Semiannual Report to Congress: October 1, 2003 to March 31, 2004
March 31, 2004
Securities and Exchange Commission Office of Inspector General
Semiannual Report to Congress
October 1, 2003 to March 31, 2004
During the first half of fiscal year 2004, the Office of Inspector General assisted the Commission in its efforts to:
- Curtail trafficking in lost and stolen securities,
- Strengthen the Commission's IT capital planning and investment controls,
- Improve its process for responding to investor inquiries,
- Enhance the integrity of the Commission and its staff by investigating allegations of misconduct,
- Strengthen controls over planning the enforcement of full disclosure rules,
- Reduce the risk of release of non-public, Investment Management documents,
- Enhance the effectiveness of the Commission's work/life program,
- Strengthen controls over the use of telephone cards by Commission employees,
- Obtain unclaimed property held in the Commission's name by state authorities,
- Enhance the operational effectiveness and efficiency of the Commission's regulation of public utility holding companies,
- Improve the controls that ensure compliance with small business exemptions
- Save travel funds by encouraging timely travel reservations and use of discount tickets,
- Enhance the effectiveness of x-ray screening machines in the field offices,
- Ensure appropriate consideration of rural areas during office relocations, as required by statute, and
- Assure the effectiveness of regional office administrative controls.
Executive Summary
During this period (October 1, 2003 to March 31, 2004), the Office of Inspector General (Office) issued nine audit reports, five audit memoranda, and one investigative memorandum on management issues. These evaluations focused on the Commission's plans for the enforcement of full disclosure rules; IT capital investment planning and control; the small business exemption process; regulation of public utility holding companies; Commission responses to investor inquiries; the telephone card program; the lost and stolen securities program; the Commission work/life program; administrative controls in the Central Regional Office; unclaimed Commission property; discounted airfare tickets; Commission-wide use of x-ray scanners; priority to rural areas for new offices; inappropriate release of non-public information; and web based e-mail accounts.
Ten investigations were closed during the period. Five subjects were referred to the Commission. Two subjects were referred to the Department of Justice, which declined prosecution. One subject referred to the Commission during a prior period was removed, and another resigned. In addition, a subject referred to the Commission during a prior period was suspended for 14 days. Eight subjects referred to the Commission during this period and prior periods are awaiting disposition. The Investigative Program section below describes the significant cases.
Information resources management (IRM) has been previously reported as a significant problem. During this period, the Commission continued to improve its management of these resources, but significant weaknesses remain. We intend to maintain our audit focus in this important area.
An audit completed in a prior period found that Commission financial management controls for fiscal year 2002 were effective in all material respects except for controls over property accountability, accounting and control of disgorgements, information system and security program controls, and the Disgorgement and Penalties Tracking System. Accordingly, we reported these exceptions, taken together, as a significant problem. Several high-level task forces have taken steps or are currently taking steps to correct these weaknesses. We commend the Commission for initiating prompt corrective actions and its continuing efforts to strengthen its financial management controls.
No management decisions were revised during the period. The Office of Inspector General agrees with all significant management decisions regarding audit recommendations.
Audit Program
The Office issued nine audit reports, five audit memoranda, and one investigative memorandum on management issues during the reporting period. These documents contained a total of 95 recommendations, which are further summarized below. Management generally concurred with the recommendations, and in many cases took corrective actions during the audits.
PLANNING THE ENFORCEMENT OF FULL DISCLOSURE RULES (AUDIT 356)
The Division of Corporation Finance (CF) develops disclosure requirements and reviews corporate filings to monitor compliance. Also, it occasionally reviews disclosures to evaluate compliance with specific rules. We evaluated CF's controls over how it plans to enforce its rules.
We found that CF develops numerical and timeliness goals for its reviews of filings. Also, CF told us that it has developed, and continues to revise, substantive preliminary review criteria to assist it in selecting filings for review.
We recommended that CF develop a methodology for assessing the benefits of these reviews that it could then use to develop results-based goals. To address this, CF is developing a report to evaluate review results. Also, we recommended that CF revise its rulemaking procedures as appropriate to reflect its practice of considering compliance monitoring during the drafting of rules.
We recommended that CF also use filing review data in its Filing Activity Tracking System (FACTS) more effectively and explore ways to link the various CF databases. In addition, we recommended that CF tell the Commission how it plans to monitor compliance with proposed rules when appropriate.
IT CAPITAL INVESTMENT DECISION MAKING-FOLLOW-UP (AUDIT 365)
In a prior review of the Information Technology (IT) Decision-Making Process (No. 334), we proposed a structured process for developing IT proposals and evaluating, prioritizing, and recommending IT investments for funding approval. In July 2001, the Commission revised its process based on our recommendations, and established an enhanced organizational control structure.
Our audit objective in this review was to evaluate the Commission's progress in implementing IT capital investment control and decision-making best practices, and to follow-up on our prior review.
