But GAO says that although SEC examiners have developed processes for inspecting SRO programs, OCIE has failed to “document these processes or establish written policies relating to internal controls over these processes, such as supervisory review or standards for data collection.” Also, while OCIE officials focus their exams on areas of high risk, GAO says the risk-assessment process used “does not leverage the reviews that SRO internal and external auditors performed, which could result in duplication of SRO efforts or missed opportunities to direct examination resources to other higher-risk or less-examined programs.” GAO notes in its report that OCIE officials are now taking steps to remedy the situation and say they plan to begin assessing SRO internal audit functions in 2008, “including the quality of their work products, which would allow OCIE to assess the usefulness of these products for targeting its inspections.” Finally, GAO told the SEC that OCIE must begin tracking the implementation status of SRO inspection recommendations. “Without formal tracking,” GAO said in its report, “OCIE’s ability to efficiently and effectively generate and evaluate trend information, such as patterns in the types of deficiencies found or the implementation status of recommendations across SROs, or over time, may be limited.”
The GAO also pointed out in its report that SEC’s Division of Enforcement uses an electronic system to receive referrals of potential violations from SROs. However, SEC’s referral receipt and case tracking systems “do not allow Enforcement staff to electronically search all advisory and referral information, which may limit SEC’s ability to monitor unusual market activity, make decisions about opening investigations, and allow management to assess case activities, among other things,” the GAO said in its report.