SECURITIES AND EXCHANGE COMMISSION

Updating Assessments of Staff Procedures Could Improve Key Agency Operations

Congressional Committees

March 2026

GAO-26-107823

United States Government Accountability Office

A report to congressional committees

For more information, contact: Michael Clements at clementsm@gao.gov.

What GAO Found

Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs the Securities and Exchange Commission (SEC) to annually assess and report on (1) internal supervisory controls to oversee the work SEC staff perform and (2) procedures staff must follow in performing examinations, investigations, and securities filing reviews. Effective supervisory controls and staff procedures help ensure that SEC’s Divisions of Corporation Finance, Enforcement, and Examinations, and Office of Credit Ratings conduct their work with competence and integrity.

GAO determined that SEC’s framework for assessing the effectiveness of internal supervisory controls aligned with federal internal control standards. GAO also found that in fiscal year 2024, SEC’s three divisions and one office implemented processes generally consistent with this framework.

However, GAO identified needed improvements:

·         The Division of Enforcement did not always apply specific, measurable testing standards to evaluate whether controls were operating effectively. Using such standards would reduce the need for evaluators to use professional judgment to interpret ambiguous evidence, enabling them to draw clearer and more objective conclusions.

·         The Division of Corporation Finance did not have documented controls for supervisors to verify how staff conducted filing reviews. Instead, supervisors used undocumented oversight protocols. Establishing and using documented supervisory controls is important for ensuring consistent application of guidance and improving the quality of information available to investors.

GAO found that the divisions’ and office’s assessments of staff procedures generally were consistent with applicable SEC guidance. However, the Division of Enforcement and the Office of Credit Ratings did not document several assessment steps in their plans, as SEC guidance recommends. Doing so would help communicate responsibility for the assessment and retain organizational knowledge.

SEC’s section 961 Working Group—a staff-level coordination group for section 961 compliance—updated its guidance to encourage the divisions and office to adopt a framework for monitoring and revising staff procedures and to evaluate that framework. Adopting and evaluating such frameworks would help the divisions and office better identify and revise ineffective staff procedures.

As encouraged by the 961 Working Group, the Division of Examinations performed an evaluation for the fiscal year 2024 assessment, but the other divisions and office did not. As a result, they missed opportunities to help ensure that SEC carries out its examinations, investigations, and filing reviews consistently.

Why GAO Did This Study

Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act contains a provision for GAO to report on SEC's internal supervisory control structure and staff procedures at least every 3 years.

Among its objectives, this report examines the extent to which SEC in fiscal year 2024 (1) assessed the design and operating effectiveness of its internal supervisory controls, and (2) assessed the effectiveness of its staff procedures.

GAO analyzed SEC’s policies and guidance for conducting section 961 assessments and developing and monitoring staff procedures, reviewed records supporting the fiscal year 2024 assessment processes, and interviewed SEC officials.

What GAO Recommends

GAO is making six recommendations to SEC, including to improve testing of controls, require documented supervisory controls to verify how staff conduct filing reviews, and update staff procedure assessment plans to reflect the latest guidance of the SEC working group. SEC agreed with the recommendations and plans to implement them.

 

 

 

Abbreviations
Dodd-Frank Act		Dodd-Frank Wall Street Reform and Consumer Protection Act
OCC-Compliance		Office of the Chief Counsel-Compliance
OCR		Office of Credit Ratings
OIG		Office of Inspector General
SEC		Securities and Exchange Commission

 

March 27, 2026

The Honorable Tim Scott
Chairman
The Honorable Elizabeth Warren
Ranking Member
Committee on Banking, Housing, and Urban Affairs
United States Senate

The Honorable French Hill
Chairman
The Honorable Maxine Waters
Ranking Member
Committee on Financial Services
House of Representatives

The Securities and Exchange Commission (SEC) views risk management and internal controls as integral to its mission of protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation. Internal control comprises the plans, methods, and procedures used to meet an agency’s mission, goals, and objectives. SEC maintains internal controls to help staff effectively manage its operations and financial resources and achieve its objectives.

Section 961 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) directs SEC to annually report to Congress on the conduct of SEC’s examinations, investigations, and securities filing reviews.[1] The report must contain an assessment of the effectiveness of (1) SEC’s internal supervisory controls and (2) staff procedures (those applicable to SEC staff who perform examinations of registered entities, enforcement investigations, and reviews of corporate financial securities filings).[2]

Effective staff procedures and internal supervisory controls help ensure that SEC meets the section 961 objectives of consistently conducting examinations, investigations, and reviews with professional competence and integrity.[3] The activities covered in section 961 fall within the purview of the Division of Corporation Finance, Division of Enforcement, Division of Examinations, and Office of Credit Ratings (OCR)—to which we refer collectively as the divisions and office.[4]

Section 961 includes a provision for GAO to review SEC’s internal supervisory control structure and staff procedures and report to Congress at least every 3 years.[5] We most recently reported that as of fiscal year 2021, SEC’s internal supervisory control framework generally was consistent with the monitoring component of federal internal control standards.[6] We also found the divisions and office had developed and implemented written plans to assess the effectiveness of staff procedures, but that the plans lacked key assessment steps. Our recommendations included that SEC provide guidance for using program data to help assess the effectiveness of staff procedures and for periodic and comprehensive reviews of program manuals. SEC implemented these recommendations in 2023.