We found that the Commission has made progress in establishing an IT investment process that complies with applicable laws and regulations, and incorporates best practices from the public and private sectors. However, the Commission's process still does not meet the minimum criteria of GAO's Information Technology Investment Management Maturity Model and is not in full compliance with applicable laws and regulations.
We made a number of recommendations to strengthen the governance of this function. We indicated that the Commission needs to assign specific responsibility, and delegate appropriate authority, for establishing a compliant and effective decision-making process. To ensure that the necessary changes are completed timely, we also recommended that the Commission implement a performance accountability process.
SMALL BUSINESS REGULATION D EXEMPTION PROCESS (AUDIT 371)
Regulation D contains specific requirements to exempt a sale of securities from registration under the 1933 Act. We evaluated the Division of Corporation Finance's process for assessing whether companies appropriately used the Regulation D exemptions.
We found that the Division's Office of Small Business Policy provides guidance to industry on Regulation D questions and conducts annual conferences to discuss matters affecting small businesses. Also, the Office has proposed revising and requiring electronic filing of the Form D notice to make it more useful.
We found that the Division could improve the controls that ensure compliance with Regulation D. We recommended that the Division compare the Form D notice to the disclosure of unregistered sales of securities in other filings, and that the Division coordinate with the Office of Compliance Inspections and Examinations on Regulation D issues. Also, we recommended that the Form D be revised to include certain information to show compliance with Regulation D.
REGULATION OF PUBLIC UTILITY HOLDING COMPANIES (AUDIT 372)
The Public Utility Holding Company Act (PUHCA) generally bars non-utilities from owning utilities and prohibits public utility holding companies from owning utilities in different parts of the country. The Act was designed to protect consumers and investors against abuses by holding companies. The Office of Public Utility Regulation (OPUR) in the Division of Investment Management administers PUHCA.
We evaluated the operational effectiveness and efficiency of OPUR's activities, including its oversight of companies subject to regulation, the examination process and office organization.
We observed that the number of accountants and financial analysts in OPUR may not be sufficient and recommended that OPUR hire staff with accounting or financial analysis backgrounds, as resources permit. We also made recommendations to enhance the timeliness and tracking of OPUR work products, update obsolete rules and forms, monitor exempt companies more proactively, provide additional guidance to regulated companies on OPUR's examination process and PUHCA requirements, and enhance OPUR's operational effectiveness.
COMMISSION RESPONSES TO INVESTOR INQUIRIES (AUDIT 373)
The Investor Education and Assistance Program (IEAP) consists of 35 staff in the Office of Investor Education and Assistance (OIEA) and 14 Investor Assistance Specialists in the field offices. The IEAP responds to investor inquiries, assists investors with complaints, and conducts investor educational activities.
Investors can obtain answers to their questions either by using the Commission's web site to locate information that the staff has posted, or by asking questions to the staff by telephone calls, letters, faxes, and e-mails.
We evaluated the effectiveness and efficiency of Commission responses to investor inquiries. We found that the staff responds to investor inquiries timely. Also, we did not identify any instances of OIEA providing investors with inaccurate information.
We made several recommendations to improve the inquiry response process, including evaluating the effectiveness of the process, improving search results, considering the appropriate level of quality assurance reviews, increasing the use of technology, and enhancing the separation of duties.
TELEPHONE CARD PROGRAM (AUDIT 376)
Commission employees are issued a telephone card as needed for business-related purposes (e.g., telework or travel). We reviewed whether controls over the calling cards were adequate, and implementation of the program was cost effective.
We recommended several enhancements to the program, including issuance of program guidance, expanded use of the program, written use agreements, and enhanced procedures for identifying and preventing misuse and overcharges.
An unrelated issued developed during our review concerned apparently erroneous charges totaling $132,000 for regional telephone service. We recommended that these charges be recovered from the General Services Administration (GSA), and future billings from GSA be reviewed for accuracy.
LOST AND STOLEN SECURITIES PROGRAM (AUDIT 377)
Under the Securities and Exchange Act of 1934, the Commission administers a Lost and Stolen Securities Program (LSSP) to curtail trafficking in lost, stolen, missing and counterfeit securities certificates. To achieve the Program's objective, the Commission awarded a contract to the Securities Information Center (SIC) to operate a computerized database of lost, stolen, missing and counterfeit certificates.
We found that the Division of Market Regulation (MR), which is responsible for overseeing the Program, and members of the LSSP Advisory Board (an informal discussion group) are generally satisfied with the operation of the Program. We also found that SIC, the contractor since the Program's inception in 1977, generally appears to be in compliance with the most recent contract (awarded in 2003).
We recommended that MR: ensure banks' compliance with the Program's registration requirement; suggest to SIC that it include bank regulatory agencies on the LSSP Advisory Board and increase the frequency of Board meetings; request additional financial and Program information from SIC; review the current allocation of Program fees among participants to determine if it should be revised; and ensure that fees for voluntary reports to the database are reasonable and consistent with the contract with SIC.
