Information Systems:

Opportunities Exist to Strengthen SEC's Oversight of Capacity and Security

GAO-01-863: Published: Jul 25, 2001. Publicly Released: Sep 10, 2001.

Contact: Richard J. Hillman, (202) 512-5431

Capacity problems and other disruptions at the securities and options exchanges have caused processing delays within the U.S. securities markets in recent years. These exchanges and clearing organizations have also been concerned about unauthorized access by hackers and other unauthorized users. To address these issues, the Securities and Exchange Commission (SEC) created its Automation Review Policy (ARP) program in 1989. The program calls for the exchanges and clearing organizations that act as self-regulatory organizations to voluntarily follow SEC guidance and submit to oversight of their information systems. The program includes two key policy statements that provide voluntary guidelines to these organizations, periodic on-site inspections by SEC staff, and independent reviews of systems by internal auditors or external organizations. In addition, self-regulatory organizations are expected to provide SEC with reports of system outages and notices of system modifications. This report reviews SEC's effectiveness in its oversight role. GAO found that the program reasonably ensures that self-regulatory organizations address capacity, security, and other information systems issues. However, SEC could improve its program oversight by consolidating the criteria used by program staff into a comprehensive guide. Overall, SEC's inspections addressed the key areas of program guidance and often contained substantive recommendations designed to improve the organizations' procedures.

Recommendations for Executive Action

  1. Recommendation: Because of the importance of the proper functioning of the self-regulatory organizations' information systems, the Acting Chairman, SEC, should ensure that the ARP program develops a consolidated inspection guide for the ARP staff that is updated on a periodic basis.

    Status: Closed - Implemented

    Comments: According to SEC Market Regulation Division staff, they have begun using the Information Systems Audit and Control Association's Control Objectives for Information and related Technology (COBIT) as the basis for the reviews they conduct of information technology issues at exchanges and clearing organizations. This will ensure that the criteria they use are consistent across reviews and among their staff. They plan to continue to supplement this with the latest standards in all areas of technology.

    Agency Affected: United States Securities and Exchange Commission

  2. Recommendation: Because of the importance of the proper functioning of the self-regulatory organizations' information systems, the Acting Chairman, SEC, should ensure that significant ARP program recommendations and concerns that have not been addressed by the self-regulatory organizations are brought to the attention of the Chairman and Commissioners.

    Status: Closed - Implemented

    Comments: According to SEC Market Regulation Division staff, as a result of the November 2003 movement of the Automation Review Policy (ARP) program to the Office of Market Continuity, a new office within Market Regulation, the results of ARP examinations are regularly presented to the Commission for review. This serves to highlight to the Commissioners any unimplemented recommendations. Also, according to Market Regulation staff, ARP staff had worked very hard to get the organizations to take action on prior ARP recommendations and, as of August 2004, there were no unimplemented recommendations.

    Agency Affected: United States Securities and Exchange Commission

  3. Recommendation: Because of the importance of the proper functioning of the self-regulatory organizations' information systems, the Acting Chairman, SEC, should develop formal criteria for assessing the self-regulatory organizations' cooperation with the ARP program and perform an assessment to determine whether the voluntary status of the ARP program is appropriate.

    Status: Closed - Implemented

    Comments: According to SEC Market Regulation Division staff, the SEC staff have determined that making compliance with the Automation Review Policy (ARP) program mandatory would improve their ability to oversee the markets. As a result, they have drafted Regulation ARP, which will make compliance with the tenets of the ARP program mandatory for exchanges and clearing organizations. The regulation has completed its Division review and is now with SEC's Office of General Counsel. SEC's plan is to have Regulation ARP before the Commission by the end of 2006.

    Agency Affected: United States Securities and Exchange Commission
