This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
Securities and Exchange Commission
Office of Inspector General
Semiannual Report to Congress
During this reporting period (October 1, 1998 to March 31, 1999) the Office of Inspector General (Office) issued eight audit reports and five audit memoranda. The audits focused on the enforcement action memo process; international technical assistance; financial and administrative controls in three regional offices; implementation of the Government Performance and Results Act; year 2000 compliance efforts for Commission systems and EDGAR; the part-time employment program; control of computer equipment; contingency testing; password security; and electronic filing of ownership reports. The Audit Program section below describes these audits further.
The Commission is making substantial efforts to ensure that its information systems are year 2000 compliant. The conversion process entails significant risks and expenditures. We are monitoring the conversion and making recommendations, as appropriate.
Information resources management (IRM) continues to experience significant problems, which will complicate year 2000 efforts. Specifically, systems development contracting, IRM planning, and ADP security remain problem areas. The Office of Information Technology has reorganized and is increasing the use of out-sourcing to improve its performance. The Commission has also established a senior level information technology committee to monitor information technology investments.
Another previously reported significant problem involves controls over the collection of fees. Although statutory changes have eliminated many of the fees most at risk and the Commission has made many improvements in controls over the collection of filings fees, the overall control structure remains inadequate. This condition will remain until a new fee system, which is currently in development, is implemented.
The Office issued eight audit reports and five audit memoranda during the reporting period. The reports contained a total of 70 recommendations, which are further described below. Management generally concurred with the recommendations.
Enforcement Action Memo Process Audit 276, March 18, 1999
We conducted an audit of the Commission's Enforcement Action Memoranda Process. Action memoranda are the primary formal communications from the Enforcement staff to the Commissioners about investigations of alleged violations of securities laws. Commission instructions, based on the information in action memoranda, provide the Enforcement staff guidance concerning the case.
The objective of the audit was to determine how well the staff and Commissioners communicate through this process. The audit primarily consisted of 13 structured workshops, with approximately 19% of the Enforcement staff participating, and interviews with non-Enforcement staff involved in the process.
The workshop participants indicated that, generally, the staff is successfully obtaining case specific instructions from the Commission by providing it relevant information, although some obstacles are impairing the Commission's ability to fully achieve this objective.
Among the recommendations suggested by the participants were: (1) enhanced communication of Commission and Division information needs, policies, and procedures to the staff; (2) improved capability to research related previous action memoranda; (3) standardization of review procedures, especially those of interested offices and divisions; and (4) additional training on the Enforcement action memoranda process.
We recommended the establishment of an Enforcement Task Force on the Action Memoranda process to consider the participants' recommendations (and any the Task Force generates or identifies from other sources) and implement those recommendations that have merit. The Enforcement Division has already begun taking significant steps to improve the action memoranda process and we commended it for its timely efforts.
GPRA Performance Measures Audit 283, March 16, 1999
The Government Performance and Results Act of 1993 requires agencies to define their mission and goals, measure their performance toward those goals, and report to the Congress and the public on their progress. Agencies must develop five-year strategic plans, annual performance plans and annual performance reports. The fiscal year 1999 performance plan is the first required and the first performance report is due by March 31, 2000. Performance plans and reports should include quantitative performance measures, unless the agency obtains OMB approval for alternative measures.
The Commission organized a GPRA Task Force, composed of senior staff from the offices and divisions, to coordinate its efforts. The Chairman's Office, the Office of the Executive Director, and the Office of the Comptroller share overall responsibility for implementing GPRA requirements. These offices also oversee the Commission's proposed budget. As a result of the Task Force's efforts, the Commission has generally complied with GPRA requirements. It issued a five-year strategic plan in September 1997 and annual performance plans for 1999 and 2000.
Our objective was to determine whether fiscal year 1997 performance measures in the 1999 performance plan materially agreed with supporting records. We wanted to help ensure that reported data are adequately supported when the Commission makes its first performance report. We selected a judgment sample of 16 of 27 output performance measures in the FY 1999 performance plan, and examined supporting records, including computer print-outs and source documents. We did not evaluate whether the measures themselves were appropriate.
We found that the Commission can improve the support for performance measures in its 1999 performance plan. Half of the measures we reviewed (8 of 16) did not agree with supporting records. Like other federal agencies, the Commission apparently encountered difficulties in the definition, data collection, and reporting phases of performance measurement. Besides recommendations to improve the supporting records, we recommended additional GPRA training and guidance and improved controls in the tracking systems generating the measures. Commission offices and divisions have already taken several corrective actions in response to our findings and recommendations.
