Survey of Reported Management Control Weaknesses
Sept. 9, 1996
Audit No. 252
This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
TO: Honorable Arthur Levitt, Chairman
SUBJECT: Survey of Reported Management Control Weaknesses
DATE: September 9, 1996
At your request, we surveyed the progress made this year in addressing the six management control weaknesses reported in your December 29, 1995 certification letter to the President and Congress. We conducted interviews and gathered documentation, but did not perform detailed testing.
Our survey results are described below. For each weakness, we describe corrective actions taken to date and corrective actions planned. Management estimates that by the end of calendar year (CY) 1996,¹ corrective actions for four weaknesses will be complete, while those for the other two will be in progress.
ADP Security: In Progress at the End of CY 1996
The Commission is receiving assistance from the National Security Agency in developing security policies and procedures. Management expects to issue guidance in phases, with summary guidance to be issued first, by year end. Detailed guidance will follow. The phase-in of detailed guidance will not be completed until after the end of calendar year 1996; the same is true of the implementation of an ADP security review program and the certification of automated systems.
EDGAR Disaster Recovery: Scheduled for Completion in CY 1996
The Commission has acquired computer equipment to maintain continuity of its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) operations in the event of a disaster. Management indicated that a contractor will install and test the equipment at headquarters by the end of this calendar year.
Transaction Fees: Scheduled for Completion in CY 1996
The Division of Market Regulation and the Office of Economic Analysis have submitted plans to assess the reasonableness of reported market values on which transaction fees are based; to monitor transaction reporting; and to assure that all brokers have reported transactions and remitted fees due. The Office of the Executive Director expects to review and approve the plans by the end of this calendar year. Also, a related computer interface problem is scheduled to be corrected by then.
Filing Fees: In Progress at the End of CY 1996
Improvements to many management controls over filing fees (including separation of duties and audit trails) have already been implemented. Additionally, a contract to develop a new filing fee automated system is scheduled to be awarded by the end of this calendar year, with the new system to be implemented in 1997.
Disgorgements: Scheduled for Completion in CY 1996
A contractor was issued a purchase order to provide the Office of the Comptroller and the Division of Enforcement with inquiry access to the Disgorgement Payments Tracking System (DPTS). The contractor is also enhancing the DPTS to provide the Comptroller's Office with needed information. In addition, the Office of the Secretary is making arrangements with the Division of Enforcement to provide the Office of the Secretary with information on settlements in a more uniform format. These corrective actions are scheduled to be completed by the end of this calendar year.
Access Restrictions: Scheduled for Completion in CY 1996
Action has already been taken to reduce unnecessary access to application program libraries, to improve password protection, and to monitor mainframe access rights. The only remaining corrective action is the issuance of ADP security guidance. Since security guidance is included as part of the material weakness "ADP Security" discussed above, the corrective actions relating to "Access Restrictions" can be reported as corrected.
¹ The due date for the 1996 certification letter.