In addition, we recommended that the Offices of Information Technology (OIT), Filing and Information Services (OFIS), and Financial Management (OFM) determine the applicability of federal information technology, records management, and financial management laws and regulations to the LSSP.
COMMISSION WORK/LIFE PROGRAM (AUDIT 379)
The Office of Human Resources and Administrative Services (OHRAS) administers the Commission's work/life program. OHRAS has implemented many of the Office of Personnel Management's (OPM) suggested policies and procedures to help employees balance the demands of work and life, including family leave, part-time employment, alternative work schedules, and telework.
We reviewed the program to determine if it was effective and efficient, meeting its intended goals and objectives, consistent with OPM guidance, and compared favorably with work life programs at other agencies.
We found that the program was generally effective, efficient, and in compliance with applicable guidance. Our recommended enhancements included: reviewing the results of our employee survey, and conducting similar surveys in the future; adding E-learning to the authorized permissible uses of telework; adding a sample of courses typically approved for reimbursement to the tuition assistance guidelines; and assigning Work/Life coordinator duties to an employee in each field office.
CENTRAL REGIONAL OFFICE (AUDIT 382)
The Central Regional Office (CRO) exercises a broad range of financial and administrative functions, including maintaining time and attendance records; procuring supplies and services; arranging for staff travel; maintaining an inventory of property; and recording budgeted and actual expenditures of the office. We conducted a limited audit of the financial and administrative controls of the CRO.
Our limited review indicated that the controls of the CRO were generally adequate, implemented economically and efficiently, and in compliance with Commission policies and procedures. We discussed some non-material findings and informal recommendations with CRO's management.
In addition, we recommended that the Office of Information Technology reconcile its inventory records with the actual inventory of ADP equipment maintained by the CRO. We found that CRO and other field offices were not using their x-ray scanning machines to scan incoming mail and packages. We addressed this issue in Audit Memorandum No. 35 (see below).
UNCLAIMED COMMISSION PROPERTY (AUDIT MEMORANDUM 33)
Based on an allegation, we found that an Internet web site listed numerous instances of unclaimed property being held in the Commission's name by state authorities. The grand total of unclaimed Commission property identified through our search was $46,650.06.
We recommended that the Office of Financial Management send letters to the appropriate state authorities, requesting a refund of any unclaimed funds belonging to the Commission.
DISCOUNTED AIRFARE TICKETS (AUDIT MEMORANDUM 34)
During our review of an allegation concerning Commission travel, we learned that the General Services Administration now asks agencies to encourage their employees to reserve their trips within required timeframes. Agencies can then purchase discounted tickets when the airlines offers them, if the tickets would result in a lower total cost to the government.
We recommended that the Office of Financial Management (OFM) tell employees to make travel arrangements within required timeframes, so as to qualify for available discounted tickets. We also recommended that OFM ask the Commission's travel management centers to use discount fares when appropriate.
COMMISSION-WIDE USE OF X-RAY SCANNERS (AUDIT MEMORANDUM 35)
We performed a survey to evaluate Commission-wide use of x-ray machines, which are used to scan incoming mail and packages. These machines were installed in the Operations Center, Headquarters and all the field offices in fiscal year 2002.
We found that Headquarters attempts to scan all mail that was not previously scanned or irradiated. However, the Operations Center and most of the field offices do not use the machines daily to scan incoming mail and packages. Only three of the eleven field offices use the machines daily to screen mail. Several offices use it only when they identify a suspicious package. The Operations Center staff use the machine when an item looks suspicious and to scan all mail when the United States Government is operating under a "code orange" alert.
We recommended that the Office of Human Resources and Administrative Services (OHRAS) provide written guidance to Headquarters, the Operations Center and the field offices on how often and under what circumstances to use the x-ray machines and what to do if a suspicious item is identified. We also recommended that OHRAS provide additional training on the proper use of the x-ray machines for those offices needing it.
PRIORITY TO RURAL AREAS FOR NEW OFFICES (AUDIT MEMORANDUM 36)
In Audit Memorandum No. 30, issued June 19, 2003, we recommended that the Office of Human Resources and Administrative Services (OHRAS), establish and maintain policies and procedures giving first priority to the location of new offices and other facilities in rural areas, as required by the Rural Development Act of 1972 (RDA), 7 U.S.C. § 2204b-1. We also recommended that OHRAS comply with the RDA requirement (and the policies and procedures they established to implement the requirement) when deciding on the location of Commission offices and other facilities.
The Consolidated Appropriations Act of 2004 (Public Law 108-199) Division F, Title V1 Section 636 enacted January 23, 2004, requires the Inspector General of each agency to submit a report to the Committee on Appropriations. The report should provide details on the policies and procedures the agency has in place to give first priority to the location of new offices in rural areas, as directed by the RDA.
We found that OHRAS is in the process of implementing our prior recommendations. It has drafted an update to the Commission's space management guidance (SECR 5-8) to incorporate the RDA requirements. OHRAS considered the RDA requirement by preparing needs analysis when the Boston District Office's lease for office space recently needed to be renewed. We recommended that OHRAS should finalize its update to the space management guidance incorporating the RDA requirements.
