basis, select staff are responsible for coordinating the sub-certification process for outstanding balances for the associate director group in each regional office and the home office;
Identified deficiency: During the audit period, no mechanism was in place to document the coordinating efforts of staff applicable to the control;
Action taken to address deficiency: The fiscal year 2012 risk and control matrix omits reference to coordination activities and includes requirements for senior staff to certify balance due and collection activity reports on a quarterly basis.

Source: GAO summary of its review of selected SEC internal supervisory controls.

[End of table]

Finally, some controls lacked clearly defined control activities. Specifically, 12 controls in our sample were difficult to test because they were not designed to enable the control to operate effectively (see table 4).
For example, Corporation Finance's policy requires a review of all Securities Act initial public offerings and initial Exchange Act registrations unless an associate director determines otherwise; however, we found that the division lacked specific procedures by which an associate director could indicate and document this decision. And, although decisions to forgo a second-level review at the screening and examination stages were made consistently, the documented procedures did not completely describe when exceptions to the general requirement were acceptable. In addition, Enforcement did not have a mechanism in place to implement its control that all policies and procedures are reviewed, updated, and approved on an annual basis. As of April 2013, all of these deficiencies had been addressed or were being addressed.

Table 4: Status (as of April 2013) of Sampled Internal Supervisory Controls Operating from October 2011 through June 2012 That Lacked Clearly Defined Control Activities:

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: In some regions, training is available locally to ensure staff are appropriately trained on emerging trends and topical issues;
Identified deficiency: OCIE self-identified that its systems for tracking staff training were insufficient;
Action taken to address deficiency: SEC University developed a new information technology system for tracking training. OCIE also has hired a training manager to coordinate training.

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: NEP has key performance indicators and strategic plan metrics that are measured and updated by the Office of the Managing Executive and reported to the Chairman's Office and Office of Financial Management on a monthly basis to communicate NEP progress. In addition, OCIE holds regular videoconferences with the home office and regional offices to discuss the regional examination plan and progress;
Identified deficiency: OCIE has introduced new performance measures and lacks the means for capturing the data necessary to report on these measures;
Action taken to address deficiency: OCIE management and information technology staff have been developing the means for capturing and reporting information for some new performance metrics.

SEC office or division: Office of Compliance Inspections and Examinations;
Internal supervisory control description: Management makes/approves assignments before each examination;
Identified deficiency: Staff indicated management approval was captured in scope memorandums, but the risk and control matrix stated that approval was captured on the examination report. Management review and approval of the examination report takes place after the report is completed;
Action taken to address deficiency: Control updated to reflect approval of staffing prior to examination. TRENDS system captures staffing and approval information in the pre-examination stage.

SEC office or division: Division of Corporation Finance;
Internal supervisory control description: Using selective review criteria, assistant director offices evaluate company and transaction disclosures to determine the appropriate level of review of each transactional filing;
Identified deficiency: Division procedures did not reflect screening criteria that allowed for exceptions to the general requirement that filings be screened and for that screening to be reviewed;
Action taken to address deficiency: Division updated and documented its screening criteria to describe exceptions to the general requirement.

SEC office or division: Division of Corporation Finance;
Internal supervisory control description: Following documented procedures, assistant director offices determine level and scope of review. These procedures require a second-level review of corporate filing review recommendations and proposed comments on Securities Act filings and a second-level review of proposed comments on Exchange Act filings;
Identified deficiency: Division procedures did not reflect examination second-level review criteria that allowed for exceptions to the general requirement for a second-level review. Also, practice of this exception preceded adoption of policy;
Action taken to address deficiency: Division updated and documented its second-level review criteria to describe exceptions to the general requirement.

SEC office or division: Division of Corporation Finance;
Internal supervisory control description: Unless an associate director confirms that it is appropriate to proceed otherwise, the division reviews all Securities Act initial public offerings and initial Exchange Act registrations;
Identified deficiency: Division lacked a specific procedure for documenting the associate director decision and a system for recording it;
Action taken to address deficiency: Implemented procedures for capturing associate director approval in the Filing Activity Tracking System or on the screening sheet.