In this report, we examine the extent to which the SEC divisions and office (1) assessed the design and operating effectiveness of their internal supervisory controls for the fiscal year 2024 section 961 report, (2) assessed the effectiveness of their staff procedures for the 2024 report, and (3) established activities to monitor and, as needed, revise staff procedures that are consistent with federal internal control standards.

For our first objective, we reviewed SEC’s framework for assessing internal supervisory controls, which includes the section 961 Working Group’s Reference Guide for Compliance with Section 961 of the Dodd-Frank Act and the Office of the Chief Operating Officer’s Risk Management and Internal Control Review Reference Guide.[7] We evaluated the extent to which this framework was consistent with the monitoring component of internal control and with the underlying principles that management should perform monitoring activities and elevate issues and remediate deficiencies.[8]

We also evaluated the extent to which the divisions and office implemented the framework to assess their internal supervisory controls in fiscal year 2024. We reviewed SEC’s section 961 report to Congress for fiscal year 2024. For each division and office, we obtained documentation of internal supervisory controls, as well as internal memorandums, testing sheets, and other records documenting the scope of its assessment, the work performed, and the conclusions reached about control effectiveness. We then used this documentation to evaluate how each division and office assessed the design and operation of its controls, documented the assessment results, and collected evidence to support the conclusions.

For our second objective, we evaluated the extent to which the divisions’ and office’s plans for assessing the effectiveness of staff procedures were consistent with applicable SEC guidance, including the 961 reference guide. We reviewed the divisions’ and office’s program manuals, performance metrics, and other program-related materials to evaluate the plans’ approaches for assessing staff procedures. To evaluate the extent to which the divisions and office followed their plans, documented their assessments, and supported their conclusions, we obtained and reviewed internal memorandums on the section 961 assessments and other records that the divisions and office used to document their fiscal year 2024 assessment of staff procedure effectiveness.

For our third objective, we reviewed documents about the divisions’ and office’s activities for monitoring and, as needed, revising staff procedures. These included program manuals, internal guidance websites, and other program-related materials. We evaluated the extent to which these activities were consistent with federal internal control standards, focusing on four components: control environment, risk assessment, control activities, and monitoring—and four principles associated with these components.

For all three objectives, we interviewed SEC staff from the divisions and office, as well as the chairperson and other members of SEC’s section 961 Working Group.

We conducted this performance audit from September 2024 to March 2026 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

SEC is the primary regulator of the U.S. securities markets and is responsible for protecting investors; maintaining fair, orderly, and efficient markets; and facilitating capital formation. To fulfill this mission, SEC requires public companies to disclose meaningful financial and other information to the public, examines firms it regulates, and investigates potential violations of the federal securities laws. SEC is organized into six divisions and 25 offices.

Section 961 of the Dodd-Frank Act

The Dodd-Frank Act was enacted to promote U.S. financial stability by improving accountability and transparency in the financial system and protecting consumers from abusive financial services practices. To help detect and prevent securities misconduct, section 961 of the Dodd-Frank Act promotes complete and consistent performance of SEC staff examinations, investigations and reviews, and appropriate supervision of these activities through internal supervisory controls.[9]

As of 2025, SEC had submitted 14 annual reports to Congress under section 961, all of which stated that both its internal supervisory controls and its staff procedures were effective for the period under review. In addition, all the reports stated that no significant deficiencies in internal supervisory controls had been identified.

As discussed previously, three divisions and one office are subject to section 961 of the Dodd-Frank Act (see table 1). These entities share information and coordinate compliance processes through the 961 Working Group, which includes one or more representatives from each division and office, as well as from the Office of the Chief Risk Officer. The 961 Working Group is responsible for establishing a common understanding and consistent approach to compliance and developing and updating guidance on implementing section 961.

SEC division or office	Roles and responsibilities
Division of Examinations	Administers a nationwide examination and inspection program for registered entities (including self-regulatory organizations, broker-dealers, transfer agents, clearing agencies, and investment companies and advisers) to improve compliance, prevent fraud, monitor risk, and inform policy.
Division of Enforcement	Conducts investigations of potential violations of federal securities laws, including the conduct of registered entities (such as broker-dealers and investment advisers) and unregistered entities (such as those offering unregistered and fraudulent securities); recommends, when appropriate, that SEC bring enforcement actions (in a federal court or in an administrative proceeding before an administrative law judge); litigates these actions; negotiates settlements on behalf of SEC; and works with criminal law enforcement agencies when warranted.
Division of Corporation Finance	Reviews corporate disclosures, assists companies in interpreting SEC’s disclosure rules, and recommends new rules for adoption.
Office of Credit Ratings	Conducts examinations of nationally recognized statistical rating organizations, which are SEC-registered credit rating agencies.

