U.S. Securities & Exchange Commission
SEC Seal
Home | Previous Page
U.S. Securities and Exchange Commission

Speech by SEC Staff:
The Importance of Strong Internal Controls
in a Changing World

Remarks by

Lori Richards

Director, Office of Compliance Inspections and Examinations
U.S. Securities & Exchange Commission

American Institute of Certified Public Accountants/
Securities Industry Association
National Conference on the Securities Industry
New York, New York

November 14, 2000

The Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any private publication or statement by any of its employees. The views expressed herein are those of Ms. Richards and do not necessarily reflect the views of the Commission, the Commissioners, or other members of the Commission's staff.

I. Introduction

Thank you. It's a pleasure to be here. The topics on your agenda today couldn't be timelier – from the impact of financial modernization post-Gramm-Leach-Bliley to T + 1 to credit risk management to ECNs and the Internet, it's clear to me that our industry is more dynamic than ever.

In my opinion, the securities industry has never seen such rapid change. Much of this change is being spurred by competition, which itself is being spurred by the investments in our markets made by millions of American investors. Financial services firms are all competing aggressively to meet the needs of their customers, and are anticipating the needs of future customers, by developing new and innovative products and services, and by using technology as a new tool to help clients invest in the markets. And, this competition is driving firms to combine to leverage their strengths in numbers and in combinations as never before.

The competitive environment for stock trading is also undergoing dramatic change. We're seeing new alliances, innovative trading systems, and sophisticated trading technologies announced routinely now. Over one-third of all trades in Nasdaq securities now occur on ECNs, and ECNs have recently begun to trade NYSE-listed securities. New firms are applying to become exchanges and self-regulatory organizations (SROs). In addition, competition has spurred the NYSE and Nasdaq to consider changing from private member organizations to for-profit companies controlled by shareholders.

The environment for trading listed options has also undergone dramatic change. Last year, options exchanges began to multiply-list many options classes. That, coupled with the Commission's approval of the International Stock Exchange, the first fully-electronic options exchange and newest self-regulatory organization, has created a very competitive environment between market centers for the trading of listed options.

I would submit to you that in this new and dynamic environment, we need to ensure that our attention to the fundamentals remain steady. That is, we need to ensure that compliance efforts and internal controls remain strong, even under the stress and strain of growth and competitive pressures. I want to talk with you today about the importance of strong internal controls in a changing world.

This issue is of critical importance to me, as a regulator, and to you, as members of the brokerage and accounting communities. The damage that can be caused by a single uncontrolled trader, the long-term losses that can be produced by a poorly supervised sales campaign, the business impact of accounting systems that fail, should all be on your short list of critical concerns. Indeed in many ways, you who are responsible for broker-dealers' risk management procedures and practices, and who ensure sound and careful financial controls, take on added responsibility in this period of growth and change.

But you know, the SEC too has an obligation to ensure that our oversight keeps pace with change in the industry. I want to talk with you today about how we at the SEC approach examination oversight of broker-dealers in this period of growth and change, and about your role in this dynamic period. Before I talk with you about the future, though, I'd like to review with you some of the history of where we've been. In looking ahead, I always think its helpful to know where we've come from.

II. The Development of the Securities Regulatory System

Let me give you a brief background on the development of the securities industry's regulatory structure.

Self-regulation has always been a cornerstone in the securities industry. Indeed, the fundamental principle of self-discipline predates the securities laws. At its most basic level, compliance is the manner in which all firms police themselves to make sure that they are meeting their fiduciary and other duties. One of the first judicial doctrines to arise under the federal securities laws is called the "Shingle Theory." It first appeared in 1939. It is founded on the principle that if you hold yourself out to the public as offering to do business, you are implicitly representing that you will do so in a fair and honest manner. You will not take customer funds and securities when you are facing insolvency. You will not take orders when you cannot handle them. You will not take advantage of your customers' ignorance of market conditions.

Even before the securities laws were adopted, firms had already banded together to create another layer of self-regulation – stock exchanges. By 1934, each of the stock exchanges had a constitution and bylaws, which prescribed collective rules for the admission, discipline, and expulsion of stock exchange members. These rules were regarded as a contract between the organization and the member. Very early on, the NYSE had implemented a substantial system of self-regulation: it was governed by a committee that appointed other committees to carry out the business of regulating the activities of its members.

The crash of 1929 created a demand for federal intervention to regulate the markets and thereby restore public confidence in them. The proper relationship between the exchanges and a new federal regulatory agency was the subject of many weeks of intense hearings before the congressional committees drafting the legislation that came to be known as the Securities Exchange Act of 1934. Many blamed the stock market crash of 1929 and the resulting economic depression on the members of the stock exchanges. As a result, Congress required the exchanges' separate regulatory regimes to be integrated into a new regulatory framework, under which there would be federal oversight of the self-regulatory system.

