Compliance Examination Deficiency Letter Process
Sept. 23, 2003
Audit No. 364
This document is an HTML formatted version of a printed document. The printed document may contain agency comments, charts, photographs, appendices, footnotes and page numbers which may not be reproduced in this electronic version. If you require a printed version of this document contact the United States Securities and Exchange Commission, Office of Inspector General, Mail Stop 11-7, 450 Fifth Street N.W., Washington, D.C. 20549 or call (202) 942-4460.
COMPLIANCE EXAMINATION DEFICIENCY LETTER PROCESS
Audit No. 364
Our audit of the Compliance Examination Deficiency Letter process found that it is generally functioning effectively and efficiently. For instance, most of the registrants that we interviewed or surveyed found deficiency letters clear and easy to understand, especially if an exit conference had been held.
We are making several recommendations that we believe will improve the process, including: disclosing common deficiencies routinely and systematically, improving the Office of Compliance Inspections and Examinations (OCIE) liaison oversight of the Broker-Dealer Program, clarifying the guidance to the staff concerning what actions to take when violations are unclear, and identifying certain areas where OCIE could enhance examination procedures. During the audit, we discussed several immaterial issues with senior management.
Commission management concurred with our recommendations. During the audit, they began to implement many of the recommendations.
SCOPE AND OBJECTIVES
Our audit objectives were to evaluate the effectiveness and efficiency of the Compliance Examination Deficiency Letter process.
During the audit, we interviewed and surveyed Commission staff and registrants. We also analyzed a judgment sample of one hundred deficiency letters (and the registrant's response) issued in fiscal year 2002, and other supporting documentation. We did not review the Compliance Examination Program's ZYIndex computer system1 because they are developing an intranet site that will include this information. Once the intranet site is completed, the future usefulness of ZYIndex will be evaluated.
The audit was performed from September 2002 to March 2003 in accordance with generally accepted government auditing standards.
The Office of Compliance Inspections and Examinations (OCIE) and the field offices administer the Compliance Examination Program. Of the approximately 700 staff in the Program, approximately 105 are in OCIE, with the remainder in the field offices. According to OCIE, in fiscal year 2002, the Examination staff performed 626 Broker-Dealer (BD), 138 Transfer Agent, 3 Clearing Agency, 32 Self-Regulatory Organization (SRO), 1,570 Investment Advisor (IA), and 278 Investment Company (IC) examinations.
An examination can have one of three possible outcomes, which are not mutually exclusive. The outcomes are:
- Issue a letter to the registrant indicating that no deficiencies2 were identified;
- Issue a deficiency letter to the registrant describing the deficiencies and requiring the registrant to implement appropriate corrective actions, and submitting a written response describing the actions; or
- Refer the deficiencies to the Enforcement Program or other regulator (e.g., a state regulatory agency, SRO).
The Compliance Examination Program issues a deficiency letter in approximately 91% of the examinations.
Among the requirements that apply to the deficiency letter process are conducting an exit conference before the deficiency letter is sent (unless it would be inappropriate) and using some standardized language. For instance, all deficiency letters must now state:
The above findings are based on the staff's examination and are not findings or conclusions of the Commission.
We found that deficiency letters issued after July 2002 (when the language for deficiency letters was most recently revised) generally contained the required standard language.
After each examination is completed, an examination report is prepared. The report includes background information on the registrant, particular risks involving the registrant, scope of the examination, deficiencies from prior examinations, work performed, and deficiencies found. The deficiency letter is based on the examination report.
The staff examiner typically drafts the deficiency letter and the branch chief and other supervisors (e.g., the Assistant District Administrator) review the letter.3 Examination staff discuss novel, complex, etc. issues that are identified during the examination process with either the Divisions of Investment Management or Market Regulation.
The goal is to provide the registrant with a deficiency letter within 90 days of completing the fieldwork. The registrant is supposed to respond within 30 days. During our audit, we found that the 90 and 30 day goals were generally achieved.
If the registrant agrees to implement appropriate corrective actions, the examination is closed. The corrective actions and their implementation are typically reviewed during the registrant's next examination. If the registrant does not agree to implement adequate corrective actions, the Examination staff will typically attempt to resolve the disagreement either by issuing a second deficiency letter (e.g., clarifying the staff's position), having a telephone conference call or a meeting with the registrant, or referring the matter to the Enforcement Program.
We found that the Compliance Examination Deficiency Letter process is generally functioning effectively and efficiently. However, we are making several recommendations that we believe will improve the process, as discussed below.
DISCLOSING COMMON DEFICIENCIES
During the year, the Examination Program conveys to registrants (e.g., through SEC Speaks and other conferences) its current areas of focus (e.g., Disaster Contingency Planning, Regulation S-P, Money Laundering). However, the Examination Program does not routinely and systematically disclose the common types of deficiencies found at registrants for these focus areas.
