Financial Markets:

Stronger System Controls and Oversight Needed to Prevent NASD Computer Outages

AIMD-95-22: Published: Dec 21, 1994. Publicly Released: Dec 21, 1994.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov

 


Pursuant to a congressional request, GAO reviewed recent computer outages experienced by the National Association of Securities Dealers' (NASD) automated quotation and trading systems (NASDAQ), focusing on: (1) the nature and causes of the outages; (2) the outages' impact on market participants; (3) NASD planned responses to contingencies and disasters; (4) NASD oversight of its automated systems and facilities; and (5) how well the Securities and Exchange Commission (SEC) is ensuring that the securities markets are prepared for contingencies and disasters.

GAO found that: (1) unrelated software and hardware malfunctions caused the NASDAQ outages; (2) although NASD has seriously sought to make its systems more reliable, there are areas where it needs to make further improvements, such as testing new software; (3) although the outages did not significantly affect individual investors, they severely hampered broker-dealers' ability to perform best and efficient securities trades; (4) control weaknesses at the NASD backup computer facility and in NASD contingency and disaster plans could make it difficult for NASD to recover quickly from disasters; (5) NASD failure to include market systems reviews in its internal audits limits its systems oversight; and (6) although SEC has strengthened oversight of market automation in some areas, weaknesses still exist in its oversight program.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: According to SEC, it monitors all open audit recommendations and follows up with the SROs regarding their efforts to address these recommendations. However, SEC notes that it does not ensure that open recommendations are resolved within any specified timeframe. Instead, SEC relies on SRO management to address such recommendations. SEC believes that this is an effective and cost-efficient method of achieving closure on audit recommendations.

    Recommendation: The Chairman, SEC, should follow up on systems auditors' recommendations and ensure that the recommendations are adequately resolved.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: Rather than schedule regular, periodic on-site inspections, SEC has opted for relying on: (1) annual briefings with SRO staff; and (2) the results of the SROs' independent reviews as the bases for selecting which SROs to inspect. SEC believes this approach permits it to direct inspection resources to areas where weaknesses may exist.

    Recommendation: The Chairman, SEC, should determine SEC inspection frequency needed to ensure adequate oversight of market systems and facilities.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: According to the SEC, Commission staff and the SROs have held discussions about the frequency of independent reviews. While SEC has expressed its preference for annual independent reviews, the SROs believe that repeated general control audits are inefficient and provide few added benefits. Consequently, SEC and the SROs have reached a consensus on using a risk analysis approach whereby each year, the SROs develop an audit plan that: (1) identifies all automated market systems and facilities; (2) rates and ranks them on selected risk indicators; and (3) identifies areas to audit based on the risk analysis. The SROs' internal or external auditors will then audit the selected areas and report their findings to SRO management and SEC.

    Recommendation: The Chairman, SEC, should reach agreement with securities markets on the frequency of independent reviews.

    Agency Affected: United States Securities and Exchange Commission

  4. Status: Closed - Implemented

    Comments: In August 1995, SEC staff reviewed NASD's internal audit function and found that NASD has taken steps to improve its internal audit coverage of automated market systems. For example, in April 1995, NASD hired an electronic data processing (EDP) auditor to supplement its other EDP auditor. Both are certified information systems audit professionals. In addition, NASD recently prepared (and SEC has reviewed) an audit plan that provides coverage of NASD's market systems. As a result of these steps, SEC staff now have assurance that NASD has an internal audit function in place that will regularly review NASD's automated market systems and facilities.

    Recommendation: The Chairman, SEC, should ensure that NASD regularly schedules and conducts audits of its market systems.

    Agency Affected: United States Securities and Exchange Commission

  5. Status: Closed - Implemented

    Comments: While conducting a recent site visit at NASD, SEC staff found that NASD had revised its contingency and disaster recovery plan to address GAO-identified weaknesses. SEC staff also learned during the visit that NASD is still planning to purchase a new backup electrical supply system to eliminate the weakness in its existing power system that contributed to the system outage on August 1, 1994. SEC staff stated that NASD officials have committed to making this improvement, and they intend to monitor NASD's efforts in this area until the change is implemented.

    Recommendation: The Chairman, SEC, should ensure that NASD corrects weaknesses in its contingency and disaster recovery plan and backup data processing facility.

    Agency Affected: United States Securities and Exchange Commission

  6. Status: Closed - Implemented

    Comments: According to SEC officials, they held discussions with NASD about implementing software changes on potentially volatile trading days and are satisfied that NASD has taken reasonable steps to avoid such situations in the future. NASD has reiterated that it is the association's policy not to implement changes on potentially volatile trading days. In addition, SEC staff reviewed NASD's system change schedule for the near term and observed that NASD has not planned any changes on the days in question. As an added act of caution, NASD is distributing the system change schedule to top business managers via electronic mail to keep them informed of upcoming changes.

    Recommendation: The Chairman, SEC, should ensure that NASD avoids implementing software changes on potentially volatile trading days.

    Agency Affected: United States Securities and Exchange Commission

  7. Status: Closed - Implemented

    Comments: In following up with NASD on this issue, SEC found that NASD had hired a contractor to assess weaknesses with its automated systems facilities. SEC staff have reviewed the contractor's findings and recommendations and have discussed them with top NASD officials. According to SEC staff, NASD has committed to correcting the weaknesses, and SEC plans to monitor NASD's progress until the work is completed.

    Recommendation: The Chairman, SEC, should ensure that NASD performs a thorough assessment of its existing systems environment to identify weaknesses.

    Agency Affected: United States Securities and Exchange Commission

  8. Status: Closed - Implemented

    Comments: Since the report, SEC staff have visited NASD's facilities on several occasions and had discussions with NASD officials about the adequacy of its market system testing. During the course of this work, SEC staff learned that NASD had engaged two consulting firms to assess its testing function in light of GAO's findings and recommendations. SEC staff told GAO that they reviewed the consultants' reports, which both made recommendations to strengthen quality assurance testing. According to the Chief of SEC's electronic data processing review branch, NASD implemented a few of the consultants' recommendations but has decided not to implement the key ones because NASD disagreed with the consultants' quality assurance methodologies. Consequently, the Chief told GAO that, during future NASD inspections and quarterly meetings, SEC will continue to push for implementation of these recommendations but will not take any additional action beyond this.

    Recommendation: The Chairman, SEC, should ensure that NASD expands testing processes for its market systems to better detect problems.

    Agency Affected: United States Securities and Exchange Commission

  9. Status: Closed - Implemented

    Comments: SEC has stated that it is committed to expanding the scope and depth of its oversight program for market automation. In March and April 1995, SEC hired two additional computer specialists to help oversee automated market systems and facilities.

    Recommendation: Given that the gaps in SEC oversight are attributable in part to a lack of technical staff, the Chairman, SEC, should determine the number of staff needed to adequately oversee the rapid growth of market automation and report this information to SEC congressional appropriations and authorization committees in time for consideration in next year's budget.

    Agency Affected: United States Securities and Exchange Commission

 