The Securities Exchange Act of 1934 created the SEC and codified the existing self-regulatory system for broker-dealers, and gave the SEC oversight responsibility for the SROs. The drafters of the Exchange Act also recognized that broker-dealers must not conduct their business on a "shoestring" and must have adequate capital in order to conduct business, as a protection for their customers.

In 1964, Congress amended the Exchange Act to codify broker-dealers' duty of supervision. This important duty has since been extended to investment advisers and to transfer agents. Under this duty, a securities firm must have effective supervisory procedures, and a working system for applying the procedures. It must also respond to any red flags demonstrating potential problems. Otherwise, if a supervised person takes advantage of the lax supervision to commit a violation, the firm will be subject to discipline by the SEC.

One of the primary reasons for adopting the self-regulatory structure was that individual firms and SROs are better able to respond to problems than a government agency. Compliance within a firm, and self-regulation within an industry, the logic goes, is closer to the action, more flexible, and supported by professionals who are more knowledgeable about the intricacies of the marketplace. This results in a more precise regulatory function.

Involving the industry in the regulatory process may be more effective than direct regulation. As former SEC Chairman William O. Douglas said, "self-discipline is always more welcome than discipline imposed from above." He summarized the benefits of self-regulation in an address before the Bond Club of Hartford in 1938 as follows:

From the broad public viewpoint, such regulation can be far more effective [than direct regulation]…self-regulation…can be persuasive and subtle in its conditioning influence over business practices and business morality. By and large, government can operate satisfactorily only by proscription. That leaves untouched large areas of conduct and activity; some of it susceptible of government regulation but in fact too minute for satisfactory control; some of it lying beyond the periphery of the law in the realm of ethics and morality. Into these large areas self-government, and self-government alone, can effectively reach. For these reasons, self-regulation is by far the preferable course from all viewpoints.

The ability of individual firms and SROs to develop ethical standards that go beyond those which can be imposed by law is an important benefit of self-regulation in the securities industry.

III. The SEC's Examination Approach in a Changing Environment

It is clear that our securities framework is premised on the concept that broker-dealers have a first line duty to ensure that they are self-policing their own activities. And in this, the securities industry has done an admirable job – in no other area of commercial activity that I know of is compliance and internal controls so integral and so embedded a part of the business. Why is this true?

I believe that the broker-dealer community fully recognizes that the key to success is investor confidence, and that long term, investor confidence is won by firms who ensure that investors' interests come first, and take precedence over all else. Many firms have recognized this and have taken steps to invest in and build the infrastructure to ensure that risks are monitored and measured, and that internal controls are vigorous and broad. Many firms have invested in good people, new technology and new ideas, and we at the SEC applaud these firms for taking steps to strengthen their infrastructure. But we want to encourage all firms to do so, and we also want to ensure that our examinations reflect the fact that many firms are making significant improvements in their internal controls infrastructure. How do we do this? How do we encourage the growth and development of sound controls outside of the rulemaking process, and at the same time, acknowledge the efforts of the firms that have particularly sound controls?

In our examinations of broker-dealers, we're placing greater reliance on firms' own internal compliance and control systems. This is a result of our effort to shift away from comprehensive, top-to-bottom examinations. We feel that the government's limited resources are best spent focusing on areas where there are greater risks of violations, abuses, or systemic problems. No government regulator can be everywhere at once, or should even try to be, given the size of markets we regulate. We call these more focused examinations "smart" or "risk-based" exams.

For this approach to work, our examiners need to develop some confidence in your internal compliance systems. To do so, we must understand what these systems are and how they work. Because one-size does not fit all, this means that we will spend time in each examination talking with you about how your firm's particular control and compliance systems work. We also review reports and other output, such as checklists, exception reports and management reports.

Our goal in the risk-based review is to answer several interrelated questions.

  • Is a system of internal controls in place and operating?  A compliance or procedures manual gathering dust on a bookshelf will not serve anyone's interests.

  • Is the system working as designed?  No matter how good your formal system may be, you should expect informal systems to spring up around it. Many of these ad hoc methods are harmless. In fact, when you find them, some may be improvements over the formal system. In other instances, however, employees may circumvent important procedures in the interest of getting their work done more quickly or more easily.

  • Are exceptions and problems identified and resolved promptly?  Of course, this is of critical importance. Once a potential problem is identified, prompt and effective resolution is the essence of compliance.

  • Is the system of controls reviewed periodically?  Mergers, acquisitions, reorganizations, new staff and other changes necessitate that controls be frequently reviewed for continued effectiveness.

In addition to these global issues, we also ask some more detailed questions that may give us additional assurance that your firm's internal control systems are effective. Among other things, we ask:

  • Are your procedures in writing and made available to all appropriate personnel? 

  • Are all appropriate staff trained in implementing the procedures? 

  • Are remedial actions fully documented?  If our examiners cannot determine how a problem was corrected, they will wonder how your management is doing so.
If our examiners determine that they can take some comfort from your in-house preventative systems, they may decide to limit their detailed testing of source documents and accounting records. Of course, you should also understand that examiners will continue to request many of the standard books and records, both to test check the implementation of your controls and to focus on particular areas where those controls appear to be weak. The auditors in the audience will be very familiar with the necessity for test-checking.

