Securities and Exchange Commission:

Systematically Assessing Staff Procedures and Enhancing Control Design Would Strengthen Internal Oversight

GAO-20-115: Published: Dec 19, 2019. Publicly Released: Dec 19, 2019.

Additional Materials:

Contact:

Michael Clements
(202) 512-8678
ClementsM@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Congress passed the Dodd-Frank Act in 2010 to enhance oversight of financial markets. Under the act, SEC must report annually on the effectiveness of its internal supervisory controls—used to oversee staff performing examinations, investigations, and reviews—and of staff procedures for these areas.

We found SEC has policies for internal supervisory controls. But we didn’t find consistent written policies or guidance for assessing the staff procedures, although SEC reported each year that the procedures were effective.

We recommended that SEC develop such policies.

Seal of the SEC


What GAO Found

As of fiscal year 2018, the Securities and Exchange Commission's (SEC) internal supervisory control framework—which provides guidance for division and office staff responsible for assessing the effectiveness of internal supervisory controls—reflected federal internal control standards. GAO determined that SEC's framework included elements covering each of the five components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring. However, SEC does not have written policies or guidance to ensure that relevant SEC divisions and offices systematically assess the effectiveness of procedures applicable to staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate securities filings. Establishing such policies would provide SEC greater assurance that these procedures are effective at achieving their objectives.

All the SEC controls GAO evaluated were designed consistent with standards, and a majority operated as intended. SEC guidance and federal internal control standards state that (1) controls should be designed to address objectives and respond to risks and (2) control activities should be implemented through policies, including documentation requirements, and include detail to enable management to monitor control execution.

Control design. All 39 controls GAO evaluated included design elements to achieve SEC's control objectives and respond to risks it identified. However, 10 of these 39 controls did not include key attributes, such as requirements to document, and set time frames for, control execution (see fig.).

Control operation. GAO could not assess the operation of three of 18 selected controls because documentation of control execution did not exist. Of the remaining controls, 12 operated as intended and three partially operated as intended. Examples of controls that operated as intended include SEC's approval of examinations and tracking of investigations.

By more consistently following SEC guidance and federal internal control standards for developing control activities, including documentation requirements, relevant SEC divisions and offices would enhance their ability to monitor and ensure the effectiveness of their internal supervisory controls.

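Evaluation of Control Activity Attributes for Selected SEC Controls, Fiscal Year 2018

|                                                       | Total | OCIE | Corporation Finance | Enforcement | OCR |
|-------------------------------------------------------|-------|------|---------------------|-------------|-----|
| Number of controls that incorporated all attributes   | 29    | 6    | 6                   | 7           | 10  |
| Number of controls that lacked at least one attribute | 10    | 2    | 2                   | 3           | 3   |
| Total number of controls reviewed                     | 39    | 8    | 8                   | 10          | 13  |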

Legend: Corporation Finance = Division of Corporation Finance; Enforcement = Division of Enforcement; OCIE = Office of Compliance Inspections and Examinations; and OCR = Office of Credit Ratings.

Source: GAO analysis of Securities and Exchange Commission (SEC) documents. | GAO-20-115

Why GAO Did This Study

Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs SEC to assess and report annually on internal supervisory controls and procedures applicable to staff performing examinations, investigations, and securities filing reviews. The act also contains a provision for GAO to report on SEC's internal supervisory control structure and staff procedures. GAO's last report was in 2016 (GAO-17-16).

This report examines SEC's internal supervisory control framework and assessment of staff procedures, the design of selected controls, and the operation of selected controls.

GAO analyzed SEC's internal supervisory control framework and related policies and guidance and evaluated the design and execution of a non-generalizable sample of controls selected because they addressed high-risk processes.

What GAO Recommends

GAO is making five recommendations to SEC related to developing policies to assess the effectiveness of staff procedures and ensuring that all relevant divisions and offices follow SEC guidance and federal internal control standards for implementing control activities through documented policies. SEC agreed with the recommendations.

For more information, contact Michael Clements at (202) 512-8678 or ClementsM@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: As of May 2020, SEC updated its Reference Guide for Compliance with Section 961 of the Dodd-Frank Act to require the Division of Corporation Finance, Division of Enforcement, Office of Compliance Inspections and Examinations, and Office of Credit Ratings to develop and maintain written policies and processes for conducting systematic assessments of the effectiveness of procedures applicable to the staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate financial securities filings. The added requirement for each division and office to develop policies and processes is a positive step toward addressing this recommendation. However, until the divisions and offices establish such policies and processes, this recommendation remains open. SEC staff stated that the divisions and offices are currently working on developing their individual frameworks for assessing staff procedures and will likely be done by the end of fiscal year 2020. We will continue to monitor these efforts.

    Recommendation: The SEC Chair should direct the Directors of the Division of Corporation Finance, Division of Enforcement, Office of Compliance Inspections and Examinations, and Office of Credit Ratings to develop written policies and processes to systematically assess the effectiveness of staff procedures (procedures applicable to staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate financial securities filings). Examples of elements SEC could include in the policies and processes are the steps necessary to conduct such assessments, including time frames in which the assessments should be performed and reviewed; assignment of responsibilities related to the assessments; requirements for documenting assessments; and steps for staff to take to mitigate and report deficiencies identified as a result of the assessments. (Recommendation 1)

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Open

    Comments: As of May 2020, SEC staff said that the Division of Corporation Finance is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in fall 2020. We will update the status of the recommendation when the Division of Corporation Finance provides documentation showing the implementation of responsive actions.

    Recommendation: The Director of the Division of Corporation Finance should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 2)

    Agency Affected: United States Securities and Exchange Commission: Division of Corporation Finance

  3. Status: Open

    Comments: As of May 2020, SEC staff said that the Division of Enforcement is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in fall 2020. We will update the status of the recommendation when the Division of Enforcement provides documentation showing the implementation of responsive actions.

    Recommendation: The Director of the Division of Enforcement should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 3)

    Agency Affected: United States Securities and Exchange Commission: Division of Enforcement

  4. Status: Open

    Comments: As of May 2020, SEC staff said that the Office of Compliance Inspections and Examinations is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in fall 2020. We will update the status of the recommendation when the Office of Compliance Inspections and Examinations provides documentation showing the implementation of responsive actions.

    Recommendation: The Director of the Office of Compliance Inspections and Examinations should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 4)

    Agency Affected: United States Securities and Exchange Commission: Office of Compliance Inspections and Examinations

  5. Status: Open

    Comments: As of May 2020, SEC staff said that the Office of Credit Ratings is working to address this recommendation through its normal Risk and Control Matrix review process. Staff said that SEC would have an update for GAO in fall 2020. We will update the status of the recommendation when the Office of Credit Ratings provides documentation showing the implementation of responsive actions.

    Recommendation: The Director of the Office of Credit Ratings should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 5)

    Agency Affected: United States Securities and Exchange Commission: Office of Credit Ratings

 
