Securities and Exchange Commission:
Management Has Enhanced Supervisory Controls and Could Further Improve Efficiency
GAO-17-16: Published: Oct 6, 2016. Publicly Released: Oct 6, 2016.
What GAO Found
As of the end of fiscal year 2015, the internal supervisory control framework of the Securities and Exchange Commission (SEC) reflected key components of federal internal control, including identifying and assessing risks; designing, implementing, monitoring, and evaluating controls; and reporting the results. Internal supervisory controls are management processes to help ensure that procedures applicable to staff are performed completely, consistent with applicable policies and procedures, and remain current. SEC's Divisions of Corporation Finance and Enforcement, and Offices of Compliance Inspections and Examinations and Credit Ratings (collectively, the divisions and offices) are subject to requirements of section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) to assess and certify the effectiveness of SEC's internal supervisory controls and report annually to Congress. GAO assessed the framework and each division and office's implementation and determined that it reflected key components of internal control. Since GAO's first review in 2013, the divisions and offices have taken steps to enhance the framework, including developing electronic workflow tracking systems and creating a permanent standards monitoring office.
GAO found that 52 of the 58 tested controls were operating as intended in fiscal year 2015. Of the six controls in which GAO identified deficiencies, none appeared likely to prevent the divisions and offices from achieving the controls' objectives (for reasons that included mitigating evidence or circumstances). For example, for three controls with deficiencies, GAO found that the supervisory control activities had occurred, so the controls' objectives were achieved. SEC officials said that the divisions and offices planned to or already have addressed most of the deficiencies. SEC also generally improved the design and operation of the tested controls. SEC implemented GAO's 2013 recommendation that it should make certain that existing and future supervisory controls have clearly defined activities and clear and readily available documentation demonstrating execution of the activities.
SEC's annual 961 reports to Congress during fiscal years 2013–2015 were consistent with Dodd-Frank Act requirements and the divisions and offices' processes for developing the annual reports reflected components of internal control. The divisions and offices shared information about the report development process through an informal working group. However, GAO found variations among divisions and offices in the design of controls addressing similar risks or objectives, and in testing approaches and documentation, among other differences. Federal internal control standards allow for variation but also emphasize the importance of efficiency and effectiveness. The variations illustrate that SEC has opportunities to improve efficiency and effectiveness through further information sharing about the design, implementation, and testing of internal supervisory controls. The variations occurred, in part, because the working group is informal and thus lacks a clear leadership structure and mandate to improve efficiency and effectiveness. Clarifying the working group's mandate in this way could enable the group to leverage its coordinating role and further promote information sharing with the goal of improving efficiency and effectiveness of filing reviews, investigations, and examinations.
Why GAO Did This Study
Section 961 of the Dodd-Frank Act directs SEC to assess and report annually on internal supervisory controls for staff performing corporate financial securities filing reviews, investigations, and examinations. The act also contains a provision for GAO to report at least every 3 years on SEC's framework for internal supervisory controls applicable to staff performing those activities. GAO first reported on this framework in 2013 (GAO-13-314).
This second triennial report examines (1) the extent to which SEC's framework during 2013–2015 and any changes since GAO's first review reflect key components of internal controls, (2) the extent to which selected controls operated as intended in fiscal year 2015, and (3) SEC's process for developing its annual report to Congress in 2013–2015.
GAO analyzed the internal supervisory control framework and the section 961 assessments and reports of the relevant divisions and offices; selected a nongeneralizable sample of 58 of a total of 104 supervisory controls for testing based on risk and prior deficiencies; and used random samples, inspections, and observations, as appropriate.
What GAO Recommends
The SEC Chair should formalize the informal 961 working group or otherwise establish a formal body to facilitate the coordination of compliance with section 961 of the Dodd-Frank Act across divisions and offices. SEC agreed with GAO's recommendation.
For more information, contact Michael Clements, 202-512-8678, firstname.lastname@example.org.
Recommendation for Executive Action
Comments: SEC concurred with this recommendation and said it would take steps to implement it. When we confirm what actions SEC has taken in response to this recommendation, we will update the information.
Recommendation: To improve and regularize consultation among Corporation Finance, Enforcement, Office of Compliance Inspections and Examinations, and Office of Credit Ratings, and make their internal supervisory controls more efficient and effective, the Chair of the Securities and Exchange Commission should formalize the Working Group or otherwise establish a formal body to enhance coordination of compliance with section 961 of the Dodd-Frank Act across the divisions and offices.
Agency Affected: United States Securities and Exchange Commission