Financial Markets: Stronger System Controls and Oversight Needed to Prevent NASD Computer Outages
AIMD-95-22
Published: Dec 21, 1994. Publicly Released: Dec 21, 1994.
Highlights
Pursuant to a congressional request, GAO reviewed recent computer outages experienced by the National Association of Securities Dealers' (NASD) automated quotation and trading systems (NASDAQ), focusing on: (1) the nature and causes of the outages; (2) the outages' impact on market participants; (3) NASD planned responses to contingencies and disasters; (4) NASD oversight of its automated systems and facilities; and (5) how well the Securities and Exchange Commission (SEC) is ensuring that the securities markets are prepared for contingencies and disasters.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
United States Securities and Exchange Commission | The Chairman, SEC, should ensure that NASD expands testing processes for its market systems to better detect problems. | Closed – Implemented. Since the report, SEC staff have visited NASD's facilities on several occasions and had discussions with NASD officials about the adequacy of its market system testing. During the course of this work, SEC staff learned that NASD had engaged two consulting firms to assess its testing function in light of GAO's findings and recommendations. SEC staff told GAO that they reviewed the consultants' reports, which both made recommendations to strengthen quality assurance testing. According to the Chief of SEC's electronic data processing review branch, NASD implemented a few of the consultants' recommendations but has decided not to implement the key ones because NASD disagreed with the consultants' quality assurance methodologies. Consequently, the Chief told GAO that, during future NASD inspections and quarterly meetings, SEC will continue to push for implementation of these recommendations but will not take any additional action beyond this. |
United States Securities and Exchange Commission | The Chairman, SEC, should ensure that NASD performs a thorough assessment of its existing systems environment to identify weaknesses. | Closed – Implemented. In following up with NASD on this issue, SEC found that NASD had hired a contractor to assess weaknesses with its automated systems facilities. SEC staff have reviewed the contractor's findings and recommendations and have discussed them with top NASD officials. According to SEC staff, NASD has committed to correcting the weaknesses, and SEC plans to monitor NASD's progress until the work is completed. |
United States Securities and Exchange Commission | The Chairman, SEC, should ensure that NASD avoids implementing software changes on potentially volatile trading days. | Closed – Implemented. According to SEC officials, they held discussions with NASD about implementing software changes on potentially volatile trading days and are satisfied that NASD has taken reasonable steps to avoid such situations in the future. NASD has reiterated that it is the association's policy not to implement changes on potentially volatile trading days. In addition, SEC staff reviewed NASD's system change schedule for the near term and observed that NASD has not planned any changes on the days in question. As an added act of caution, NASD is distributing the system change schedule to top business managers via electronic mail to keep them informed of upcoming changes. |
United States Securities and Exchange Commission | The Chairman, SEC, should ensure that NASD corrects weaknesses in its contingency and disaster recovery plan and backup data processing facility. | Closed – Implemented. While conducting a recent site visit at NASD, SEC staff found that NASD had revised its contingency and disaster recovery plan to address GAO-identified weaknesses. SEC staff also learned during the visit that NASD is still planning to purchase a new backup electrical supply system to eliminate the weakness in its existing power system that contributed to the system outage on August 1, 1994. SEC staff stated that NASD officials have committed to making this improvement, and they intend to monitor NASD's efforts in this area until the change is implemented. |
United States Securities and Exchange Commission | The Chairman, SEC, should ensure that NASD regularly schedules and conducts audits of its market systems. | Closed – Implemented. In August 1995, SEC staff reviewed NASD's internal audit function and found that NASD has taken steps to improve its internal audit coverage of automated market systems. For example, in April 1995, NASD hired an electronic data processing (EDP) auditor to supplement its other EDP auditor. Both are certified information systems audit professionals. In addition, NASD recently prepared (and SEC has reviewed) an audit plan that provides coverage of NASD's market systems. As a result of these steps, SEC staff now have assurance that NASD has an internal audit function in place that will regularly review NASD's automated market systems and facilities. |
United States Securities and Exchange Commission | The Chairman, SEC, should reach agreement with securities markets on the frequency of independent reviews. | Closed – Implemented. According to the SEC, Commission staff and the SROs have held discussions about the frequency of independent reviews. While SEC has expressed its preference for annual independent reviews, the SROs believe that repeated general control audits are inefficient and provide few added benefits. Consequently, SEC and the SROs have reached a consensus on using a risk analysis approach whereby each year, the SROs develop an audit plan that: (1) identifies all automated market systems and facilities; (2) rates and ranks them on selected risk indicators; and (3) identifies areas to audit based on the risk analysis. The SROs' internal or external auditors will then audit the selected areas and report their findings to SRO management and SEC. |
United States Securities and Exchange Commission | The Chairman, SEC, should determine SEC inspection frequency needed to ensure adequate oversight of market systems and facilities. | Closed – Implemented. Rather than schedule regular, periodic on-site inspections, SEC has opted for relying on: (1) annual briefings with SRO staff; and (2) the results of the SROs' independent reviews as the bases for selecting which SROs to inspect. SEC believes this approach permits it to direct inspection resources to areas where weaknesses may exist. |
United States Securities and Exchange Commission | The Chairman, SEC, should follow up on systems auditors' recommendations and ensure that the recommendations are adequately resolved. | Closed – Implemented. According to SEC, it monitors all open audit recommendations and follows up with the SROs regarding their efforts to address these recommendations. However, SEC notes that it does not ensure that open recommendations are resolved within any specified timeframe. Instead, SEC relies on SRO management to address such recommendations. SEC believes that this is an effective and cost-efficient method of achieving closure on audit recommendations. |
United States Securities and Exchange Commission | Given that the gaps in SEC oversight are attributable in part to a lack of technical staff, the Chairman, SEC, should determine the number of staff needed to adequately oversee the rapid growth of market automation and report this information to SEC congressional appropriations and authorization committees in time for consideration in next year's budget. | Closed – Implemented. SEC has stated that it is committed to expanding the scope and depth of its oversight program for market automation. In March and April 1995, SEC hired two additional computer specialists to help oversee automated market systems and facilities. |
Topics
Brokerage industry, Computer security, Software, Emergency preparedness, Independent regulatory commissions, Information systems, Internal audits, Securities regulation, Systems management, Data automation