SEC office or division: Division of Corporation Finance;
Internal supervisory control description: The deputy and associate directors review and validate procedures before posting them on the division's intranet site;
Identified deficiency: Division lacked documented procedures for deputy and associate director review and approval of procedures and lacked approved procedures for posting them to the intranet;
Action taken to address deficiency: Control removed from fiscal year 2012 risk and control matrix. Division management determined it was no longer a key risk.

SEC office or division: Division of Corporation Finance;
Internal supervisory control description: Management uses EDGAR and the Filing Activity Tracking System to track filing review information and limits access to these databases to enhance accuracy;
Identified deficiency: During the audit period, Corporation Finance lacked adopted procedures for conducting reviews of user access to databases;
Action taken to address deficiency: Adopted formal procedures for regularly auditing access rights.

SEC office or division: Division of Corporation Finance;
Internal supervisory control description: Assistant director offices seek advice from the division's Office of Chief Accountant on matters that may lead to restatement;
Identified deficiency: Corporation Finance lacked procedures to specify when such consultations should occur and how the consultations should be documented;
Action taken to address deficiency: Control removed from fiscal year 2012 risk and control matrix. Division management determined it was no longer a key risk.

SEC office or division: Division of Enforcement;
Internal supervisory control description: All existing procedures are reviewed, updated, and approved on an annual basis;
Identified deficiency: During the audit period, Enforcement did not have a mechanism in place to ensure that all existing procedures were reviewed, updated, or approved on an annual basis;
Action taken to address deficiency: According to Enforcement staff, officials have been developing a list of all policies, procedures, and regulations that will be updated periodically based upon guidance to be determined.

SEC office or division: Division of Enforcement;
Internal supervisory control description: Enforcement has policies and procedures in place intended to incorporate a means by which employees should comply with all rules and regulations related to employment at the Commission;
Identified deficiency: During the audit period, Enforcement did not have a mechanism in place to ensure that its policies and procedures could effect employee compliance with employment rules and regulations;
Action taken to address deficiency: According to Enforcement staff, officials have been developing a tool to identify and track updates to compliance-related policies and procedures.

SEC office or division: Division of Enforcement;
Internal supervisory control description: Management performs direct and ongoing monitoring of the progress of investigations through regular interactions with staff members (through telephone calls, e-mails, and ad hoc case meetings and through regularly scheduled or routine management and supervisory meetings);
Identified deficiency: During the audit period, Enforcement did not have a mechanism in place to track the nature or frequency of the direct or ongoing monitoring activities referenced in the control;
Action taken to address deficiency: The fiscal year 2012 risk and control matrix includes specific language to convey direct monitoring activities. For example, one control is designed to ensure that senior officers and assistant directors review open investigations.

Source: GAO summary of its review of selected SEC internal supervisory controls.

[End of table]

Conclusions:

Since the passage of the Dodd-Frank Act, OCIE, Corporation Finance, and Enforcement have established an internal supervisory control framework that is generally reflective of federal internal control standards.
The offices' efforts, including senior-level management and internal control experts' involvement in the formation of the 961 Working Group, demonstrate a deliberate and coordinated approach to designing the framework. In addition, senior-level management's involvement in the annual 961 assessments, as well as in our audit, indicates a commitment to improving internal control.

We found deficiencies in the design or operating effectiveness of about half of the 60 internal supervisory controls we tested. Specifically, for these internal supervisory controls, the description of the control activity did not accurately reflect policy or practice; the documentation demonstrating execution of the control was not complete, clear, or consistent; or the control lacked clearly defined control activities. These control deficiencies may not prevent management from detecting whether the activities of the offices are conducted completely and in accordance with policy. However, the similarity in the nature of the deficiencies across all three offices suggests that management attention to the design and operation of internal supervisory controls is warranted. Federal internal control standards state that control activities should enable effective operation and have clear, readily available documentation.

The offices have addressed or have been taking steps to address all 27 identified deficiencies. In some cases, the offices began to take corrective action before or during our audit based on their fiscal year 2011 section 961 assessment findings. Other control deficiencies were addressed during our review, after we had detailed discussions with SEC staff about the deficiencies. Because most actions became effective during our audit, not enough time had passed to test and verify the effectiveness of the actions SEC has been taking to address the identified deficiencies.
Taking steps to ensure that all controls have clearly defined activities and clear and readily available documentation demonstrating execution of the activity would provide SEC management with better assurance that policies were being executed as intended and would strengthen SEC's internal supervisory control framework. Furthermore, SEC management and auditors would be better able to test and assess the effectiveness of a control, opening the door to further improvement in individual controls.