INAPPROPRIATE RELEASE OF NON-PUBLIC INFORMATION (AUDIT MEMORANDUM 37)
We learned that non-public internal Commission documents had been posted on an Internet web site. Subsequently, we conducted a limited evaluation of the Division of Investment Management's (IM) internal controls designed to prevent the release of non-public no-action letter documents to the public.
We found that, in almost all cases, the release of documentation in our sample of no-action letters was appropriate. However, we found one additional case of an internal Commission document being inappropriately posted on the Internet.
We recommended several steps to improve Commission controls, including: updating the written procedures used by IM and the Office of Filings and Information Services (OFIS); stamping internal memorandum "non-public," as appropriate; and scanning materials sent to OFIS to detect non-public materials.
WEB BASED E-MAIL ACCOUNTS (INVESTIGATIVE REPORT ON MANAGEMENT ISSUES G-376)
During several investigations conducted by our office, we learned that employees under investigation had routinely accessed web-based e-mail accounts from Commission computers. These employees indicated that this practice is widespread in the Commission.
We recommended that the Office of Information Technology (OIT) either block Commission employees from accessing web-based accounts, or else remind employees that such access is contrary to Commission policy because of the threat of viruses. OIT subsequently issued a notice to all staff regarding this issue.
Investigative Program
Ten investigations were closed during the period. Five subjects were referred to the Commission. Two subjects were referred to the Department of Justice, which declined prosecution. One subject referred to the Commission during a prior period was removed, and another resigned. In addition, a subject referred to the Commission during a prior period was suspended for 14 days. Eight subjects referred to the Commission during this period and prior periods are awaiting disposition. The most significant cases closed during the period are described below.
UNAUTHORIZED DISCLOSURE
The Office investigated allegations that Commission staff, on several separate occasions, may have improperly disclosed to reporters non-public information concerning Commission enforcement investigations and related matters. The evidence developed during the investigations failed to substantiate the allegations of unauthorized disclosure by Commission staff.
CONFLICT OF INTEREST
An investigation found evidence that a Commission official had participated in matters, despite the appearance of a personal conflict of interest. The Department of Justice declined prosecution, and administrative action is pending.
MISREPRESENTATION
An Office investigation developed evidence that a staff member had misrepresented the staff member's professional credentials in an application for a promotion, as well as on other occasions. The Department of Justice declined prosecution and administrative action is pending.
FALSE STATEMENT AND CONFLICT OF INTEREST
The Office investigated allegations that a staff member may have falsified information in the staff member's employment application and had a conflict of interest in a matter assigned to the staff member. The evidence developed during the investigation failed to substantiate the allegations.
ABUSIVE AND INTIMIDATING CONDUCT
An Office investigation developed evidence that a staff member had engaged in a pattern of abusive and inappropriate behavior in the workplace over a substantial period of time. Administrative action is pending.
ASSAULT AND MISLEADING STATEMENTS
An investigation disclosed evidence that a Commission employee had assaulted a co-worker during a work-related dispute. We also obtained evidence that the employee made misleading and malicious statements against the co-worker. Administrative action is pending.
Significant Problems
No new significant problems were identified during the period.
Significant Problems Identified Previously
FINANCIAL MANAGEMENT SYSTEMS CONTROLS
An OIG contractor completed an audit of Commission financial management systems controls during a prior period (Audit No. 362). The audit found that Commission financial management controls for fiscal year 2002 were effective in all material respects 1 except for three material weaknesses and one material non-conformance. The exceptions concerned property accountability, accounting and control of disgorgements, information system and security program controls, and the Disgorgement and Penalties Tracking System. We reported that, taken together, these financial management exceptions are a significant problem for the Commission.
Management concurred with our recommendations to strengthen these financial controls, and several high-level task forces have taken actions or are taking actions to correct the weaknesses. GAO will review the corrective actions taken by the task forces as part of its audit of the Commission's financial statements.
We commend the Commission for its prompt actions to address the identified weaknesses in financial management systems controls.
INFORMATION RESOURCES MANAGEMENT
Since April 1996, we have reported information resources management (IRM) as a significant problem based on weaknesses identified by audits, investigations, and management studies. Significant IRM weaknesses of continuing concern include IT capital investment decision-making; information systems security; administration of IT contracts; IT project management; and strategic management of IT human capital.
During this reporting period, the Chairman appointed a full-time Chief Information Officer (CIO). The CIO reports to the Chairman. Also, under the direction of the CIO, the Office of Information Technology (OIT) continued making progress to correct weaknesses in its IRM controls and processes. Over the past six months, OIT:
- Published an Information Technology Strategic Plan, and finalized policy governing the introduction of new technology within the SEC;
- Drafted an Information Officers Council charter, developed IT investment approval thresholds, and began drafting IT investment selection criteria;
- Continued to certify and accredit the Commission's general support and financial information systems;
- Recommended closure of 15 audit recommendations based on actions taken to correct reported weaknesses in the areas of IRM planning and execution, network security, telecommunications security, disaster recovery, computer-related general controls, IT contract administration, and IT capital planning;
- Established a staffing plan to fill the significant number of personnel vacancies within OIT (over 30 unfilled positions); and
- Began mapping Federal IRM policies to the Commission's internal IRM policies, implementing procedures and processes to identify areas requiring management attention and improvement.
