Securities And Exchange Commission:
Continued Management Attention Would Strengthen Internal Supervisory Controls
GAO-13-314: Published: Apr 18, 2013. Publicly Released: Apr 18, 2013.
What GAO Found
After the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) in 2010, the Securities and Exchange Commission's (SEC) Office of Compliance Inspections and Examinations, Division of Corporation Finance, and Division of Enforcement (herein "the offices") established a working group that developed an internal supervisory control framework. Internal supervisory controls include the processes established by management to help ensure that procedures applicable to staff are performed completely, consistent with applicable policies and procedures, and remain current. The overall control framework is generally consistent with federal internal control standards, which includes identifying and assessing risks, identifying and assessing internal controls, and reporting the results of testing to management and Congress.
As part of developing and applying an internal supervisory control framework, the offices each identified internal supervisory controls to mitigate risks that could undermine their ability to consistently and competently carry out their responsibilities. These internal supervisory controls are built into the offices' work processes--that is, the processes they use to carry out examinations, financial securities filing reviews, and investigations--and range from specific supervisory review and approval activities to management reports used to monitor the processes as a whole. For example, within Enforcement, supervisors must review and approve staff recommendations that a tip, complaint, or referral be closed without further investigation. Many of the offices' internal supervisory controls existed prior to the development of SEC's internal supervisory control framework; others were developed through the process of developing the framework.
GAO identified deficiencies in about half of the 60 internal supervisory controls it tested. Specifically, GAO found that for 27 internal supervisory controls (1) the description of the control activity did not accurately reflect policy or practice; (2) documentation demonstrating execution of the control was not complete, clear, or consistent; or (3) the controls lacked clearly defined control activities. These control deficiencies may not prevent management from detecting whether the activities of the offices are conducted completely and in accordance with policy. However, similarities in the nature of deficiencies across all three offices suggest that management attention to the design and operation of internal supervisory controls is warranted. Federal internal control standards state that control activities should enable effective operation and have clear, readily available documentation. The offices have addressed or have been taking steps to address all of the 27 identified deficiencies. Some steps have been taken based on the offices' section 961 assessments. SEC addressed other deficiencies during GAO's review after discussions with GAO detailing the identified deficiency. Not enough time has passed for GAO to assess the effectiveness of these changes. Ensuring that all internal supervisory controls have clearly defined activities and clear, readily available documentation demonstrating execution of the control would provide SEC management with better assurance that policies were being executed as intended and strengthen SEC's internal supervisory control framework.
Why GAO Did This Study
Recent high-profile securities frauds have raised questions about the internal controls that SEC has in place to help ensure that staff carry out their work completely and in a manner consistent with applicable policies and procedures. Section 961 of the Dodd-Frank Act directs SEC to annually assess and report on internal supervisory controls for staff performing examinations, corporate financial securities filing reviews, and investigations. The act also requires GAO to review SEC's structure for internal supervisory control applicable to staff working in those offices. This report examines the (1) steps the offices took to develop an internal supervisory control framework; (2) internal supervisory controls each office has implemented; and (3) extent to which the internal supervisory controls have operated as intended. GAO reviewed each office's section 961 assessments and reports; analyzed the offices' internal supervisory control framework; and tested a sample of 60 supervisory controls using random samples and nonprobability selections.
What GAO Recommends
To help ensure that controls are properly designed and operating effectively, SEC should make certain that existing internal supervisory controls and any developed in the future have clearly defined activities and clear and readily available documentation demonstrating execution of the activities. SEC agreed with GAO's recommendation.
Recommendation for Executive Action
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To help ensure that controls are properly designed and operating effectively, SEC should make certain that existing internal supervisory controls and any developed in the future have clearly defined activities and clear and readily available documentation demonstrating execution of the activities.
Agency Affected: United States Securities and Exchange Commission