Recommendation for Executive Action:

To help ensure that controls are properly designed and operating effectively, SEC should make certain that existing internal supervisory controls and any developed in the future have clearly defined activities and clear and readily available documentation demonstrating execution of the activities.

Agency Comments:

We provided a draft of this report to SEC for review and comment. SEC provided written comments, which are reprinted in appendix II. In its letter, SEC agreed with our recommendation. SEC also stated that GAO concluded that the agency has established an overall framework to implement section 961 that meets GAO's internal control standards. While we found that OCIE, Corporation Finance, and Enforcement have established an internal supervisory control framework that is generally reflective of federal internal control standards, we also found deficiencies in the design or operating effectiveness of about half of the 60 internal supervisory controls we tested. The offices have addressed or have been taking steps to address all of the deficiencies. Further, SEC noted in its letter that it conducted additional testing on the effectiveness of its internal supervisory controls for the 90-day period ending September 30, 2012, and did not identify any material weakness or significant deficiencies. We did not evaluate SEC's testing of controls for this time period as part of this report.
SEC also provided technical comments on the draft report, which we incorporated as appropriate.

We are sending copies of this report to SEC, appropriate congressional committees and members, and other interested parties. The report also is available at no charge on the GAO website at [hyperlink, http://www.gao.gov].

If you or your staffs have any questions about this report, please contact me at (202) 512-8678 or clowersa@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III.

Signed by:

A. Nicole Clowers:
Director, Financial Markets and Community Investment Issues:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

This report focuses on functions performed through the Office of Compliance Inspections and Examinations (OCIE), Division of Corporation Finance (Corporation Finance), and Division of Enforcement (Enforcement) at the Securities and Exchange Commission (SEC)--to which we refer collectively as the offices. We examined (1) the steps the offices have taken toward developing an internal supervisory control framework over the specified programs, (2) the internal supervisory controls each office has implemented and how these controls reflect established internal control standards, and (3) the extent to which the internal supervisory controls have operated as intended.

To describe the steps each office has taken toward developing an internal supervisory control framework over the specified programs, we evaluated and analyzed documentation from (1) fiscal year 2011 assessments that OCIE, Corporation Finance, and Enforcement completed in accordance with requirements of section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act; (2) SEC's reports to Congress; and (3) documentation related to each office's fiscal year 2011 testing of internal supervisory controls.
We also reviewed documentation from the 961 Working Group and Office of the Chief Operating Officer, such as training presentations and documents describing the electronic tool used to capture risk and control information. We also reviewed previous GAO reports on other internal control frameworks and GAO's audits of SEC's financial statement and the Federal Managers' Financial Integrity Act process. We compared SEC's internal supervisory control framework with frameworks set forth in GAO's Standards for Internal Control in the Federal Government. [Footnote 47] We interviewed officials from OCIE, Corporation Finance, Enforcement, and the Office of the Chief Operating Officer about actions taken to develop an internal supervisory control framework and how the framework addresses accepted internal control standards. To describe the internal supervisory controls that exist as part of the offices' processes for conducting complete and consistent examinations, reviews of financial securities filings, and investigations, we evaluated and analyzed documentation from OCIE, Corporation Finance, and Enforcement, including policies and procedures for conducting examinations, filing reviews, and investigations. We also analyzed the offices' fiscal years 2011 and 2012 risk and control matrixes, in which they identify key risks and controls designed to mitigate those risks. Furthermore, we observed the information technology systems used to track and document these activities. We interviewed officials from these offices about the examination, filing review, and investigation processes; and the specific internal supervisory controls that each unit has in place. We also interviewed these officials and MorganFranklin, the consulting firm hired to help assess the offices' internal supervisory controls, to better understand their work processes, internal supervisory controls, and how each office has been addressing individual internal control standards. 
Finally, we obtained staff views on each office's internal controls and communication from focus groups of randomly selected supervisory and nonsupervisory staff from OCIE and Enforcement in the Fort Worth, Texas; Miami, Florida; and Los Angeles, California regional offices and headquarters. We obtained similar information from Corporation Finance supervisory and nonsupervisory staff.[Footnote 48]