Dodd-Frank Act = Dodd-Frank Wall Street Reform and Consumer Protection Act; SEC = Securities and Exchange Commission

Source: SEC.  |  GAO‑26‑107823

In response to section 961 of the Dodd-Frank Act, the 961 Working Group established a framework that provides guidance for staff responsible for assessing the effectiveness of internal supervisory controls. SEC’s framework consists of three phases—risk assessment, internal supervisory control testing, and communication of results. It draws on external sources, such as federal internal control standards, and internal documents. These include the 961 Working Group’s charter and Reference Guide for Compliance with Section 961 of the Dodd-Frank Act and the Office of the Chief Operating Officer’s Risk Management and Internal Control Review Reference Guide.

Federal Internal Control and Financial Management Standards

Standards for Internal Control in the Federal Government provides the overall framework for establishing and maintaining internal control in federal agencies.[10] Agency management is responsible for adapting the framework. An agency may use the standards to organize its development and implementation of internal controls through policies and procedures throughout the agency or at an office level.

Five interrelated components and associated principles establish requirements for developing and maintaining an effective internal control system: (1) control environment, (2) risk assessment, (3) control activities, (4) information and communication, and (5) monitoring. To be effective, an agency’s internal control system must incorporate the five components in an integrated manner throughout its operations and on an ongoing basis. Once in place, internal control provides reasonable, not absolute, assurance of meeting agency objectives.

When evaluating the design of internal control, management determines if controls individually and in combination are capable of achieving an objective and addressing related risks. To the extent a control does not fully achieve an objective or address related risks, it is deficient. Such deficiencies may be associated with a control’s design, implementation, or operation.

In addition to section 961 requirements, SEC must establish and maintain effective internal control and financial management systems that meet the objectives of the Federal Managers’ Financial Integrity Act of 1982.[11] The act requires agencies to annually assess and report on internal controls that protect the integrity of their programs and on whether financial management systems conform to related requirements.[12]

SEC’s internal controls for financial management systems are reported in its annual financial audit, but we do not include them in this report because SEC does not consider them internal supervisory controls.[13] Nonetheless, all of SEC’s internal controls—including internal supervisory controls—fall within the scope of the Federal Managers’ Financial Integrity Act of 1982.

SEC Assessed Internal Supervisory Controls, but Two Divisions Could Strengthen Their Approach

SEC’s Framework for Assessing Internal Supervisory Controls Was Consistent with Applicable Standards

SEC’s framework for assessing the effectiveness of internal supervisory controls, which includes the 961 reference and risk management guides, was consistent with the monitoring component of federal internal control standards and the underlying principles that management perform monitoring activities, evaluate issues, and remediate deficiencies.[14] The framework included guidance on identifying changes to risks or controls, evaluating control design and operation, identifying and documenting deficiencies, and taking corrective action to remediate deficiencies. Figure 1 depicts SEC’s process for annual internal supervisory control assessments, as described in relevant guidance.

Since our last review (which focused on fiscal year 2021), the 961 Working Group revised its reference guide in September 2024 to add a provision that defined the objective of section 961 assessments and potentially reduced their scope.[15] The provision instructs the divisions and office to focus their assessments on the internal supervisory controls and staff procedures most relevant and important to achieving the section 961 objectives of consistently conducting examinations, investigations, and reviews with professional competence and integrity.[16] The working group also revised its definition of internal supervisory control to align with this focus.[17] SEC officials said the new definition more closely aligns with federal internal control standards and uses language from both those standards and the statute, emphasizing oversight of section 961’s core objectives.

In fiscal year 2024, Examinations reclassified two controls that, after review, no longer met the updated definition of internal supervisory controls, according to Examinations officials. The officials said these controls will no longer be assessed under section 961 but are still in scope for assessment under the Federal Managers’ Financial Integrity Act of 1982. Officials from Enforcement said they have been considering whether to streamline the scope of their section 961 assessments by covering fewer internal controls but that they did not reclassify any controls in fiscal year 2024. Corporation Finance and OCR officials said they did not make any changes as a result of the revised guidance on assessment scope.[18]

SEC Implemented Processes Generally Consistent with Its Framework to Conduct Assessments

The divisions and office developed and implemented processes that generally were consistent with SEC’s framework to assess the design and operating effectiveness of their internal supervisory controls for fiscal year 2024. In general, each division or office did the following:

·         Identified internal supervisory controls addressing the highest risks to its objectives,[19]

·         Described control activities in detail,

·         Periodically reviewed control activities and related procedures,

·         Assigned independent evaluators to assess control design and operation,

·         Obtained relevant evidence,

·         Documented testing procedures and results,[20] and

·         Communicated the work performed and results to the division or office director.

As shown in table 2, the divisions and office determined that the design and operation of their internal supervisory controls were effective in fiscal year 2024. The division and office directors certified the effectiveness of these controls in SEC’s annual section 961 report to Congress, as required.[21] Because none of the divisions and office identified significant internal supervisory control deficiencies in fiscal years 2022, 2023, or 2024, none implemented corrective action plans during that period. However, as discussed below, we identified weaknesses in the assessment of some of the internal supervisory controls.