International Technical Assistance Audit 284, October 27, 1998
The Office of International Affairs (OIA) coordinates Commission technical assistance (TA) to foreign countries. TA helps foster relationships with foreign regulators and improves the quality of securities regulation in foreign markets.
Technical assistance requests are screened based on the nature and timing of the requests and the potential demands on Commission resources. Each request is assigned to an OIA staff member. Where necessary, input from other Commission offices and divisions is obtained.
We reviewed the Commission's process for providing TA. The primary audit objective was to determine the efficiency and effectiveness of the process.
We reviewed a sample of TA request files to verify compliance with OIA policies and procedures and to assess controls over the requests. In addition, we reconciled TA expenditures under a reimbursable agreement and sent a survey to 11 foreign regulators to which the Commission provided TA. We also examined other documentation and interviewed Commission and foreign officials.
Overall, we found that the Commission's process for providing TA was operating efficiently and effectively. Additionally, foreign officials generally complimented the timeliness and professionalism of Commission staff.
We identified steps that would enhance the efficiency and effectiveness of the process. Specifically, we made recommendations to OIA regarding their organizational structure and use of resources, foreign regulator suggestions, recording and tracking of requests, fulfilling of requests, and evaluation forms and surveys.
Philadelphia District Office Audit 286, December 29, 1998
The Philadelphia District Office (PDO) assists the Northeast Regional Office in administering Commission programs in the northeast portion of the country. In carrying out its responsibilities, the PDO exercises a broad range of financial and administrative functions, including maintaining time and attendance records; procuring supplies and services; arranging for staff travel; maintaining an inventory of property; and recording budgeted and actual expenditures of the office.
We reviewed the financial and administrative controls of the Philadelphia District Office. The audit procedures were limited to interviewing PDO staff, reviewing supporting documentation, and conducting selected tests of transactions.
During the review, we made recommendations involving two material issues. Commission guidance for determining the appropriate size of imprest funds needs to be enhanced. To save money, the PDO should order only enough transit subsidy checks to cover yearly needs.
Otherwise, we found that the PDO's controls were generally adequate, implemented economically and efficiently, and in compliance with Commission policies and procedures.
Boston District Office Audit 287, October 23, 1998
The Boston District Office (BDO) also assists the Northeast Regional Office in administering Commission programs in the northeastern portion of the United States. In carrying out its responsibilities, the BDO exercises a broad range of financial and administrative functions.
We reviewed the financial and administrative controls of the BDO. The audit procedures were limited to interviewing BDO staff, reviewing supporting documentation, and conducting selected tests of transactions.
We identified material issues relating to the ordering of court reporter services; maintenance of blotter records; reimbursement of telephone calls; use of a property tracking system; and use of the government credit card.
Otherwise, our limited review indicated that the BDO's controls were adequate, implemented economically and efficiently, and in compliance with Commission policies and procedures.
Southeast Regional Office Audit 292, March 29, 1999
The Southeast Regional Office (SERO) in Miami, Florida administers Commission programs in the southeastern portion of the United States. In carrying out its responsibilities, the SERO exercises a broad range of financial and administrative functions.
We reviewed the financial and administrative controls of the SERO. The audit procedures were limited to analyzing representations made by SERO staff, reviewing supporting documentation, and conducting some tests of transactions.
During our limited audit, no material weaknesses in the SERO's financial and administrative controls came to our attention.
Year 2000 Compliance Efforts Audit 293, January 25, 1999
We continued to audit the Commission's efforts in making its internal computer systems year 2000 compliant. This report covered the period from July 16 to September 30, 1998.
During the audit, we interviewed staff, reviewed relevant documentation, and conducted a survey of offices and divisions remediating PC systems. We also followed up on recommendations from our first year 2000 report (issued August 24, 1998).
We found that the Commission has taken numerous steps to address the year 2000 issue. It has intensified senior management involvement, enhanced project tracking mechanisms, identified the highest priority systems for remediation, finalized the year 2000 project management plan, and begun developing an independent verification and validation test plan. In addition, it is implementing recommendations from our prior report on year 2000 compliance.
We surveyed divisions and offices remediating non-OIT systems. We found that these PC-based systems are generally not at high risk.
Like many other federal agencies, the Commission continues to have difficulties meeting year 2000 deadlines established by the Office of Management and Budget. One major reason is long-standing weaknesses in the Office of Information Technology (OIT), which is primarily responsible for year 2000 remediation on mainframe and network systems. OIT has been restructured and is undertaking efforts to address these weaknesses.
We made several recommendations to improve the Commission's compliance efforts. These included supporting the year 2000 project separately from OIT's reorganization; consolidating documentation for business contingency planning; and enhancing OIT's decision-making processes.