We assessed a nongeneralizable sample of 60 fiscal year 2011 internal supervisory controls relevant to the conduct of examinations, filing reviews, and investigations to determine whether they operated as intended. We identified 135 controls that we categorized according to the internal control standard (control environment, risk assessment, control activities, information and communication, and monitoring) each best demonstrated. We selected a nonprobability sample of 11 OCIE, 10 Corporation Finance, and 11 Enforcement controls to review based on known information on past internal control failures and high-risk activities. We supplemented this sample with a random selection of 9 controls from OCIE and Enforcement and 10 controls from Corporation Finance from the remaining population, for a total of 20 controls from each office. For the selected controls, we reviewed the policies, procedures, and stated control objectives of the offices to determine if selected internal supervisory controls were designed in a manner capable of achieving their stated objectives. We also interviewed staff from each office on the operation of these controls. To review the operational effectiveness of the selected controls, we directly observed the electronic databases or spreadsheets described in some controls, obtained documentation or electronic data to analyze other controls, and compared the evidence with each control's description to determine whether the control functioned as intended.
The methodology used to review each control varied due to the nature of each control, the availability of control-level data, and the different methods used to document the control. In this report, we present our findings on controls with deficiencies in tables 2 through 4. The results of our reviews of the design and functioning of the specified controls are applicable only to the tested control for the audited time period and therefore are not generalizable to all of SEC's internal supervisory controls. To review the fiscal year 2011 testing conducted by each office, we reviewed documentation describing the methodologies used and the results. As our review did not identify or test every control, it should not be interpreted as an attestation of the offices' internal control.

We conducted this performance audit from February 2012 to April 2013 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[End of section]

Appendix II: Comments from the Securities and Exchange Commission:

United States Securities and Exchange Commission:
The Chairman:
Washington, DC 20549:

April 8, 2013:

A. Nicole Clowers:
Director:
Financial Markets and Community Investment:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:

Dear Ms. Clowers:

Thank you for the opportunity to review the draft report entitled, Continued Management Attention Would Strengthen Internal Supervisory Controls ("Report"). We greatly appreciate the valuable insight that the Government Accountability Office ("GAO") has provided to the SEC throughout the course of this engagement.
Thank you, too, for the acknowledgment of the significant work that SEC staff and managers have devoted over the past three years to establishing the new internal controls program required to successfully implement the new requirements contained in Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 ("Dodd-Frank Act"). [Footnote 1] We are pleased to learn that you have concluded that the SEC has established an overall control framework to implement Section 961 that meets GAO's internal control standards, including with respect to identifying and assessing risks, identifying and assessing internal controls, and reporting the results of testing to SEC management and Congress.[Footnote 2]

We also appreciate the specific findings and recommendation contained in your Report, which are extremely helpful as we work to strengthen our ability to assess and address the identified risks that pose the greatest challenges to the continued quality and success of our programs. We remain committed to continuing to strengthen our framework and will incorporate the GAO's recommendation into our annual risk assessment process.

In this engagement, GAO selected and tested a sample of internal supervisory controls from the list of existing operating controls for the fiscal year ending September 30, 2011 ("2011 reporting cycle"). The 2011 reporting cycle, in fact, was the first year that we conducted testing of the internal supervisory controls identified by Section 961 of the Dodd-Frank Act. During this first year of detailed testing, our Office of Compliance Inspections and Examinations, Division of Enforcement and Division of Corporation Finance ("the offices") identified a number of deficiencies requiring corrective action and management attention, although we did not believe that any of these deficiencies rose to the level of a material weakness or significant deficiency.
The GAO's Report reaches a similar conclusion with respect to the 2011 reporting cycle and notes that the SEC has already taken, or is taking steps, to address nearly all of the deficiencies identified by the GAO. Since many of these deficiencies had already been identified by SEC management during our 2011 testing, corrective action in many cases was already underway in 2012 at the time that GAO conducted its testing.

Building on the procedures that GAO performed on the 2011 reporting cycle, SEC management conducted additional testing on the effectiveness of internal supervisory controls for the 90-day period ending September 30, 2012 ("2012 reporting cycle"). While GAO was not in a position to evaluate the results of our assessment of internal supervisory controls for the 2012 reporting cycle, SEC management did not identify any material weaknesses or significant deficiencies during this testing. The results of this assessment were reported to Congress in December 2012.