Division or office	Number of internal supervisory controls	Number tested for effectiveness	Number found effective
Division of Examinations	12	12	12
Division of Enforcement	25	25	25
Division of Corporation Finance	6	6	6
Office of Credit Ratings	15	15	15

Source: GAO summary of Securities and Exchange Commission (SEC) information.  |  GAO‑26‑107823

Enforcement Did Not Identify Testing Standards for Some Controls

According to SEC guidance, staff evaluating controls should develop a detailed testing plan that includes control elements to test, evidence to use, and specific, measurable testing standards to apply to determine whether a control is functioning as intended. To the extent possible, testing standards should be written in the form of a yes or no question.

For each of its 25 internal supervisory controls, Enforcement created a plan describing the procedures for testing a control and a cover sheet for documenting control testing and evaluation results. Officials said the cover sheets were new for fiscal year 2024 and were intended to consolidate information about the control and testing information.

Enforcement’s cover sheets generally identified the control objective, control activity, and testing procedures, including the source of evidence, test type, and sampling methodology. However, we found that 11 of the 25 cover sheets did not identify specific, measurable standards against which to evaluate a control’s operating effectiveness. Without such standards, evaluators rely on their professional judgment to interpret ambiguous evidence and determine whether a control is operating effectively and as designed. Examples include the following:

·         Tips, complaints, and referrals. To ensure that Enforcement considered tips, complaints, and referrals in a timely manner, a control identified three activities: (1) weekly generation of an aging report for tips, complaints, and referrals; (2) weekly emails to groups responsible for tips, complaints, and referrals on the aging report that did not have a documented reason for delay; and (3) weekly emails to staff and supervisors responsible for tips, complaints, and referrals that appeared repeatedly on the aging report. The related testing procedure instructed the evaluator to review “weekly reports and/or emails” but did not describe what condition would constitute an example of noncompliance. Accordingly, it did not provide a specific, measurable testing standard to determine if the control was effective or not effective.[22]

·         Investigative plans. A control activity generally required each ongoing investigation to have an investigative plan. The cover sheet described the test procedure as a review of “investigative plans/notes” in the case management system but did not describe what kind of notes could be used instead of a plan. Accordingly, the test procedure did not provide a specific, measurable testing standard to determine if the control was effective or not effective.[23]

·         Top five case reviews. The control activity required staff to designate high-priority investigations, known as “top five cases,” for identification in quarterly review reports. The test procedure involved verifying if top five cases were listed in the reports and if supervisors certified the reports. However, the cover sheet did not identify a specific, measurable testing standard to determine if a top five case was correctly identified in the quarterly review reports.[24]

The weaknesses in Enforcement’s testing standards reflect the division’s ongoing challenges in complying with section 961 requirements. In our 2022 review, we found documentation weaknesses in three of Enforcement’s controls, which the division corrected before we issued our report. The division also had not updated a key document to align with new guidance implementing one of our prior recommendations.[25] As we discuss below, our current review similarly found Enforcement had not updated another key document—its written plan for assessing staff procedures—to reflect new guidance issued in response to two of our prior recommendations.[26]

By identifying specific and measurable standards in its testing plans, Enforcement would reduce the need for evaluators to use professional judgment to interpret ambiguous evidence to determine whether controls are effective. Such action would reduce the risk that evaluators will determine controls are effective when they are not. As a result, Enforcement would obtain greater assurance that its controls are operating effectively and that it is consistently conducting investigations with professional competence and integrity.

Corporation Finance Lacked Documented Policies for Supervisors to Check How Staff Conduct Filing Reviews

Federal internal control standards state that management should design control activities to mitigate risks to achieving the entity’s objectives and should implement those control activities through policies and procedures. As discussed earlier, SEC defines internal supervisory controls as the process supervisors perform during examinations, investigations, and reviews to provide reasonable assurance that section 961 objectives—to conduct such activities with professional competence and integrity—are achieved.

Corporation Finance’s fiscal year 2024 risk assessment identified staff noncompliance with filing review policies and procedures as one of the highest risks to achieving the division’s objectives. According to the risk assessment, improperly performed filing reviews could waste resources, impose undue burdens on companies, or miss instances of material noncompliance with securities laws.

Examples of Undocumented Protocols for Supervising Corporation Finance Filing Reviews Officials of the Division of Corporation Finance told us that supervisors managed filing reviews to promote professional competence and integrity through protocols not documented in policy, such as the following: ·       Review teams raised with supervisors any novel issues they encountered. ·       Review teams notified their supervisor before contacting another SEC division or office in the course of a review. ·       Supervisors generally served as second-level reviewers at least once per fiscal year for each of the staff they supervised. ·       Supervisors sometimes chose to serve as second-level reviewers based on factors such as staff experience level or the type of review. ·       In some groups, supervisors approved outgoing comment letters or examined review records in the documentation and reporting system. Source: GAO presentation of Securities and Exchange Commission (SEC) information.  |  GAO-26-107823

However, Corporation Finance’s fiscal year 2024 risk and control matrix does not include an internal supervisory control for supervisors to approve key actions, examine review records, or otherwise check that staff acted in compliance with policies and procedures during a filing review. Officials told us supervisors managed filing reviews through a risk-based supervisory framework that includes internal controls integrated with protocols not documented in policies (see sidebar). But these protocols did not produce evidence that could be tested for the section 961 assessment.