In addition to conducting more risk-based examinations, we're also continuing our focus on reviewing firms' internal controls and risk management systems. As you may know, the SEC along with the NYSE and the NASDR issued a joint statement in July 1999 outlining our approach to these examinations and listing some examples of sound control practices, and some of the weak controls we saw as well. We believe that focusing on internal controls over trading, credit, liquidity and internal audit is appropriate for large organizations where we couldn't possibly review every aspect of their business. We want to have assurance that the firm has sound controls such that we can have confidence in its systems between examinations. We look for active oversight of risk parameters by senior management; we look at internal audit and funding, liquidity and credit controls. And we look at physical security and operations. We expect that this type of examination will become an increasingly important part of our oversight program. For those of you who work for bank-affiliated broker-dealers, you'll recognize that this approach is very similar to that used by bank regulators.

For those of you who have experienced it, you know that this type of review requires firms to communicate openly with examiners about the systems you have developed to manage and measure risk. We expect to have a candid dialogue with you, so that we can really understand your approach to risk monitoring. This approach requires some time and thoughtfulness on both our parts. On your part, it requires that you ensure that we are discussing your internal control systems with firm employees who are intimately familiar with those systems and are comfortable discussing how they work. On our part, it requires that we be sensitive to the fact that firms are providing us with access to confidential and business-sensitive information, and as a result, that we be very discriminating in our requests for information. In this regard, you should know that our examinations are non-public and that we do not publicly-release information we obtain during the examination process.

One question that some firms have had in these internal controls examinations is what about examiners' access to internal audits? I know that you would agree that internal audit is a critical aspect of a strong system of internal controls. But we recognize that registrants are sensitive about these reports, and we want to encourage a strong internal audit function, not chill the process of self-audit. So given that, we try to be very judicious in our requests. In some circumstances, such as an examination of a firm's overall internal controls, reviewing a sample of internal audit reports is essential.

A third area of SEC examination oversight that bears mention is with respect to net capital and customer reserve. We are redoubling our attention during examinations to reviewing compliance with net capital and customer reserve rules. I believe that these are "bread and butter" requirements for all firms, and are among the most important investor protections we have. You may have noticed that the SEC (and the SROs) have brought enforcement actions recently against broker-dealers for net capital and customer reserve violations – this reflects the fact that we view these rules as critical to a firm's ability to do business with investors, and we will not hesitate to bring enforcement action in appropriate cases.

Please know that we recognize that compliance and risk management controls do not come without cost. Quality assurance isn't cheap. Yet, I think we all want high quality planes and cars and tires. Similarly, investors want high quality financial products. By preventing problems, or stopping them before they get big enough to cause serious damage, compliance and internal controls should pay for themselves. They protect investors, and the firm. They make good business sense.

Let's explore this a little more, and how this idea plays out in this time of dynamic change. When your firms compete for customer business – whether retail or institutional, trading, underwriting or banking, you are competing on the basis of the quality of your product. As markets evolve with greater and greater transparency, your customers will be more and more knowledgeable and more and more demanding. Those firms who do business in this new environment are competing for the business of these customers. You must compete on the basis of yes, your product, your trading ability, your advice, and your return, but just as importantly, you must also show your customers and your clients that you are protecting their interests with a vigilant self-discipline. Aggressive advertising and performance claims may attract the initial notice of potential customers, but long-term, to remain your customers, they need to have confidence that their interests come first. They need to have confidence that your compliance controls will ensure that they are treated fairly. They need to have confidence that your internal controls will ensure that you will be solvent, and have the financial wherewithal to keep the promises you make.

As accounting officers for your firms, you play an important role in this. You help ensure that your firms have adequate internal controls, that they properly supervise employees, and that problems are detected and corrected promptly and fairly. You play a key role in the success of your firm because firms that fail to exercise rigorous self-discipline risk losing their customers' trust and their business. They risk financial failure, lawsuits, and reputational harm. Again, good compliance and internal controls are good, prudent business.

As you can see, as a regulator, I also have a part in this. We carefully scrutinize securities firms' compliance systems and internal controls. In recent years we have enhanced our focus on this area. Our examinations are increasingly risk-based. We want to spend our time looking where we think your controls may be lax. Our goal is not to "get you." Our goal is to bolster your efforts. We want to validate the important role you play. We want to make sure that when you recommend enhanced internal controls, or enhanced measures to reduce the risk of liability and loss from poorly supervised employees, the SEC stands behind you in the boardroom.

IV. Conclusion

In conclusion, this industry has come a long way since 1934, but it is premised on, and has thrived on self-regulation and discipline. Vigilant self-discipline can and will increase the competitiveness and further the business interests of competing firms in today's world too. I believe that the investing public will migrate to those firms that inspire trust and confidence. And the best way to inspire trust and confidence is by ensuring strong and steadfast internal controls.