Meeting the challenges related to developing and maintaining a strong internal supervisory control system is a top priority for the SEC. We strongly embrace the goals that Congress set forth in Section 961 of maintaining internal supervisory controls that reasonably assure that the core work of three of our primary functions — enforcement investigations, examinations of registered entities, and reviews of corporate financial securities filings — are consistently performed with professional competence and integrity. We remain dedicated to continuously evaluating our system of internal supervisory controls, monitoring the quality of our supervisory controls, and implementing changes to enhance our control environment when warranted.

We appreciate GAO's attention to these important issues and would like to thank you and your staff for your work, which will greatly assist us in our continuing efforts to strengthen the quality and effectiveness of our program operations.

Sincerely,

Signed by:

Elisse B. Walter:
Chairman:

Footnotes:

[1] Section 961 of the Dodd-Frank Act requires the SEC to report annually to Congress on the assessment of the effectiveness of its internal supervisory controls applicable to staff who perform examinations, enforcement investigations, and reviews of corporate filings. In its first three annual reports — for FY 2010, 2011, and 2012 — the SEC found no significant deficiencies in its internal supervisory controls related to the core functions identified in Section 961.

[2] The SEC maintains a formal system of internal control over financial reporting that allows the agency annually to prepare and submit audited financial statements to Congress and the Office of Management and Budget. GAO previously audited our system of internal control over financial reporting and found that the agency maintained, in all material respects, effective internal control over financial reporting, among other findings.

[End of section]

Appendix III: GAO Contact and Staff Acknowledgments:

GAO Contact:

A. Nicole Clowers, (202) 512-8678 or clowersa@gao.gov:

Staff Acknowledgments:

In addition to the contact named above, Andrew Pauline (Assistant Director), Bethany Benitez, Tiffani Humble, Matt Keeler, Kristen Kociolek, Jonathan Kucskar, Mark Molino, Luann Moy, Mark Ramage, and Barbara Roesmann made key contributions to this report.

[End of section]

Footnotes:

[1] Pub. L. No. 111-203, § 961(e)(1), 124 Stat. 1376, 1908 (2010).

[2] Similarly to our definition, SEC defines internal supervisory control as the processes management established for monitoring that procedures applicable to staff are performed consistently with competence and integrity, and also remain reasonable, adequate, and current.

[3] The focus of this report is on the offices' internal supervisory controls for conducting examinations, financial securities filing reviews, and investigations.
Therefore, it does not include information on the offices' other internal controls for such areas as financial management, information technology, or information security. The SEC OIG recently examined the agency's internal controls for information security. See SEC, Office of Inspector General, 2012 FISMA Executive Summary Report, OIG-512 (Washington, D.C.: Mar. 29, 2013).

[4] See Pub. L. No. 111-203, § 961(b)(1)(B). Section 961 includes certification requirements that apply to directors of OCIE, Enforcement, Corporation Finance, and "any successor division or office." Id. at § 961(c)(1). During fiscal year 2012, the Office of Credit Ratings (OCR)--which section 932(a) of the Dodd-Frank Act created and SEC established in June 2012--assumed from OCIE the responsibility of examining entities that are registered as Nationally Recognized Statistical Rating Organizations (NRSRO). Although not specifically mentioned in section 961, OCR, as a successor office, began to provide the required certification for examinations of NRSROs.

[5] Pub. L. No. 111-203, § 961(b)(1)-(3).

[6] Id. at § 961(a).

[7] Section 961(e) requires that we report on SEC's internal supervisory control structure not less frequently than once every 3 years. This is our first report on this topic; therefore, SEC's first three annual reports noted that we had not yet reviewed SEC's internal supervisory controls.

[8] Pub. L. No. 97-255, 96 Stat. 814 (Sept. 8, 1982).

[9] For our most recent audit, see GAO, Financial Audits: Securities and Exchange Commission Fiscal Years 2012 and 2011 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-13-122R] (Washington, D.C.: Nov. 15, 2012).

[10] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1999).
[11] COSO was organized in 1985 to sponsor the National Commission on Fraudulent Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also has developed recommendations (including a framework for internal control) for public companies and their independent auditors, for SEC and other regulators, and for educational institutions.