According to several examiners, staff and senior management disclose this type of information in speeches. Also, the SRO's and securities industry associations occasionally provide this information to their members.
We found that common types of deficiencies exist. For instance, in our sample of deficiency letters involving IA Examinations (56 such examinations), the Examination staff identified approximately 18 (32%) instances of the registrant not having written procedures regarding Disaster Contingency Planning.
We believe that routinely and systematically providing registrants with information on common deficiencies found at other registrants would enhance compliance. For instance, registrants could improve their operations before the staff conducts the examination. In addition, registrants who are not examined
would be able to improve their operations. Improved operations help to protect investors. According to the registrants we interviewed and surveyed, most believed that this information would be beneficial.
OCIE, in consultation with the field offices, should routinely and systematically disclose common deficiencies found at registrants.
Recently at an IA conference, the Director of OCIE discussed some of the current common deficiencies. In May 2000, OCIE issued (and posted on the Commission's web site) an open letter to the Investment Adviser community describing the common deficiencies found in examinations. We believe that this document is an excellent example of the spirit and intent of our recommendation.
IMPROVING OCIE LIAISON OVERSIGHT
The IA/IC and the BD programs in each field office are assigned a liaison in OCIE. The liaisons provide oversight (among other responsibilities) of the Examination Program. For instance, they receive a copy of examination reports and deficiency letters, and review them for quality. However, they do not necessarily receive the registrant's response to the deficiency letter. We found that the IA/IC examiners generally instruct the registrant in the deficiency letter to send a copy of their response to the OCIE liaison, while the BD examiners generally do not.
OCIE liaison review of the registrant's response could identify potential inconsistencies in the Examination Program, an improper interpretation of a rule, or other issues. For example, a registrant's disagreement with a deficiency could indicate that the staff is improperly interpreting a rule. In our sample of 100 deficiency letters, approximately 28% of the registrants disagreed with at least one of the deficiencies. However, many of these registrants agreed to implement corrective actions anyway.
OCIE, in consultation with the field offices, should have BD examiners instruct registrants (in the deficiency letter) to send a copy of their response to the applicable OCIE liaison.
During the audit, OCIE began to implement this recommendation.
In July 2002, OCIE issued guidance to the Examination staff that stated, in part:
We think it is appropriate to say that we found a deficiency of a specific section(s) of the law or rule(s) thereunder when we feel fairly certain that a deficiency has occurred. If (sic) is not clear that a deficiency has occurred, we can still use words such as "appears" or "may have" violated.4
According to OCIE management, examiners should be proactive and mention control weaknesses that could lead to violations even if a violation has not yet occurred. Similarly, OCIE management believes examiners should mention high-risk situations even if the evidence of a violation is inconclusive. This type of proactive and preventive action is an integral part of the Commission's Compliance Examination Program.
We found that approximately 12% of the deficiency letters in our sample (issued after July 2002) contained language such as "appears" or "may have" violated. In some of these instances, the registrant disagreed with the deficiency, although they may have agreed to implement appropriate corrective actions anyway. It is not clear whether the use of "appears" or "may have" violated contributed to the registrant disagreeing with the deficiency. After reviewing the registrant's response, the Examination staff generally believed that a deficiency still existed. OCIE management indicated that it believes that many registrants disagree with a finding to avoid making an admission of wrongdoing. The Examination staff does not challenge these statements provided that the registrant takes prompt and effective corrective actions.
OCIE, in consultation with the field offices, should take steps to ensure that examiners fully utilize the exit conference and other available examination procedures to attempt to resolve any doubts about whether a violation has occurred before stating that a violation "appears" or "may have" occurred.
OCIE should modify the brochure delivered to registrants at the beginning of every examination to explain the exit conference process including that the registrant will have an opportunity to discuss any finding that the staff intends to make.
PROVIDING ADDITIONAL INFORMATION
Based on our sample of one hundred deficiency letters and our interviews and surveys of Commission staff and registrants, we found that certain procedures should be considered. These include:
- Most of the registrants requested that they receive some notice from the Examination staff that their response to the deficiency letter was acceptable. Currently, if they do not hear from the staff for a few months, they assume that the response was acceptable. During the audit, OCIE began to implement a method to provide registrants with notification.
- We found that only approximately 18% of the deficiency letters informed the registrant that information regarding IA/IC or BD regulation could be found on the Commission's web site. OCIE should consider additional methods to notify registrants of the web site.
OCIE, in consultation with the field offices and the Office of Investor Education and Assistance, should consider the above issues.
1 ZYIndex is a searchable database of previous examination reports and deficiency letters. The database helps to ensure consistency throughout the Program.
2 Deficiencies refer to either violations of laws or rules, or internal control weaknesses.
3 Based on our staff interviews and surveys, it appears that review comments are generally substantive and adequately communicated.
4 Prior to July 2002, some staff used words like "appears" and "may have" violated because they believed that only the Commission or a judge could state that a deficiency has occurred.