Securities and Exchange Commission:

Opportunities Exist to Improve Oversight of Self-Regulatory Organizations

GAO-08-33: Published: Nov 15, 2007. Publicly Released: Dec 17, 2007.

Additional Materials:

Contact:

Orice M. Williams
(202) 512-5837
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Self-regulatory organizations (SRO) are exchanges and associations that operate and govern the markets, and that are subject to oversight by the Securities and Exchange Commission (SEC). Among other things, SROs monitor the markets, investigate and discipline members involved in improper trading, and make referrals to SEC regarding suspicious trades by nonmembers. For industry self-regulation to function effectively, SEC must ensure that SROs are fulfilling their regulatory responsibilities. This report (1) discusses the structure of SEC's inspection program for SROs, (2) evaluates certain aspects of SEC's inspection program, and (3) describes the SRO referral process and evaluates SEC's information system for receiving SRO referrals. To address these objectives, GAO reviewed SEC inspection workpapers, analyzed SEC data on SRO referrals and related investigations, and interviewed SEC and SRO officials.

To help ensure that SROs are fulfilling their regulatory responsibilities, SEC's Office of Compliance Inspections and Examinations (OCIE) conducts routine and special inspections of SRO regulatory programs. OCIE conducts routine inspections of key programs every 1 to 4 years, inspecting larger SROs more frequently, and conducts special inspections (which arise from tips or the need to follow up on prior recommendations or enforcement actions) as warranted. More specifically, OCIE's inspections of SRO surveillance, investigative, and disciplinary programs (enforcement programs) involve evaluating the parameters of surveillance systems, reviewing the adequacy of policies and procedures for handling the resulting alerts and investigations, and reviewing case files to determine whether SRO staff are complying with its policies and procedures. GAO identified several opportunities for SEC to enhance its oversight of SROs through its inspection program. First, although examiners have developed processes for inspecting SRO enforcement programs, OCIE has not documented these processes or established written policies relating to internal controls over these processes, such as supervisory review or standards for data collection. Such documentation could strengthen OCIE's ability to provide reasonable assurances that its inspection processes and products are subject to key quality controls. Second, OCIE officials said that they focus inspections of SRO enforcement programs on areas judged to be high risk. However, this risk-assessment process does not leverage the reviews that SRO internal and external auditors performed, which could result in duplication of SRO efforts or missed opportunities to direct examination resources to other higher-risk or less-examined programs. OCIE officials told us that they plan to begin assessing SRO internal audit functions in 2008, including the quality of their work products, which would allow OCIE to assess the usefulness of these products for targeting its inspections. Finally, OCIE currently does not formally track the implementation status of SRO inspection recommendations; rather, management consults with staff to obtain such information as needed. Without formal tracking, OCIE's ability to efficiently and effectively generate and evaluate trend information, such as patterns in the types of deficiencies found or the implementation status of recommendations across SROs, or over time, may be limited. SEC's Division of Enforcement uses an electronic system to receive referrals of potential violations from SROs. These referrals undergo multiple stages of review and may lead Enforcement to open an investigation. From fiscal years 2003 to 2006, SEC received an increasing number of advisories and referrals from SROs, many of which involved insider trading. However, SEC's referral receipt and case tracking systems do not allow Enforcement staff to electronically search all advisory and referral information, which may limit SEC's ability to monitor unusual market activity, make decisions about opening investigations, and allow management to assess case activities, among other things.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To enhance SEC oversight of SROs, the SEC Chairman should as part of the agency's ongoing efforts to improve information technology capabilities, ensure that any software developed for tracking SRO inspections includes the ability to track and report SRO responses to and implementation status of OCIE inspections recommendations.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: SEC's Office of Inspections and Examinations has developed an electronic examination workbook, the Tracking and Reporting Examinations National Documentation System ("TRENDS"), for all staff to use when conducting examinations. TRENDS is a web-based program that creates a uniform examination process and record-retention function for the National Examination Program. TRENDS captures each examination's purpose, scope, risk assessment, findings, and appropriate statistical data, as well as responses to deficiency letters and corrective actions taken. The Office of Market Oversight, which supervises self regulatory organizations, implemented TRENDS on or about July 9, 2012.

    Recommendation: To enhance SEC oversight of SROs, the SEC Chairman should ensure that Market Regulation makes certain that SROs include in their periodic risk assessment of their IT systems a review of the security of their enforcement-related databases, and that Market Regulation reviews the comprehensiveness and completeness of the related SRO-sponsored audits of their enforcement-related databases.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: SEC's Division of Trading and Markets (formerly Market Regulation) has implemented this recommendation by incorporating a review of the efforts by the SRO audit function, including their periodic risk assessments, over enforcement-related databases into its regular Automation Review Policy (ARP) inspection process.

    Recommendation: To enhance SEC oversight of SROs, the SEC Chairman should establish a written framework for conducting inspections of SRO enforcement programs to help ensure a reliable and consistent source of information on SRO inspection processes, minimum standards, and quality controls; and, as part of this framework, broaden current guidance to SRO inspection staff on the use of SRO internal audit reports to direct examiners to consider the extent to which they will rely on reports and reviews of internal and external audit and other risk-management systems when planning SRO inspections.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: This recommendation has been implemented. In August 2008, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued written guidance for those examiners that conduct inspections of self-regulatory organization (SRO) operations, including the enforcement programs of the SROs. This examination guidance outlines inspection processes, minimum standards, and quality controls. It also broadens current guidance to SRO inspection staff on the use of SRO internal audit reports by directing examiners to consider the extent to which they will rely on reports and reviews of internal and external audit and other risk-management systems when planning SRO inspections.

    Recommendation: To enhance SEC oversight of SROs, the SEC Chairman should as part of the agency's ongoing efforts to improve information technology capabilities, consider system improvements that would allow Enforcement staff to electronically access and search all information in advisories and referrals submitted by SROs and generate reports that would facilitate monitoring and analysis of trend information and case activities.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: On August 27,2008 staff from the Securities and Exchange Commission's Division of Enforcement confirmed that they implemented the recommendation by asking the Office of Information Technology to make system improvements that would allow enforcement staff to electronically access and search all information in advisories and referrals submitted by self-regulatory organizations. These system improvements will also allow the Enforcement managers to generate management reports.

    Apr 7, 2014

    Jan 8, 2014

    Dec 11, 2013

    Nov 14, 2013

    Oct 29, 2013

    Sep 6, 2013

    Jul 18, 2013

    Jul 8, 2013

    Looking for more? Browse all our products here