The Government Accountability Office (GAO) recently told the SEC to beef up its oversight of self-regulatory organizations (SROs).
The GAO wants the securities regulator to do so by establishing a written framework for conducting SRO inspections, expanding the use of SRO internal review products, and enhancing information technology to improve the SEC’s ability to track and analyze SROs’ implementation of inspection recommendations and SRO referral data.
SEC’s Office of Compliance Inspections and Examinations (OCIE) is responsible for conducting routine and special inspections of SRO regulatory programs. OCIE conducts inspections of key programs every one to four years, and inspects larger SROs more frequently. Special exams arise from tips or prior recommendations for follow-ups or enforcement actions, the GAO notes in its report.
But GAO says that although SEC examiners have developed processes for inspecting SRO programs, OCIE has failed to “document these processes or establish written policies relating to internal controls over these processes, such as supervisory review or standards for data collection.” Also, while OCIE officials focus their exams on areas of high risk, GAO says the risk-assessment process used “does not leverage the reviews that SRO internal and external auditors performed, which could result in duplication of SRO efforts or missed opportunities to direct examination resources to other higher-risk or less-examined programs.” GAO notes in its report that OCIE officials are now taking steps to remedy the situation and say they plan to begin assessing SRO internal audit functions in 2008, “including the quality of their work products, which would allow OCIE to assess the usefulness of these products for targeting its inspections.” Finally, GAO told the SEC that OCIE must begin tracking the implementation status of SRO inspection recommendations. “Without formal tracking,” GAO said in its report, “OCIE’s ability to efficiently and effectively generate and evaluate trend information, such as patterns in the types of deficiencies found or the implementation status of recommendations across SROs, or over time, may be limited.”
The GAO also pointed out in its report that SEC’s Division of Enforcement uses an electronic system to receive referrals of potential violations from SROs. However, SEC’s referral receipt and case tracking systems “do not allow Enforcement staff to electronically search all advisory and referral information, which may limit SEC’s ability to monitor unusual market activity, make decisions about opening investigations, and allow management to assess case activities, among other things,” the GAO said in its report.