Corporation Finance officials told us it would be impractical and inefficient for supervisors to approve every action taken during filing reviews or examine every filing review record. They cited the large volume of filings SEC receives and the limited ratio of supervisors to staff. According to officials, in fiscal year 2024, each accounting staff member reviewed an average of 35 corporate annual reports, and each accounting supervisor oversaw an average of five staff.[27]

But well-designed controls could allow supervisors to oversee how staff conduct filing reviews without requiring them to approve or evaluate every decision. For example, controls could focus on higher-risk reviews or involve selecting a sample of reviews.[28] Alternatively, Corporation Finance could incorporate some of the undocumented protocols supervisors already use in its policies as internal controls—such as periodically serving as a second-level reviewer for each staff member they supervise. Such action would strengthen supervisory oversight without creating substantial new burdens on supervisors’ time.

Corporation Finance officials also told us the division relies on a second-level review process to ensure disclosures are properly evaluated against the federal securities laws and applicable accounting standards. Supervisors assign a staff member—called the examiner—to conduct each filing review. Unless the examiner is a supervisor, supervisors also assign themselves or a second staff member as a second-level reviewer. The examiner and the reviewer form a review team to complete the filing review (see fig. 2). Supervisors assign staff to filing reviews by considering their experience and competence, industry and topical expertise, the type of filing or transaction under review, and staff availability, according to officials. As the majority of second-level reviews are not conducted by a supervisor, Corporation Finance officials said supervisors delegate internal control responsibilities to non-supervisor reviewers.[29]

Notes: Initial screening by the industry office identifies issues for the review team to consider. Depending on the nature of the filing and the issues identified, an accounting review team, a legal review team, or both may review the filing. If the examiner is a supervisor, no reviewer is required.

Federal internal control standards state that managers in key roles can delegate authority for internal control to roles below them in the organizational structure. However, even if they delegate such authority, managers retain ownership for fulfilling their overall internal control responsibilities. In addition, the standards note that effective documentation assists in management’s design of internal control by communicating the who, what, when, where, and why of internal control execution to personnel. SEC guidance similarly states that controls should be documented and supported by policies and procedures.

Corporation Finance’s manual for conducting filing reviews does not fully describe the second-level reviewer’s internal control responsibilities and does not communicate expectations for performing control activities. Instead, it generally directs its guidance to examiners or review teams and does not separately describe reviewers’ duties. The manual encourages the examiner to consult with the reviewer in various situations but does not document the reviewer’s internal control role. Corporation Finance officials told us review teams are collaborative in nature. Reviewers provide a second set of eyes on a filing under review and serve as a source of feedback for the examiner conducting the review, according to the officials. But without express guidance supporting their role in internal control, the manual’s focus on collaboration and consultation may obscure reviewers’ responsibility for ensuring compliance with filing review policies and procedures.

Updating Corporation Finance’s manual to more fully communicate second-level reviewers’ internal control responsibilities would help ensure staff in that role understand and consistently execute their duties. Furthermore, because supervisors retain responsibility for mitigating the risk of improperly performed filing reviews, establishing an internal supervisory control or controls for supervisors to check how staff conduct filing reviews would strengthen supervisory oversight. These steps would provide greater assurance that staff consistently conduct reviews with professional competence and integrity, ultimately improving the quality of information available to investors.

SEC Assessed Staff Procedures, but Some Plans for These Assessments Are Not Fully Consistent with Applicable Guidance

SEC’s Fiscal Year 2024 Staff Procedures Assessments Generally Were Consistent with Applicable Guidance

Each division and office assessed its staff procedures in fiscal year 2024 and determined they met section 961 objectives of consistently conducting examinations, investigations, or reviews with professional competence and integrity. We found the assessments generally were consistent with the 961 reference guide. Figure 3 illustrates the staff procedure assessment process as described in the guide. For example, each division and office identified its central program manual as the main record of its staff procedures relevant to the section 961 objectives and conducted at least one phase of a periodic program manual review.[30]

In addition to reviewing their program manuals, the divisions and office gathered information from other activities and sources as part of their fiscal year 2024 staff procedure assessments (see table 3). They did not identify any significant deficiencies in the effectiveness of their staff procedures based on the analysis of the activities and sources described below. In turn, they documented their conclusions in a memorandum to their respective directors, who certified the results of the fiscal year 2024 assessments.