EDGAR Year 2000 Status Report Audit 297, March 19, 1999
The Office of Inspector General continued to audit the Commission's efforts in making EDGAR year 2000 compliant. This report covered our review of the period from June 16, 1998 to February 9, 1999. It follows up on Audit Memorandum No. 8, issued May 18, 1998, and the Status Report on Year 2000 Compliance, issued August 24, 1998 (Audit Nos. 274, 275, and 282). Our audit work consisted of interviews with Commission and contractor staff and review of available documentation.
We found that the Commission has made several decisions regarding EDGAR year 2000 compliance. It has decided to certify the existing EDGAR code, based on a code review and the fact that the code was written to be year 2000 compliant. The Commission plans to hire a contractor to oversee development and testing of the modernized EDGAR code, and will allow filer testing in the summer of 1999.
We recommended that the Office of Information Technology prepare a final EDGAR test plan (with the concurrence of the Chairman and the Executive Director); that the Commission strengthen EDGAR contract administration; and that the Contracting Officer consider revising EDGAR contract provisions on year 2000 compliance.
Part-time Employment Program Audit Memorandum 11, October 21, 1998
Under the Federal Employees Part-Time Career Employment Act of 1978, agencies are required to establish by regulation a program for part-time career employment. By memorandum dated July 11, 1994, the President directed agencies to establish a program to encourage and support family-friendly work arrangements, including part-time employment.
The Commission had not formally established a part-time employment program as required, although a number of employees currently work part-time. Also, the Office of Administrative and Personnel Management is planning to establish a focus group to consider positions which may be suitable for part-time employment.
We recommended that the Office of Administrative and Personnel Management establish a part-time employment program that complies with regulatory and statutory requirements, and the President's directive.
Control of Computer Equipment Audit Memorandum 12, December 29, 1998
In October 1998, computer processing chips valued at $35,000 were reported missing and presumed stolen. Further review located the missing chips. However, the incident highlighted weaknesses in the controls over computer equipment.
We interviewed staff and toured the areas used to store computer and other equipment.
Management is not satisfied with current procedures for controlling computer equipment. They also believe that communication and coordination between responsible organizations could be improved. While regulations have been issued covering computer equipment, the regulations are apparently not functioning as intended.
We recommended that the offices involved address these issues through the Property Task Force that the Office of the Executive Director recently convened.
Contingency Testing Audit Memorandum No. 14, March 15, 1999
Contingency testing of Commission information systems should be performed on a systematic, ongoing basis. As the Office of Management and Budget stated in Circular A-130:
Experience has demonstrated that testing a contingency plan significantly improves its viability. Indeed, untested plans or plans not tested for a long period of time may create a false sense of ability to recover in a timely manner.
The Commission has not performed a contingency test of its mainframe computers since August 1996. Since that time, the water-cooled mainframes have been replaced by smaller air-cooled models.
According to the Office of Information Technology (OIT), the EDGAR system was last tested in January 1998. When we requested documentation of the test plans, results, and analysis, only the contractor had it. OIT has since obtained the documentation for its files.
The local area and data communication networks have not been tested since November 1994. Meanwhile, the Office of Information Technology has been undergoing a reorganization, with significant personnel changes.
OIT has drafted guidance on contingency testing. We recommended that the guidance be finalized, and that OIT periodically test Commission contingency plans.
Password Security Audit Memorandum No. 15, March 15, 1999
This audit memorandum described an access control weakness in the Federal Financial System (FFS), the Commission's primary accounting system. The Office of Inspector General identified the weakness when its staff sought access to FFS for entering travel authorizations. No unauthorized access or loss was attributed to the weakness.
The security risk has been mitigated by the Comptroller's Office, based on our recommendation. In addition, the Office of Information Technology indicated that it expanded its draft technical bulletin covering passwords.
Electronic Filing of Ownership Reports Audit Memorandum No. 16, March 31, 1999
The EDGAR rules allow, but do not require, electronic filing of ownership reports on Forms 3, 4, and 5, and notices of proposed sales of restricted securities on Form 144. Currently, many of these reports and notices are being filed on paper, rather than electronically.
The Commission has generally mandated electronic filing to improve disclosure to the investing community, except when overriding considerations are present. Purchases and sales of company stock by insiders are of keen interest to the investing community.
Accordingly, we recommended mandatory electronic filing of these forms after EDGAR modifications are completed to implement a new format for electronic filings. Officials from the Division of Corporation Finance and the Office of Filings and Information Services agreed with our recommendation.
