Summary
Self-regulatory organizations (SRO) are exchanges and associations that operate and govern the markets, and that are subject to oversight by the Securities and Exchange Commission (SEC). Among other things, SROs monitor the markets, investigate and discipline members involved in improper trading, and make referrals to SEC regarding suspicious trades by nonmembers. For industry self-regulation to function effectively, SEC must ensure that SROs are fulfilling their regulatory responsibilities. This report (1) discusses the structure of SEC's inspection program for SROs, (2) evaluates certain aspects of SEC's inspection program, and (3) describes the SRO referral process and evaluates SEC's information system for receiving SRO referrals. To address these objectives, GAO reviewed SEC inspection workpapers, analyzed SEC data on SRO referrals and related investigations, and interviewed SEC and SRO officials.
To help ensure that SROs are fulfilling their regulatory responsibilities, SEC's Office of Compliance Inspections and Examinations (OCIE) conducts routine and special inspections of SRO regulatory programs. OCIE conducts routine inspections of key programs every 1 to 4 years, inspecting larger SROs more frequently, and conducts special inspections (which arise from tips or the need to follow up on prior recommendations or enforcement actions) as warranted. More specifically, OCIE's inspections of SRO surveillance, investigative, and disciplinary programs (enforcement programs) involve evaluating the parameters of surveillance systems, reviewing the adequacy of policies and procedures for handling the resulting alerts and investigations, and reviewing case files to determine whether SRO staff are complying with its policies and procedures. GAO identified several opportunities for SEC to enhance its oversight of SROs through its inspection program. First, although examiners have developed processes for inspecting SRO enforcement programs, OCIE has not documented these processes or established written policies relating to internal controls over these processes, such as supervisory review or standards for data collection. Such documentation could strengthen OCIE's ability to provide reasonable assurances that its inspection processes and products are subject to key quality controls. Second, OCIE officials said that they focus inspections of SRO enforcement programs on areas judged to be high risk. However, this risk-assessment process does not leverage the reviews that SRO internal and external auditors performed, which could result in duplication of SRO efforts or missed opportunities to direct examination resources to other higher-risk or less-examined programs. OCIE officials told us that they plan to begin assessing SRO internal audit functions in 2008, including the quality of their work products, which would allow OCIE to assess the usefulness of these products for targeting its inspections. Finally, OCIE currently does not formally track the implementation status of SRO inspection recommendations; rather, management consults with staff to obtain such information as needed. Without formal tracking, OCIE's ability to efficiently and effectively generate and evaluate trend information, such as patterns in the types of deficiencies found or the implementation status of recommendations across SROs, or over time, may be limited. SEC's Division of Enforcement uses an electronic system to receive referrals of potential violations from SROs. These referrals undergo multiple stages of review and may lead Enforcement to open an investigation. From fiscal years 2003 to 2006, SEC received an increasing number of advisories and referrals from SROs, many of which involved insider trading. However, SEC's referral receipt and case tracking systems do not allow Enforcement staff to electronically search all advisory and referral information, which may limit SEC's ability to monitor unusual market activity, make decisions about opening investigations, and allow management to assess case activities, among other things.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
Orice M. Williams
Government Accountability Office: Financial Markets and Community Investment
(202) 512-5837
Recommendations for Executive Action
Recommendation: To enhance SEC oversight of SROs, the SEC Chairman should establish a written framework for conducting inspections of SRO enforcement programs to help ensure a reliable and consistent source of information on SRO inspection processes, minimum standards, and quality controls; and, as part of this framework, broaden current guidance to SRO inspection staff on the use of SRO internal audit reports to direct examiners to consider the extent to which they will rely on reports and reviews of internal and external audit and other risk-management systems when planning SRO inspections.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - implemented
Comments: This recommendation has been implemented. In August 2008, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued written guidance for those examiners that conduct inspections of self-regulatory organization (SRO) operations, including the enforcement programs of the SROs. This examination guidance outlines inspection processes, minimum standards, and quality controls. It also broadens current guidance to SRO inspection staff on the use of SRO internal audit reports by directing examiners to consider the extent to which they will rely on reports and reviews of internal and external audit and other risk-management systems when planning SRO inspections.
Recommendation: To enhance SEC oversight of SROs, the SEC Chairman should ensure that Market Regulation makes certain that SROs include in their periodic risk assessment of their IT systems a review of the security of their enforcement-related databases, and that Market Regulation reviews the comprehensiveness and completeness of the related SRO-sponsored audits of their enforcement-related databases.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - implemented
Comments: SEC's Division of Trading and Markets (formerly Market Regulation) has implemented this recommendation by incorporating a review of the efforts by the SRO audit function, including their periodic risk assessments, over enforcement-related databases into its regular Automation Review Policy (ARP) inspection process.
Recommendation: To enhance SEC oversight of SROs, the SEC Chairman should as part of the agency's ongoing efforts to improve information technology capabilities, ensure that any software developed for tracking SRO inspections includes the ability to track and report SRO responses to and implementation status of OCIE inspections recommendations.
Agency Affected: United States Securities and Exchange Commission
Status: Open
Comments: GAO staff spoke with staff from the Securities and Exchange Commission's Office of Compliance Inspections and Examinations (OCIE) on August 20, 2008, and January 25, 2009 for an update on the status of this recommendation. OCIE staff informed us that SEC's Office of Information Technology is still developing the software that will eventually allow them to track and report Self-Regulatory Organizations (SROs) responses to and the implementation status of OCIE inspection recommendations. As this effort is part of a larger project, it is unclear when the software will become functional. In the interim, OCIE is using an excel spreadsheet to track recommendations resulting from SRO inspections and SRO responses to these recommendations.
Recommendation: To enhance SEC oversight of SROs, the SEC Chairman should as part of the agency's ongoing efforts to improve information technology capabilities, consider system improvements that would allow Enforcement staff to electronically access and search all information in advisories and referrals submitted by SROs and generate reports that would facilitate monitoring and analysis of trend information and case activities.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - implemented
Comments: This recommendation is closed. On August 27,2008 staff from the Securities and Exchange Commission's Division of Enforcement confirmed that they decided to implement the recommendation and asked the Office of Information Technology to make system improvements that would allow enforcement staff to electronically access and search all information in advisories and referrals submitted by self-regulatory organizations. These system improvements will also allow the Enforcement managers to generate management reports.