Division or office	Activity or source
Division of Examinations	·          Reviewed and updated inventory of 961 staff procedures. ·          Received and reviewed feedback from staff about staff procedures collected by two management committees, a division mailbox, staff training, monthly newsletters, and townhalls. ·          Tested the operating effectiveness of an internal supervisory control over policy updates. ·          Reviewed program data related to timeliness and monitoring. ·          Conducted a phase of a periodic, comprehensive program manual review and other ad-hoc reviews. ·          Reviewed available and relevant public commentary. ·          Reviewed Office of Inspector General (OIG) and GAO recommendations.
Division of Enforcement	·          Reviewed Quarterly Case Reviews (meetings held during investigations to facilitate communication) for Senior Officer certification. ·          Received and reviewed feedback from internal stakeholders and any available and relevant public commentary. ·          Conducted a phase of a periodic, comprehensive program manual review. ·          Reviewed and updated supplemental guidance found on EnforceNet (Enforcement’s intranet site) periodically and as needed. ·          Reviewed program data related to timeliness. ·          Reviewed internal control activities and internal control test results. ·          Reviewed OIG and GAO recommendations.
Division of Corporation Finance	·          Tested four staff procedures identified as relevant to 961 objectives. ·          Reviewed program data related to timeliness, compliance with annual review goals, and compliance with Sarbanes-Oxley Act of 2002. ·          Conducted a phase of a periodic, comprehensive program manual review and other ad-hoc reviews. ·          Reviewed Federal Managers’ Financial Integrity Act of 1982 Management Assurance Assessment results. ·          Reviewed OIG and GAO recommendations.
Office of Credit Ratings	·          Held annual After Action Review meeting (a forum for managers to collect feedback from staff) and discussed the fiscal year 2024 staff procedure assessment. ·          Reviewed program data related to documentation requests sent to nationally recognized statistical rating organizations and their responses. ·          Completed annual review of the program manual and began process to update the manual.

Source: GAO analysis of Securities and Exchange Commission (SEC) information.  |  GAO‑26‑107823

Divisions and Office Updated Their Staff Procedures Assessment Plans, but Some Plans Did Not Incorporate All Applicable Guidance

Each division and office updated its written plan for assessing staff procedures in fall 2024, after the 961 Working Group revised its reference guide in 2024.[31] We found that each plan documented processes to identify relevant staff procedures, analyze current evidence, describe activities and sources used to assess procedures, assign responsibilities, and outline methods for assessing procedure effectiveness. However, Enforcement, Corporation Finance, and OCR did not incorporate all the reference guide’s requirements and recommendations.

Plans for Assessing Staff Procedures

According to the reference guide, each division or office should maintain a written plan that documents the process for systematically assessing staff procedures, including how it

·         identifies the procedures applicable to the staff and the objective of those procedures;

·         identifies, monitors, and evaluates relevant and available program data to gain insight into the effectiveness of staff procedures;

·         reviews its program manual of staff procedures on a periodic and comprehensive basis and incorporates the review results into the annual staff procedures assessment; and

·         documents the assessment, including preparing a written memorandum to the director.

Although Enforcement’s and OCR’s fiscal year 2024 assessments of their staff procedures were consistent with the 961 reference guide, their assessment plans did not incorporate some of the guide’s processes.

·         Enforcement’s plan did not document how it would conduct periodic manual reviews and incorporate the results into its assessment or monitor and evaluate program data.

·         OCR’s plan did not document how it would identify the objective of its staff procedures; identify, monitor, and evaluate program data; document its assessment; and prepare a memorandum to the director.

The Enforcement and OCR evaluators responsible for the fiscal year 2024 assessment had conducted section 961 assessments for several years and thus were familiar with the staff procedure assessment process. While such experienced staff may be able to execute the assessment process without reference to a written plan, maintaining a complete and updated plan can help preserve institutional knowledge in the event of staff turnover. Although a division or office could use the 961 Working Group’s reference guide as a map for assessing staff procedures, the guide requires each division and office to develop its own written plan tailored to its particular needs.[32]

By maintaining a written plan that fully documents the processes for systematically assessing staff procedures, Enforcement and OCR would more clearly establish and communicate the “who, what, when, where, and why” of internal control execution to their staff. Moreover, such documentation would help retain organizational knowledge and mitigate the risk of having that knowledge limited to a few individuals.

Evaluating Staff Procedure Development Frameworks

In its September 2024 revision to its reference guide, the 961 Working Group recommended that the divisions and office adopt and evaluate a staff procedure development framework. According to the guide, such a framework would

·         provide a process for management to assess procedure development and implementation, so that management can better identify and correct ineffective procedures and use assessment results to inform the development of new procedures; and

·         include an evaluation of the effectiveness of the assessment process.

Officials told us the first element—the process for assessing procedure development— encompasses the activities the divisions and office use to monitor and, as needed, revise staff procedures. They said they intended the second element—the evaluation of that process—to take place as part of the section 961 staff procedures assessment. According to the officials, the 961 Working Group added this suggestion because a good process for monitoring and, as needed, revising staff procedures can help demonstrate that those procedures are effective. Such a process aligns with federal internal control standards that organizations should establish and operate monitoring activities for the internal control system and evaluate the results.

As we discuss later in this report, the divisions and office have activities for monitoring and, as needed, revising staff procedures. Through their fiscal year 2024 assessments, the divisions and office assessed, to varying degrees, the effectiveness of those activities—consistent with the 961 Working Group’s recommendation that they adopt and evaluate a staff procedure development framework.