[12] According to OMB Circular No. A-123, "the requirements of FMFIA serve as an umbrella under which other reviews, evaluations, and audits should be coordinated and considered to support management's assertion about the effectiveness of internal control over operations, financial reporting, and compliance with laws and regulations." According to SEC staff, they identify and assess risks and identify controls as part of SEC's larger FMFIA management assurance process to identify the universe of risks and corresponding controls for each office. After this process is completed, internal supervisory controls are identified and tested to fulfill the annual 961 assessment requirements.

[13] In fiscal year 2012, OCR was added to the Working Group.

[14] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1], and OMB, Circular No. A-123: Management's Responsibility for Internal Control (Washington, D.C.: Dec. 21, 2004), accessed March 6, 2013, [hyperlink, http://www.whitehouse.gov/omb/circulars_a123_rev].

[15] Pub. L. No. 111-203, § 961(b)-(c).

[16] GAO, Government Auditing Standards (2011 Revision), [hyperlink, http://www.gao.gov/products/GAO-12-331G] (Washington, D.C.: Jan. 20, 2012).

[17] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[18] The Working Group defines a key risk to be a risk that in the office's informed judgment carries significant inherent risk to its ability to consistently conduct examinations, investigations, or reviews with professional competence and integrity.
[19] Inherent risk refers to the risk that exists under the assumption that no controls are in place to prevent or detect the risk.

[20] The Working Group defines key controls as those controls that, if they fail, may significantly inhibit a division or office from meeting its objectives.

[21] GAO, Financial Audit Manual, 1, [hyperlink, http://www.gao.gov/products/GAO-08-585G] (Washington, D.C.: July 2008).

[22] For the fiscal year 2011 assessment, the team consisted of the Deputy Director for Disclosure Operations, the Managing Executive, and a management and program analyst. The Associate Director for Disclosure Standards was added to the team for the fiscal year 2012 assessment.

[23] According to staff, the offices did not conduct effectiveness testing in fiscal year 2010 due to the limited time between passage of the Dodd-Frank Act and the required reporting deadline.

[24] [hyperlink, http://www.gao.gov/products/GAO-12-331G].

[25] In fiscal year 2012, the director of OCR began signing the certification document.

[26] Pub. L. No. 111-203, § 961(c)(2)(D).

[27] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[28] Standards for Internal Control in the Federal Government is necessarily flexible; therefore, the same control could be determined to meet the characteristics of more than one standard. Although we use examples of internal supervisory controls from each office that reflect each of the internal control standards, each office has numerous other controls that also could be characterized as reflective of internal control standards.

[29] OCIE's NEP committees are Executive Committee; Operating Committee; Technology Steering Committee; People Steering Committee; Risk and Examination Process Steering Committee; and Compliance, Ethics, and Internal Control Steering Committee.

[30] SEC University is part of the Office of Human Resources and consists of three colleges.
The Leadership Development College focuses on leadership and offers classes to all SEC employees. The Securities and Investor Protection College offers mission-relevant training and development and continuing education to staff in the various mission offices. The Core Curriculum College provides training in core competencies and development training for all support employees. SEC University collaborates with the divisions and offices to conduct training needs assessments and develop training plans to address the identified needs.

[31] OCIE procedures do not require staff to use control sheets, but do require documentation of the steps taken during an examination. As NEP program offices begin using a new tracking and reporting system to document their examinations, the system will be updated to accommodate control sheets or similar documents.

[32] As OCIE phases in the TRENDS system, the office will continue to use the Super Tracking and Reporting System (STARS) to record and track examinations opened prior to the implementation of TRENDS. STARS collects and records basic data such as when the examination was conducted; what staff participated; what types of deficiencies were found, if any; and the outcome of the examination.

[33] Staff access rights to TRENDS examination information are based on the staff member's role in specific examinations. In general, staff only may access examinations to which they are assigned and work on those portions of the examination to which they have been assigned. Supervisors can access any examination for which they are responsible. All staff can open, in a read-only format, any closed examinations in TRENDS.