During this period, we issued an audit report on the follow-up of the Commission's IT capital investment decision-making process (Report No. 365). The audit showed that IT investment decision-making remains a "significant problem" for the Commission (see above). Audits of the Commission's controls over IT contractor billings and its enterprise architecture management framework and implementation plan are ongoing. We intend to continue our oversight of the Commission's progress in correcting the many weaknesses in its IRM business processes and management controls.
Access to Information
The Office of Inspector General has received access to all information required to carry out its activities. No reports to the Chairman, concerning refusal of such information, were made during the period.
Other Matters
AUDIT OF COMMISSION FINANCIAL STATEMENTS
Under the Accountability of Tax Dollars Act of 2002, the Commission is now required to prepare audited financial statements. The Office of Management and Budget has waived this requirement for fiscal years 2002 and 2003. The U.S. General Accounting Office is currently performing the initial financial audit of the Commission for fiscal year 2004. Our Office is evaluating how future audits will be performed.
EXECUTIVE COUNCIL ON INTEGRITY AND EFFICIENCY
The Office actively participates in the activities of the Executive Council on Integrity and Efficiency (ECIE). The Inspector General attends ECIE meetings, is an active member of its Financial Institutions Regulatory Committee, and serves as the ECIE member on the Integrity Committee (established by Executive Order No. 12993).
The Counsel to the Inspector General is an active member of the PCIE Council of Counsels. The Council considers legal issues relevant to the Inspector General community.
Questioned Costs
| DOLLAR VALUE (IN THOUSANDS) |
|||||
|---|---|---|---|---|---|
| NUMBER | UNSUPPORTED COSTS |
QUESTIONED COSTS |
|||
| A | For which no management decision has been made by the commencement of the reporting period | 0 | 0 | 0 | |
| B | Which were issued during the reporting period | 0 | 0 | 0 | |
| Subtotals (A+B) | 0 | 0 | 0 | ||
| C | For which a management decision was made during the reporting period | 0 | 0 | 0 | |
| (i) | Dollar value of disallowed costs | 0 | 0 | 0 | |
| (ii) | Dollar value of costs not disallowed | 0 | 0 | 0 | |
| D | For which no management decision has been made by the end of the period | 0 | 0 | 0 | |
| Reports for which no management decision was made within six months of issuance | 0 | 0 | 0 | ||
Recommendations That Funds Be Put To Better Use
| NUMBER | DOLLAR VALUE (IN THOUSANDS) |
|||
|---|---|---|---|---|
| A | For which no management decision has been made by the commencement of the reporting period | 0 | 0 | |
| B | Which were issued during the reporting period | 1 | 132 | |
| Subtotals (A+B) | 1 | 132 | ||
| C | For which a management decision was made during the period | 0 | 0 | |
| (i) | Dollar value of recommendations that were agreed to by management | 0 | 0 | |
| - | Based on proposed management action | 0 | 0 | |
| - | Based on proposed legislative action | 0 | 0 | |
| (ii) | Dollar value of recommendations that were not agreed to by management | 0 | 0 | |
| D | For which no management decision has been made by the end of the reporting period | 1 | 132 | |
| Reports for which no management decision was made within six months of issuance | 0 | 0 |
Reports with No Management Decisions
Management decisions have been made on all audit reports issued before the beginning of this reporting period (October 1, 2003).
Revised Management Decisions
No management decisions were revised during the period.
Agreement with Significant Management Decisions
The Office of Inspector General agrees with all significant management decisions regarding audit recommendations.
1 Based on criteria established under the Federal Managers Financial Integrity Act (FMFIA).
MANAGEMENT RESPONSE OF THE SECURITIES AND EXCHANGE COMMISSION ACCOMPANYING THE SEMIANNUAL REPORT OF THE INSPECTOR GENERAL FOR THE PERIOD OCTOBER 1, 2003 THROUGH MARCH 31, 2004
Introduction
The Semiannual Report of the Inspector General (IG) of the Securities and Exchange Commission (SEC) was submitted to the Chairman on April 30, 2004 as required by the Inspector General Act of 1978, as amended. The report has been reviewed by the Managing Executive for Operations, Executive Director, General Counsel, and Director of the Division of Enforcement. The management response is based on their views and consultation with the Chairman.
The management response is divided into four sections to reflect the specific requirements listed in Section 5(b) of the Inspector General Act of 1978, as amended.
Section I
Comments Keyed to Significant Sections of the IG Report
A. Audit Program
During the reporting period, the IG issued nine audit reports, five audit memoranda, and one investigative memorandum. Management generally concurred with the findings and recommendations in the IG's reports.
