Information Systems: Opportunities Exist to Strengthen SEC's Oversight of Capacity and Security

GAO-01-863 Published: Jul 25, 2001. Publicly Released: Sep 10, 2001.
Highlights

Capacity problems and other disruptions at the securities and options exchanges have caused processing delays within the U.S. securities markets in recent years. These exchanges and clearing organizations have also been concerned about unwarranted access by hackers and other unauthorized users. To address these issues, the Securities and Exchange Commission (SEC) created its automation review policy (ARP) program in 1989. The program calls for the exchanges and clearing organizations that act as self-regulatory organizations to voluntarily follow SEC guidance and submit to oversight of their information systems. The program includes two key policy statements that provide voluntary guidelines to these organizations, periodic on-site inspections by SEC staff, and independent reviews of systems by internal auditors or external organizations. In addition, self-regulatory organizations are expected to provide SEC with reports of system outages and notices of system modifications. This report reviews SEC's effectiveness in its oversight role. GAO found that the program reasonably ensures that self-regulatory organizations address capacity, security, and other information systems issues. However, SEC could improve its program oversight by consolidating the criteria used by program staff into a comprehensive guide. Overall, SEC's inspections addressed the key areas of program guidance and often contained substantive recommendations designed to improve the organizations' procedures.

Recommendations

Recommendations for Executive Action

Recommendation 1
Agency Affected: United States Securities and Exchange Commission
Recommendation: Because of the importance of the proper functioning of the self-regulatory organizations' information systems, the Acting Chairman, SEC, should ensure that the ARP program develops a consolidated inspection guide for the ARP staff that is updated on a periodic basis.
Status: Closed – Implemented
Comments: According to SEC Market Regulation Division staff, they have begun using the Information Systems Audit and Control Association's Control Objectives for Information and related Technology (COBIT) as the basis for the reviews they conduct of information technology issues at exchanges and clearing organizations. This will ensure that the criteria they use are consistent across reviews and among their staff. They plan to continue to supplement this with the latest standards in all areas of technology.

Recommendation 2
Agency Affected: United States Securities and Exchange Commission
Recommendation: Because of the importance of the proper functioning of the self-regulatory organizations' information systems, the Acting Chairman, SEC, should ensure that significant ARP program recommendations and concerns that have not been addressed by the self-regulatory organizations are brought to the attention of the Chairman and Commissioners.
Status: Closed – Implemented
Comments: According to SEC Market Regulation Division staff, as a result of the November 2003 movement of the Automated Review Program (ARP) to the Office of Market Continuity, a new office within Market Regulation, the results of ARP examinations are regularly presented to the Commission for review. This serves to highlight to the Commissioners any unimplemented recommendations. Also, according to Market Regulation staff, ARP staff had worked very hard to get the organizations to take action on prior ARP recommendations and, as of August 2004, there were no unimplemented recommendations.

Recommendation 3
Agency Affected: United States Securities and Exchange Commission
Recommendation: Because of the importance of the proper functioning of the self-regulatory organizations' information systems, the Acting Chairman, SEC, should develop formal criteria for assessing the self-regulatory organizations' cooperation with the ARP program and perform an assessment to determine whether the voluntary status of the ARP program is appropriate.
Status: Closed – Implemented
Comments: According to SEC Market Regulation Division staff, the SEC staff have determined that making compliance with the Automated Review Program (ARP) mandatory would improve their ability to oversee the markets. As a result, they have drafted Regulation ARP, which will make compliance with the tenets of the ARP program mandatory for exchanges and clearing organizations. The regulation has completed its Division review and is now with SEC's Office of General Counsel. SEC's plan is to have Regulation ARP before the Commission by the end of 2006.

Topics

Computer security, Information systems, Self-regulatory organizations, Securities regulation, Stock exchanges, Securities, Internal audits, Internal auditors, Information technology, Commodities exchanges