[34] Pub. L. No. 111-203, § 929U, 124 Stat. 1376, 1867 (2010) (amending the Securities Exchange Act of 1934, Pub. L. No. 73-291, 48 Stat. 881 (codified as amended at 15 U.S.C. §§ 78a-78pp)).
[35] The NEP leadership team comprises OCIE's director, deputy director, regional office directors, the national associate directors, managing executive, chief counsel and compliance and ethics officers, and all of the associate regional directors for examinations.

[36] The Securities Act of 1933 regulates public offerings of securities, requiring that issuers register securities with SEC and provide certain disclosures, including a prospectus, to investors at the time of sale, unless an exemption from registration is available. Securities Act of 1933, Pub. L. No. 73-22, 48 Stat. 74 (1933) (codified as amended at 15 U.S.C. §§ 77a-77aa). The Securities Exchange Act of 1934 established the SEC and provided it with broad authority over all aspects of the securities industry; this includes the power to require periodic reporting of information by companies with publicly traded securities. Securities Exchange Act of 1934, Pub. L. No. 73-291, 48 Stat. 881 (codified as amended at 15 U.S.C. §§ 78a-78pp).

[37] For the purposes of the 961 assessments, Corporation Finance defines "corporate financial securities filings" to mean filings containing financial statements and related disclosures that (1) public companies file with SEC in accordance with the Securities Act, Exchange Act, and Commission rules and regulations, and (2) fall within the scope of authority delegated by the Commission to the division.

[38] The Sarbanes-Oxley Act of 2002 requires the division to review disclosures made by issuers reporting under section 13(a) of the Securities Exchange Act of 1934 (including reports filed on Form 10-K), and which have a class of securities listed on a national securities exchange or traded on an automated quotation facility of a national securities association. Pub. L. No. 107-204, § 408(a), 116 Stat. 745, 790 (codified at 15 U.S.C. § 7266(a)). The reviews are to be made at least once every 3 years and include a review of an issuer's financial statements. Id. at § 408(a), (c). Recently, the division hired an outside consulting firm to review the process created by the division's information technology unit to identify companies for review to meet its requirements under section 408 of Sarbanes-Oxley.

[39] Second-level reviewers are typically supervisory staff, but may not be, depending on workload and an assistant director's determination of the capabilities of other staff to undertake the reviews.

[40] Examiners evaluate disclosures based on a review level determined during the screening phase of the filing review process.

[41] Depending on the nature and extent of the review or which staff member is responsible for processing the filing, the assistant director's office may complete a review and issue comments without also assigning a reviewer to the filing review. The division has not established criteria for determining when a staff member is qualified to be a reviewer. Division management allows assistant directors to make that determination.

[42] In addition to EDGAR, SEC maintains four other systems: The Filing Activity Tracking System (FACTS) tracks the progress of filing reviews. The Closing Memo Database is used to maintain and provide easy access to closing memorandums. The Comment Letter Dissemination system enables staff to schedule filing review correspondence for dissemination, review the correspondence before dissemination, confirm that the correspondence is associated with the correct review, and ensure that the filing review does not contain confidential or personally identifiable information. The Confidential Treatment Request system is used to track the status and disposition of the division's processing of confidential treatment requests.

[43] HUB has been Enforcement's primary case tracking system since 2007. The system focuses on tracking information about matters under investigation (MUI) and investigations.
In May 2011, Enforcement transferred information from its legacy case management system, called CATS2000, to HUB. Also in 2011 and 2012, Enforcement made other system enhancements to HUB, such as the ability to track the collection of civil monetary penalties and return of illegal profits (called disgorgement).

[44] Staff ability to incorporate data and information into the TCR and HUB systems is limited to the work to which they have been assigned. However, staff can search the TCR and HUB systems for information about TCRs or investigations that may be related to their work assignments.

[45] Many controls used in the offices--such as those used for staffing and personnel management, budgeting, and information technology systems and physical security--were not applicable to the scope of this work. We developed the methods to test each control based on the nature of the control, and the quality or availability of data. The offices previously tested many of these controls for their 961 reports for fiscal year 2011. See appendix I for more information.

[46] Most of SEC's actions to address the identified deficiencies became effective during or after our audit. As a result, we were unable to test and verify the effectiveness of these actions.

[47] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[48] All Corporation Finance staff are located in headquarters and therefore did not participate in the focus groups in the regional offices.

[End of section]

GAO’s Mission:

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions.
GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

[End of document]