In addition to audits performed by the agency's IG, the General Accounting Office (GAO) actively reviewed program and administrative functions of the SEC. A complete listing of all GAO audit activity involving the SEC is attached as Appendix A.
B. Response to Significant Problems
No new significant problems were identified by the IG during this reporting period.
C. Response to Significant Problems Previously Identified
The IG's Semiannual Report discusses the following significant problems that were previously identified:
- Financial Management System Controls. The IG's Semiannual Report continues to identify the financial management exceptions reported in both the SEC's Federal Manager's Financial Integrity Act certification and a contractor's audit of Commission financial management system controls as a significant problem for the Commission. The SEC is addressing all of the audit recommendations as it completes preparation for fiscal 2004 audited financial statements. The recommendations to strengthen internal controls and financial reporting on sensitive and accountable property have been implemented. The SEC continues to implement a multi-year program to bring its information system security program into compliance with all relevant statutory and regulatory requirements. As part of the preparations for the financial statement audit, the general support systems and financial systems are being strengthened to meet the objectives of certification and accreditation in the fall of 2004. Finally, the SEC's Division of Enforcement has modified its case tracking system to integrate tracking and accounting for disgorgements and penalties arising from SEC enforcement cases. Program and financial management staffs currently continue to enter data into the new system. Additional data entry, modification, and testing of the system and management controls are planned in fiscal 2004.
- Information Resources Management. SEC management is continuing to improve its management of information resources. During this reporting period, we concluded a nationwide search for a new Chief Information Officer (CIO) and Director of Information Technology to oversee a comprehensive review of all of the agency's information technology efforts and lead the development of a comprehensive, multi-year IT strategic plan. This search concluded with our new CIO taking up his duties in January.
Under the new CIO, the Office of Information Technology (OIT) continues to make progress to strengthen IRM controls and processes. Among other things, OIT published an Information Technology Strategic Plan and finalized policy governing the introduction of new technology within the agency; developed IT investment approval thresholds; began drafting IT investment selection criteria; continued to strengthen the Commission's general support and financial systems to meet the objectives of certification and accreditation; and began an effort to ensure that the Commission's internal IRM policies address the criteria contained in federal laws and guidance such as the Clinger-Cohen Act, the Federal Information Security Management Act, Section 508 of the Rehabilitation Act, and Office of Management and Budget Circular A-130.
D. IG Recommendations Concerning Use of Funds
On November 17, 2003, the IG issued a report concerning the Commission's telephone card program. During the review, the IG found that the General Services Administration (GSA) had incorrectly billed the Commission approximately $132,000 for unused telephone lines. SEC management is following up with GSA on the appropriate resolution.
E. Reports with No Management Decisions
Management decisions have been made on all audits issued prior to the beginning of the reporting period (October 1, 2003).
F. Revised Management Decisions
No management decisions were revised during the reporting period.
SECTION II
Disallowed Costs
As of March 31, 2004
| Number | Dollar Value (in thousands) |
||
|---|---|---|---|
| A. | For which final action has not been taken by the commencement of the reporting period | 0 | $0 |
| B. | On which management decisions were made during the reporting period | 0 | $0 |
| (Subtotal A+B) | 0 | $0 | |
| C. | For which final action was taken during the reporting period | 0 | $0 |
| (i) Recovered by management | 0 | $0 | |
| (ii) Disallowed by management | 0 | $0 | |
| D. | For which no final action has been taken by the end of the reporting period | 0 | $0 |
SECTION III
Funds Put to Better Use
As of March 31, 2004
| Number | Dollar Value (in thousands) |
||
|---|---|---|---|
| A. | For which final action has not been taken by the commencement of the reporting period | 1 | $132 |
| B. | On which management decisions were made during the reporting period | 0 | $0 |
| C. | For which final action was taken during the reporting period | 0 | $0 |
| (i) Dollar value of recommendations that were agreed to by management | 0 | $0 | |
| (ii) Dollar value of recommendations that management has subsequently concluded should/could not be implemented or completed | 0 | $0 | |
| D. | For which no final action has been taken by the end of the reporting period | 1 | $132 |
SECTION IV
Open Audit Reports Over One Year Old
As of March 31, 2004
| Audit # | Audit Title | Issued | Funds Put to Better Use (in thousands) | Questioned Costs (in thousands) | Reason Final Action Not Taken |
|---|---|---|---|---|---|