Examinations expressly evaluated its framework as part of the section 961 assessment for 2024, but Enforcement, Corporation Finance, and OCR did not.[33] In addition, we found that Enforcement, Corporation Finance, and OCR did not document in their staff procedure assessment plans whether and how they will evaluate the effectiveness of their staff procedure development framework for the assessment. During our review, Examinations updated its assessment plan to incorporate this information.

Because the 961 Working Group did not add the recommendation on staff procedure development frameworks until September 2024, the divisions and office had limited time to implement it for the fiscal year 2024 assessment. Furthermore, the 961 reference guide did not provide clear guidance for scoping and implementing such evaluations.[34] Officials said the Working Group plans to revise the reference guide to clarify the recommendation and provide additional guidance for implementing it.

Although the staff procedure development framework is a recommendation and not a requirement, it aligns with federal internal control standards for establishing and operating monitoring activities for the internal control system and evaluating results. Incorporating evaluations of the staff procedure development framework into written plans would help ensure evaluations are appropriately scoped and consistently executed. Annually evaluating the frameworks as part of the section 961 assessment would help the divisions and office better identify and correct ineffective procedures and use assessment results to inform the development of new ones.[35] This in turn could help staff consistently perform their duties with professional competence and integrity.

SEC’s Activities for Monitoring and Revising Staff Procedures Were Consistent with Applicable Standards

The divisions’ and office’s activities for monitoring and, as needed, revising staff procedures were consistent with applicable federal internal control standards.[36] Specifically, we observed that each division and office evaluated the results of ongoing monitoring, assigned roles and responsibilities for each activity, established mechanisms to respond to change, and periodically reviewed staff procedures. These practices are important in achieving an effective internal control system.

Ongoing Monitoring

Each division and office uses a variety of ongoing monitoring activities to gather information to inform staff procedure development and considers results of their section 961 assessments of staff procedures in doing so. We describe examples of ongoing monitoring activities below.

·         Examinations. Examinations collects feedback on staff procedure effectiveness from two governance committees (see textbox), a dedicated mailbox, and in response to training sessions, monthly newsletters, and townhalls. In addition, the division reviews its staff procedures manual every 4 years.

The Exam Process Advisory Committee The Exam Process Advisory Committee, in SEC’s Division of Examinations, helps monitor and improve the division’s processes for examining registered entities. Its responsibilities include reviewing existing examination processes, proposing policy changes to the director, evaluating proposed changes, and helping to revise the examination manual. The committee is composed of 25 managers from different program areas and regions. Members report at least quarterly to the division’s Management Committee, a forum for senior managers. In fiscal year 2024, the Exam Process Advisory Committee met 16 times and contributed to three major examination manual revisions. Division of Examinations officials told us that this committee is a unique and valuable forum because it brings together working managers who have direct knowledge of trends and problem areas in the examination process. Officials described several ways it has contributed to monitoring and, as needed, revising staff procedures and making examinations more efficient. For example, input from its members led to updating or removing outdated procedures on two occasions in fiscal year 2024. Members also provide perspectives on Examinations’ key operational risks and most important staff procedures to inform the division’s annual section 961 assessment.

Source: GAO analysis of Securities and Exchange Commission (SEC) information.  |  GAO‑26‑107823

 

·         Enforcement. Enforcement collects feedback from staff using an email address shared with the director’s office. Officials told us that members of the division’s Case Management Systems and Reporting group, which is responsible for maintaining the division’s supplemental guidance, also attend meetings between the division and the Commission when issues involving staff procedures may be discussed. These officials will then work with staff designated as subject matter experts to update supplemental guidance.

·         Corporation Finance. Managers in Corporation Finance use dashboards with program data to gain real-time insights into the effectiveness of staff procedures. For example, officials told us the dashboards provide information on compliance with division policy or statutory requirements, as well as any workload changes that would affect how staff procedures are used during filing reviews. Staff also should contact the office responsible for overseeing the periodic review process with any issues.

·         OCR. OCR managers and staff meet annually for After Action Review meetings at the end of an examination cycle. During these meetings, staff and managers suggest improvements and identify issues with the effectiveness of staff procedures. Officials told us that staff and managers also can use these meetings to share issues with senior managers.

Assignment of Roles and Responsibility for Key Activities

Each division and office assigned roles and responsibilities, especially to senior managers, for activities used to monitor and, as needed, revise staff procedures.

·         Examinations. One central office, Office of Chief Counsel-Compliance (OCC-Compliance), generally manages all staff procedure development framework activities. OCC-Compliance officials told us they collaborate with other managers across the division, including managers assigned to governance committees. The office also oversees the periodic manual review, collaborating with senior managers who approve changes to staff procedures. In addition, OCC-Compliance collects input from staff and reviews program data when assessing staff procedures.

·         Enforcement. Multiple offices and individuals are responsible for Enforcement’s framework activities. For example, one office maintains a website with supplemental guidance, while individual subject matter experts are assigned to update and review specific procedures. Several groups in the division and across SEC review and update the publicly available procedures manual.

