What GAO Found
The Securities and Exchange Commission (SEC) is statutorily required to assess the effectiveness of its internal supervisory controls and staff procedures. An SEC working group issued a guide to establish a consistent approach to compliance with the requirement across the Divisions of Corporation Finance, Enforcement, and Examinations and Office of Credit Ratings. The guide defines internal supervisory controls as actions management establishes to monitor that staff follow and consistently perform procedures.
In fiscal year 2021, SEC generally followed its guidance for conducting risk assessments and establishing internal supervisory controls. For example, the divisions and office assessed and documented the risks of staff not following procedures for examinations, investigations, and filing reviews and established internal supervisory controls to mitigate the risks.
SEC’s framework for assessing the effectiveness of internal supervisory controls generally was consistent with federal internal control standards. In turn, the divisions and office implemented processes consistent with SEC’s framework to assess the effectiveness of their internal supervisory controls for fiscal year 2021. They generally documented the work performed, including evidence collected and analyzed, and supported the results of their assessments. The divisions and office determined that the design and operations of their internal supervisory controls were effective in fiscal year 2021.
Division and office plans to assess the effectiveness of staff procedures generally were consistent with internal control standards and were implemented accordingly. But the Division of Enforcement did not document its work performed and results in a memorandum used to inform the division director about the staff procedures assessment. SEC guidance specifies that the methodology and testing results should be documented. Including such information in the memorandum would help ensure that management receives the information needed to certify compliance with section 961. GAO also found the written plans did not include potentially useful steps for assessing staff procedures.
Use of program data. The divisions and office collect data about their programs but do not consistently use the data to help assess the effectiveness of staff procedures. The development and monitoring of program metrics could enable the divisions and office to monitor trends and understand the extent to which such trends, including changes, positively or negatively relate to staff procedures.
Review of staff procedures. The written plans lack steps to periodically and comprehensively review staff procedures. Including such a review in the plans would help ensure that all staff procedures receive regular scrutiny and program manuals are kept current.
This was the first year the divisions and office implemented written plans for assessing staff procedures. The plans and associated processes will continue to evolve as the divisions and office gain experience.
Why GAO Did This Study
Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs SEC to assess and report annually on internal supervisory controls and procedures applicable to staff performing examinations, investigations, and securities filing reviews. The act also contains a provision for GAO to report on SEC’s internal supervisory control structure and staff procedures at least every 3 years. GAO’s last report was in 2019 (GAO-20-115).
This report examines SEC’s processes for assessing (1) risks of staff not following procedures (such as program manuals), (2) the effectiveness of its internal supervisory controls, and (3) the effectiveness of its staff procedures.
GAO analyzed SEC’s policies and guidance for assessing the effectiveness of its internal supervisory controls and staff procedures, reviewed records supporting SEC’s fiscal year 2021 assessment processes, and interviewed SEC officials.