| 220 | IRM Planning and implementation | 3/26/1996 | $0 | $0 | Policy development and Execution are continuing. However, the process has been slowed by a shortage of staff resources and an increased workload in the IT area. A plan has been developed to fill the significant number of vacancies in the SEC's Office of Information Technology. |
| 243 | SECOA Local Area Network | 3/21/1997 | $0 | $0 | As part of the preparations for audited financial statements, the SEC's systems are being strengthened to meet the objectives of certification and accreditation. |
| 250 | Enhancing Excellence-- Integrity Program | 1/22/1997 | $0 | $0 | Formal policies and procedures are being developed. |
| 257 | Client Server | 9/9/1997 | $0 | $0 | The IT Capital Planning Committee is considering changes to the capital planning process. |
| 298 | Commission Review of Periodic Reports | 2/23/2000 | $0 | $0 | Management is attempting to identify review goals that include areas such as quality and complexity of reviews in addition to number of reviews. |
| 309 | Telecom- munication Vulnerabilities |
3/31/2000 | $0 | $0 | A policy document is being developed. |
| 314 | Payroll Conversion | 9/22/2000 | $0 | $0 | A link is being established to the DOI web page. |
| 320 | General Computer Controls | 12/26/2000 | $0 | $0 | See explanation for audit #220. |
| 327 | General Computer Controls - Regions | 2/28/2001 | $0 | $0 | See explanation for audit #220. |
| 329 | GPRA Performance Reports | 3/20/2002 | $0 | $0 | The Commission is in the process of revising its GPRA Strategic Plan. |
| 330 | Real Property Leasing | 5/31/2001 | $0 | $0 | The leasing regulation is being updated. |
| 333 | Sensitive Information Follow-up | 3/8/2002 | $0 | $0 | Most of the recommendations have been implemented. Currently, efforts are underway to enhance orientation materials. |
| 337 | IT Project Management | 1/24/2002 | $0 | $0 | Implementation of the audit recommendations was delayed because of a shortage of IT staff. |
| 346 | Commission Oversight of NAFI | 3/7/2002 | $0 | $0 | Various alternatives are being explored to determine the most efficient approach to overseeing and structuring the SEC Recreation and Welfare Association. |
| 350 | Administration of IT Contracts | 8/28/2002 | $0 | $0 | See explanation for audit #220. |
| 351 | EDGAR Utility to Commission Staff | 1/15/2003 | $0 | $0 | Seven of the eight audit recommendations have been implemented. Action on the remaining recommendation-conduct a study-has been delayed due to limited resources and other priorities. |
| 353 | Regional Telecom- munication Security |
8/20/2002 | $0 | $0 | A policy document is being prepared. |
| 354 | Broker-dealer Risk Assessment Program | 8/13/2002 | $0 | $0 | A process has been developed to address the two remaining recommendations. Implementation will begin during the 3rd quarter, when increased staff resources become available through the arrival of new hires. |
| 357 | Purchase Cards | 11/25/2002 | $0 | $0 | The purchase card regulation is being updated. |
| 362 | Financial Management System Controls | 3/27/2003 | $0 | $0 | The recommendations are being addressed during the preparation for audited financial statements. |
| M14 | Contingency Testing | 3/15/1999 | $0 | $0 | See explanation for audit #220. |
| M22 | Rural Office Location Policy | 3/28/2002 | $0 | $0 | The SEC is complying with the Rural Development Act. A formal policy document is being finalized. |
| M27 | NRSI Password Management | 1/29/2003 | $0 | $0 | See explanation for audit #220. |
| M28 | Personnel Guidance | 3/20/2003 | $0 | $0 | A comprehensive set of more user friendly, easily accessible personnel policies is being developed for SEC staff. |
| G335 | Public Transportation Subsidy Program | 9/27/2001 | $0 | $0 | The Public Transportation Subsidy Regulation is being revised. |
APPENDIX A
General Accounting Office Audit Activity Involving the Securities and Exchange Commission
Reports Issued During the Reporting Period
1. Bank Tying: Additional Steps Needed to Ensure Effective Enforcement of Tying Prohibitions, GAO-04-3 (October 2003).
2. Community and Economic Development Loans: Securitization Faces Significant Barriers, GAO-04-21 (October 2003).
3. Farmer Mac: Some Progress Made, but Greater Attention to Risk Management, Mission, and Corporate Governance Is Needed, GAO-04-116 (October 2003).
4. Public Accounting Firms: Required Study on the Potential Effects of Mandatory Audit Firm Rotation, GAO-04-216 (November 2003).
5. Private Pensions: Publicly Available Reports Provide Useful But Limited Information on Plans' Financial Condition, GAO-04-395 (February 2004).
6. International Taxation: Information on Federal Contractors with Offshore Subsidiaries, GAO-04-293 (February 2004).
7. Mandatory Audit Firm Rotation Study: Study Questionnaires, Responses, and Summary of Respondents' Comments, GAO-04-217 (February 2004).
8. Private Pensions: Publicly Available Reports Provide Useful but Limited Information on Plans' Financial Condition, GAO-04-395 (March 2004).
9. SEC Operations: Oversight of Mutual Fund Industry Presents Management Challenges, GAO-04-584T (April 2004).
Audits in Progress as of March 31, 2004
1. Nasdaq and NYSE Listing Programs (250075). A review of Nasdaq and NYSE listing programs and the SEC's oversight of these programs.
2. Reference Rates for Defined Benefit Pension Plans (130140). A study of the reference rate that single-employer defined benefit pension plans must use, by law, to limit or set discount rates in ERISA minimum and full funding, lump sum, and PBGC variable rate premium calculations.