Ten investigations were closed during the period. Four cases were referred to the Commission; one was also referred to the Department of Justice (which declined prosecution). Eight referrals to Commission management remain pending.
At the close of the period, five investigations were pending. The pending investigations included allegations of violation of computer security rules, a prohibited personnel practice, misrepresentation, bribery, and theft of Commission property. The most significant cases closed during the period are described below.
We investigated allegations that Commission Enforcement staff brought legal action in bad faith for discriminatory reasons. In addition, the complainant alleged that a guilty party was not charged and that the Commission improperly used this party to testify against the complainant. The evidence developed in our investigation failed to substantiate any of the allegations against Commission staff.
An investigation developed evidence that a Commission staff member secretly tape-recorded a conversation with a supervisor, in violation of a state statute. We referred the matter to the District Attorney and Commission management. The District Attorney declined prosecution. Administrative action by Commission management is under consideration.
At our request, the Office of Inspector General of another Federal agency conducted an investigation of a senior Commission official. Allegations were received that the Commission official accepted a bribe to influence decisions concerning a securities investigation. The evidence developed in that Office of Inspector General's investigation failed to substantiate the allegations.
We investigated allegations that a senior Commission manager retaliated against an employee who furnished information to our Office. The complainant was not selected for a promotion. Evidence developed in our investigation failed to substantiate the allegation that the non-selection was retaliatory.
We developed evidence that a Commission employee disseminated non-public information to a former employee. Commission management is considering administrative action against the current employee.
Conflict of interest
We investigated allegations that a senior Commission official participated personally and substantially in a matter in which the official had a financial interest. Our investigation developed evidence that the official lacked actual knowledge of the financial interest at the time the official participated in the matter.
No new significant problems were identified, based on work completed during the period.
Significant Problems Identified Previously
During the reporting period, we continued to audit the Commission's efforts to make its systems year 2000 compliant (see above, audits 293 and 297). The scope of the audits includes EDGAR and Commission internal systems.
Year 2000 conversion will require significant resources and pose material risks for the Commission. The Commission is making substantial efforts to address the problem. However, these efforts are complicated by operational problems in the Office of Information Technology (described below). We intend to monitor the entire conversion process and are sharing our findings and recommendations with OIT as they are developed.
Information Resources Management
Information resources management remains a significant concern, particularly the areas of contracting for systems development, information resources planning, and ADP security. SEC management is, however, undertaking efforts to strengthen these areas. Management has established a senior level information technology committee to oversee information technology investments, begun to outsource much of the more routine operational information technology activities, and recently completed a restructuring of its Office of Information Technology. The restructured organization has begun to focus on core agency activities such as technical architecture, strategic planning, project management, security, and customer support.
Significant improvements have already been made in the ADP security area. Management has issued an agency-wide information technology security policy; provided training to SEC staff and contractors on security issues; instituted a security review program to regularly assess the agency's security posture and monitor the results of those assessments; and developed an internal security website that contains security alerts, technical bulletins, and approved software patches that eliminate identified vulnerabilities.
Collection of Filing Fees
A prior audit of the collection of filing fees confirmed the Commission's previous assessment that the management controls were not in material conformance with accounting standards. Although statutory changes have eliminated many of the fees most at risk and Commission management has made significant progress in correcting the most serious weaknesses, some corrective actions must await the implementation of a new computerized collection system.
The fee system is being redesigned and implemented under the EDGAR modernization contract. A working group of managers and users is working with the contractors and developers to ensure that the new fee system contains adequate financial controls and meets the agency's and filers' requirements. Until these corrective actions are fully implemented, the overall control structure will continue to fail to provide assurance that accountability over filing fees is adequate.
Access to Information
The Office of Inspector General has received access to all information required to carry out its activities. No reports to the Chairman, concerning refusal of such information, were made during the period.
Executive Council on Integrity and Efficiency
The Office actively participates in the activities of the Executive Council on Integrity and Efficiency (ECIE). The Inspector General attends ECIE meetings, is an active member of its Financial Institutions Regulatory Committee, and serves as the ECIE representative to, and member of, the Integrity Committee of the President's Council on Integrity and Efficiency (PCIE).
The Counsel and Associate Counsel to the Inspector General are active members of the PCIE Council of Counsels. The Council considers legal issues relevant to the Inspector General community.
Reports with No Management Decisions
Management decisions have been made on all audit reports issued before the commencement of this reporting period (October 1, 1998).
Revised Management Decisions
No management decisions were revised during the period.
Agreement with Significant Management Decisions
The Office of Inspector General agrees with all significant management decisions regarding audit recommendations, including "Funds put to Better Use" and "Questioned Costs."