Securities and Exchange Commission: Systematically Assessing Staff Procedures and Enhancing Control Design Would Strengthen Internal Oversight

GAO-20-115 Published: Dec 19, 2019. Publicly Released: Dec 19, 2019.

Fast Facts

Congress passed the Dodd-Frank Act in 2010 to enhance oversight of financial markets. Under the act, SEC must report annually on the effectiveness of its internal supervisory controls—used to oversee staff performing examinations, investigations, and reviews—and of staff procedures for these areas.

We found SEC has policies for internal supervisory controls. But we didn’t find consistent written policies or guidance for assessing the staff procedures, although SEC reported each year that the procedures were effective.

We recommended that SEC develop such policies.

Highlights

What GAO Found

As of fiscal year 2018, the Securities and Exchange Commission's (SEC) internal supervisory control framework—which provides guidance for division and office staff responsible for assessing the effectiveness of internal supervisory controls—reflected federal internal control standards. GAO determined that SEC's framework included elements covering each of the five components of internal control—control environment, risk assessment, control activities, information and communication, and monitoring. However, SEC does not have written policies or guidance to ensure that relevant SEC divisions and offices systematically assess the effectiveness of procedures applicable to staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate securities filings. Establishing such policies would provide SEC greater assurance that these procedures are effective at achieving their objectives.

All the SEC controls GAO evaluated were designed consistent with standards, and a majority operated as intended. SEC guidance and federal internal control standards state that (1) controls should be designed to address objectives and respond to risks and (2) control activities should be implemented through policies, including documentation requirements, and include detail to enable management to monitor control execution.

Control design. All 39 controls GAO evaluated included design elements to achieve SEC's control objectives and respond to risks it identified. However, 10 of these 39 controls did not include key attributes, such as requirements to document, and set time frames for, control execution (see fig.).

Control operation. GAO could not assess the operation of three of 18 selected controls because documentation of control execution did not exist. Of the remaining controls, 12 operated as intended and three partially operated as intended. Examples of controls that operated as intended include SEC's approval of examinations and tracking of investigations.

By more consistently following SEC guidance and federal internal control standards for developing control activities, including documentation requirements, relevant SEC divisions and offices would enhance their ability to monitor and ensure the effectiveness of their internal supervisory controls.

Evaluation of Control Activity Attributes for Selected SEC Controls, Fiscal Year 2018

| | Total | OCIE | Corporation Finance | Enforcement | OCR |
|---|---|---|---|---|---|
| Number of controls that incorporated all attributes | 29 | 6 | 6 | 7 | 10 |
| Number of controls that lacked at least one attribute | 10 | 2 | 2 | 3 | 3 |
| Total number of controls reviewed | 39 | 8 | 8 | 10 | 13 |

Legend: Corporation Finance = Division of Corporation Finance; Enforcement = Division of Enforcement; OCIE = Office of Compliance Inspections and Examinations; and OCR = Office of Credit Ratings.

Source: GAO analysis of Securities and Exchange Commission (SEC) documents. | GAO-20-115

Why GAO Did This Study

Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs SEC to assess and report annually on internal supervisory controls and procedures applicable to staff performing examinations, investigations, and securities filing reviews. The act also contains a provision for GAO to report on SEC's internal supervisory control structure and staff procedures. GAO's last report was in 2016 (GAO-17-16).

This report examines SEC's internal supervisory control framework and assessment of staff procedures, the design of selected controls, and the operation of selected controls.

GAO analyzed SEC's internal supervisory control framework and related policies and guidance and evaluated the design and execution of a non-generalizable sample of controls selected because they addressed high-risk processes.

Recommendations

GAO is making five recommendations to SEC related to developing policies to assess the effectiveness of staff procedures and ensuring that all relevant divisions and offices follow SEC guidance and federal internal control standards for implementing control activities through documented policies. SEC agreed with the recommendations.

Recommendations for Executive Action

Agency Affected: United States Securities and Exchange Commission
Recommendation: The SEC Chair should direct the Directors of the Division of Corporation Finance, Division of Enforcement, Office of Compliance Inspections and Examinations, and Office of Credit Ratings to develop written policies and processes to systematically assess the effectiveness of staff procedures (procedures applicable to staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate financial securities filings). Examples of elements SEC could include in the policies and processes are the steps necessary to conduct such assessments, including time frames in which the assessments should be performed and reviewed; assignment of responsibilities related to the assessments; requirements for documenting assessments; and steps for staff to take to mitigate and report deficiencies identified as a result of the assessments. (Recommendation 1)
Status: Closed – Implemented
As of May 2020, SEC updated its Reference Guide for Compliance with Section 961 of the Dodd-Frank Act to require the Division of Corporation Finance, Division of Enforcement, Office of Compliance Inspections and Examinations, and Office of Credit Ratings to develop and maintain written policies and processes for conducting systematic assessments of the effectiveness of procedures applicable to the staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate financial securities filings. As of September 2021, the four divisions and offices had developed policies and procedures to conduct an assessment of the effectiveness of staff procedures.

Agency Affected: Division of Corporation Finance
Recommendation: The Director of the Division of Corporation Finance should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 2)
Status: Closed – Implemented
In November 2020, SEC staff provided GAO with Division of Corporation Finance policy and procedure documentation demonstrating that its internal supervisory controls included documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility. Incorporating these key attributes will enhance control monitoring and help ensure effective execution of the controls.

Agency Affected: Division of Enforcement
Recommendation: The Director of the Division of Enforcement should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 3)
Status: Closed – Implemented
In March 2021, SEC staff provided GAO with Division of Enforcement policy and procedure documentation demonstrating that its internal supervisory controls included documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility. Incorporating these key attributes will enhance control monitoring and help ensure effective execution of the controls.

Agency Affected: Office of Compliance Inspections and Examinations
Recommendation: The Director of the Office of Compliance Inspections and Examinations should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 4)
Status: Closed – Implemented
In August 2021, SEC staff provided GAO with Division of Examinations (formerly the Office of Compliance Inspections and Examinations) documentation demonstrating that its internal supervisory controls included documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility. Incorporating these key attributes will enhance control monitoring and help ensure effective execution of the controls.

Agency Affected: Office of Credit Ratings
Recommendation: The Director of the Office of Credit Ratings should ensure that all internal supervisory controls include documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility, in accordance with SEC guidance and federal internal control standards for implementing control activities through documented policies. (Recommendation 5)
Status: Closed – Implemented
In March 2021, SEC staff provided GAO with Office of Credit Ratings policy and procedure documentation demonstrating that its internal supervisory controls included documentation requirements, detailed procedures, identified follow-up actions, implementation time frames, and assignment of control execution responsibility. Incorporating these key attributes will enhance control monitoring and help ensure effective execution of the controls.

Topics

Credit ratings, Housing, Financial instruments, Internal controls, Consumer protection, Risk assessment, Compliance oversight, Financial services, Financial markets, Community investments