3. 4. Environmental Disclosures (360299). A review regarding disclosure of environmental information under the securities regulations.
5. Elder Insurance Assistance (250112). A study of the issues and problems that senior citizens are facing in the insurance marketplace as they try to manage their retirement assets and income. Of particular concern are the regulatory challenges created as financial institutions introduce new "hybrid" types of products into the marketplace that cross industry lines (e.g., products with insurance and securities features to them).
6. Business-Owned Life Insurance (250121). A review of life insurance purchased and owned by businesses, banks, or trusts. Specifically, a review of the uses of such policies, reporting requirements, and oversight, as well as alternative means of obtaining such policies' benefits.
7. Enterprise Architectures (310248). A government-wide review of agencies' progress with implementing enterprise architectures.
8. Financial Services Regulation Structure and Processes (250151). A review of the structure and processes-capital requirements, supervision, reliance on transparency, and market discipline-of financial services regulation in the United States.
9. SEC Operations II (250138). A review of the SEC's efforts to address issues raised in the GAO reports, Securities and Exchange Commission: Human Capital Challenges Require Management Attention (GAO-01-947) and SEC Operations: Increased Workload Creates Challenges (GAO-02-302).
10. Fannie Mae (194335). A review of Fannie Mae's financial statements and any related issues raised during Fannie Mae's financial audits, supervisory examinations, or other internal or Board-directed studies.
11. Follow-up on Potential Terrorist Attacks (250126). A review of the progress made by financial regulators and market participants in readying the U.S. markets to minimize damage and recover from terrorist attacks.
12. Proxy Voting and Fiduciary Obligations Under ERISA (130243). A study of proxy voting and fiduciary obligations under ERISA. GAO's objectives are to: (1) describe the fiduciary requirements relative to proxy voting under ERISA, (2) identify the DOL's actions to enforce these requirements, and (3) describe proxy voting practices that public and private sector pension plans have adopted to protect against fiduciary conflict of interests.
13. Terrorist Financing Investigations (440259). A review to determine how the May 2003 Memorandum of Agreement between the Department of Homeland Security and the Department of Justice regarding investigations of terrorist financing has impacted relevant law enforcement agencies and the financial community.
14. U.S. Coordination with International Organizations (320201). An assessment of how the U.S. government works with international organizations, counterparts in foreign governments, and the financial services industry to locate, freeze, and seize worldwide illegal financial assets.
15. Pricing of Loan Commitments (250177). A study to (1) determine how pricing on unfunded commitments compares to pricing on funded commitments; (2) collect and report publicly available data on the trading of credit facilities, and available comparisons of differences, if any, in internal and external reporting loan commitment prices; (3) determine what data is publicly available about the use of credit derivative instruments for hedging risks of unfunded loan commitments and what this indicates about loan commitment pricing; and (4) discuss steps taken by FASB to improve financial reporting for loan commitments.
16. Accounting Firms and Auditing Publicly-Traded Corporations (450283). A review of accounting firms that provide auditing services to publicly-traded corporations while also providing tax-related services, including possible tax shelter services, to those corporations, their directors, or their officers.
17. SEC Resources: Mutual Fund Oversight (250192). A review of SEC's resources to available to address mutual fund trading abuses.
18. Mutual Fund Inspections (250185). A review of the current mutual fund inspection process for gaps and the adequacy of resources devoted to fund examination.
19. Implementation of USA Patriot Act's Anti-money Laundering Provisions (250179). A review of (1) the status of implementation of sections 326 and 314, (2) the Treasury's and regulators' procedures for assessing compliance and enforcement, (3) plans to sustain efforts to educate the industry about the new regulations, and (4) extent to which regulators have revised examination guidance and applied it.
20. Career Appointments of Former Political Appointees (450274). A government-wide review of executive branch agencies and departments to assess career appointments of former political appointees.
21. Survey of Consumers' Financial Literacy (250186). A review of the state of consumer knowledge and awareness of credit reports, credit scores, and the dispute resolution process and methods of improving consumers' financial literacy.
22. WorldCom/MCI Debarment (120315). A review of GSA's debarment processes and associated regulations, and the source and timing of the factors that GSA used when considering whether to debar WorldCom/MCI.
23. SEC Budget Allocation (250189). An examination of SEC's (1) allocation of funding increases in its fiscal 2003 actual budget and fiscal 2004 planned appropriations, (2) process for distributing positions among its various program offices, (3) allocation of resources to information technology, and (4) status in developing an Office of Global Security Risk.
24. SEC Resources & Mutual Fund Abuses (250192). A review of the SEC's resources available to address mutual fund trading abuses. GAO will review recent resource and budget levels, how SEC determines resources needed to address mutual fund abuses, and challenges SEC faces in filling relevant positions and obtaining technology to help address mutual fund concerns.
25. FY 2004 Financial Statement Audit (198241). An audit of the SEC's fiscal year 2004 financial statements.