The Securities and Exchange Commission (SEC) oversees financial markets. Each year, SEC assesses if a set of staff procedures for examinations, investigations, and securities filings reviews were well-designed, current, and effective.
FY 2021 was the first year that SEC had written guidance to ensure the consistency of these assessments. While the guidance generally helped, we found opportunities for enhancement. For example, SEC could use program data to help evaluate the effects of its procedures.
Our recommendations to SEC include developing guidance on using program data.
What GAO Found
The Securities and Exchange Commission (SEC) is statutorily required to assess the effectiveness of its internal supervisory controls and staff procedures. An SEC working group issued a guide to establish a consistent approach to compliance with the requirement across the Divisions of Corporation Finance, Enforcement, and Examinations and Office of Credit Ratings. The guide defines internal supervisory controls as actions management establishes to monitor that staff follow and consistently perform procedures.
In fiscal year 2021, SEC generally followed its guidance for conducting risk assessments and establishing internal supervisory controls. For example, the divisions and office assessed and documented the risks of staff not following procedures for examinations, investigations, and filing reviews and established internal supervisory controls to mitigate the risks.
SEC's framework for assessing the effectiveness of internal supervisory controls generally was consistent with federal internal control standards. In turn, the divisions and office implemented processes consistent with SEC's framework to assess the effectiveness of their internal supervisory controls for fiscal year 2021. They generally documented the work performed, including evidence collected and analyzed, and supported the results of their assessments. The divisions and office determined that the design and operations of their internal supervisory controls were effective in fiscal year 2021.
Division and office plans to assess the effectiveness of staff procedures generally were consistent with internal control standards and were implemented accordingly. But the Division of Enforcement did not document its work performed and results in a memorandum used to inform the division director about the staff procedures assessment. SEC guidance specifies that the methodology and testing results should be documented. Including such information in the memorandum would help ensure that management receives the information needed to certify compliance with section 961. GAO also found the written plans did not include potentially useful steps for assessing staff procedures.
- Use of program data. The divisions and office collect data about their programs but do not consistently use the data to help assess the effectiveness of staff procedures. The development and monitoring of program metrics could enable the divisions and office to monitor trends and understand the extent to which such trends, including changes, positively or negatively relate to staff procedures.
- Review of staff procedures. The written plans lack steps to periodically and comprehensively review staff procedures. Including such a review in the plans would help ensure that all staff procedures receive regular scrutiny and program manuals are kept current.
This was the first year the divisions and office implemented written plans for assessing staff procedures. The plans and associated processes will continue to evolve, as the divisions and office gain experience.
Why GAO Did This Study
Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs SEC to assess and report annually on internal supervisory controls and procedures applicable to staff performing examinations, investigations, and securities filing reviews. The act also contains a provision for GAO to report on SEC's internal supervisory control structure and staff procedures at least every 3 years. GAO's last report was in 2019 (GAO-20-115).
This report examines SEC's processes for assessing (1) risks of staff not following procedures (such as program manuals), (2) the effectiveness of its internal supervisory controls, and (3) the effectiveness of its staff procedures.
GAO analyzed SEC's policies and guidance for assessing the effectiveness of its internal supervisory controls and staff procedures, reviewed records supporting SEC's fiscal year 2021 assessment processes, and interviewed SEC officials.
GAO is making three recommendations to SEC about section 961 assessments. They are to direct that the Division of Enforcement documents work performed and results, develop guidance on using program data, and develop guidance for periodic reviews of program manuals. SEC agreed with the recommendations and plans to implement them.
Recommendations for Executive Action
|United States Securities and Exchange Commission||The Director of the Division of Enforcement should ensure that the division's memorandum regarding certification under section 961 of the Dodd-Frank Act include a summary of the work performed for and results of the assessment of the effectiveness of staff procedures. (Recommendation 1)|
|United States Securities and Exchange Commission||The 961 Working Group should revise its Reference Guide for Compliance with Section 961 of the Dodd-Frank Act to include guidance on using program data to help assess the effectiveness of staff procedures. (Recommendation 2)|
|United States Securities and Exchange Commission||The 961 Working Group should revise its Reference Guide for Compliance with Section 961 of the Dodd-Frank Act to require the relevant divisions and office to include in their written plans for assessing the effectiveness of staff procedures a requirement that they review their program manuals on a periodic and comprehensive basis. (Recommendation 3)|