·         Corporation Finance. Responsibility for monitoring and revising staff procedures is shared between two offices and managers across the Disclosure Review Program, which monitors compliance with applicable disclosure and accounting requirements. For example, one office collects staff feedback using a standardized form and coordinates periodic reviews of staff procedures. Officials told us that the program managers are responsible for monitoring program data to determine whether updates to staff procedures are warranted and are responsible for approving these changes.

·         OCR. Three offices manage OCR’s activities for monitoring and revising staff procedures. For example, officials told us that management from one office leads After Action Review discussions conducted with staff and managers at the end of an examination cycle. Two offices oversee the periodic review of the procedure manual.

Activities to Respond to Change

Each division and office provided examples of how they identified and responded to internal and external changes that affected staff procedures.

·         Examinations. Officials described how OCC-Compliance initiated a review of specialized procedures after learning from a governance committee that examination teams generally preferred standard procedures. In response, OCC-Compliance removed the specialized practices from the manual to streamline the procedures without introducing risk to examinations.

·         Enforcement. Officials described how staff from the Case Management Systems and Reporting group responded to a Supreme Court opinion—and a related change in law—that affected how disgorgements are calculated. In response, they modified the relevant supplemental staff guidance.

·         Corporation Finance. Through a review of program data, Corporation Finance managers observed a surge of filings in 2021 that affected staff workload. In response, they issued temporary guidance modifying staff procedures to provide flexibility and enhance efficiency in the filing review process. Officials told us that managers monitored the impact using program data and later incorporated aspects of the temporary guidance into the permanent manual.

·         OCR. In an After Action Review meeting, managers flagged situations when certain draft examination findings were submitted for review before others. Officials told us there are potential benefits to reviewing all findings together. Specifically, examination teams sometimes discussed potential findings with nationally recognized statistical rating organizations but provided the final written findings only after all findings were finalized. Managers flagged the issue during After Action meetings with senior management, who said they would consider it. Officials also told us that managers and staff met with representatives of registrants to monitor developments in the credit rating industry.

Periodic and Ad Hoc Review of Staff Procedures

SEC requires each division and office to review its manual of staff procedures at least once every 5 years. The divisions and office also conduct ad hoc reviews as needed. These reviews are separate from the annual section 961 staff procedure assessments.

·         Examinations. Reviews the manual every 4 years.

·         Enforcement. Reviews the manual every 5 years, and supplemental guidance every 2 years.

·         Corporation Finance. Reviews the manual every 4 years.

·         OCR. Reviews the manual annually.

Conclusions

While the divisions and office generally followed SEC’s internal supervisory control assessment framework, we identified weaknesses. Without specific and measurable testing standards, Enforcement evaluators face greater risk of determining controls to be effective when they are not. Corporation Finance supervisors oversaw filing reviews using undocumented protocols. Documenting supervisory review processes would provide evidence to test control effectiveness and, thus, greater assurance that staff consistently conduct filing reviews with professional competence and integrity.

The divisions’ and office’s fiscal year 2024 staff procedure assessments generally were consistent with the 961 Working Group’s guidance. However, Enforcement and OCR did not incorporate some key guidance elements into their written plans for assessing staff procedures. Documenting such information in plans would decrease the risk that future procedure assessments will be inconsistently performed, especially if organizational knowledge is lost because of staff turnover.

Enforcement, Corporation Finance, and OCR did not fully implement the 961 Working Group’s recommendation to adopt and evaluate a staff procedure development framework. Evaluating these frameworks would help ensure these divisions and office can effectively monitor and, as needed, revise ineffective procedures. Furthermore, incorporating the recommended framework evaluation into written plans for assessing staff procedures would help ensure future evaluations of the framework are appropriately scoped and consistently executed.

Recommendations for Executive Action

We are making the following six recommendations to SEC.

The Chairman of SEC should ensure that the Director of the Division of Enforcement test the operating effectiveness of internal supervisory controls using specific, measurable testing standards. (Recommendation 1)

The Chairman of SEC should ensure that the Director of the Division of Corporation Finance document policies for delegating control activities to second-level reviewers and provide guidance for second-level reviewers to perform their responsibilities during filing reviews. (Recommendation 2)

The Chairman of SEC should ensure that the Director of the Division of Corporation Finance establish and document one or more controls for supervisors to check how staff conduct filing reviews and test the design and operating effectiveness of the control(s) for the section 961 assessment. (Recommendation 3)

The Chairman of SEC should ensure that the Directors of the Division of Enforcement and Office of Credit Ratings update their respective written plans for assessing staff procedures to include all recommended elements of the Reference Guide for Compliance with Section 961 of the Dodd-Frank Act. (Recommendation 4)

The Chairman of SEC should ensure that the Directors of the Division of Enforcement, Division of Corporation Finance, and Office of Credit Ratings update their written plans for assessing staff procedures to include an evaluation of their respective staff procedure development frameworks. (Recommendation 5)

The Chairman of SEC should ensure that the Directors of the Division of Enforcement, Division of Corporation Finance, and Office of Credit Ratings evaluate their respective staff procedure development frameworks for the section 961 assessment. (Recommendation 6)

Agency Comments

We provided a draft of the report to SEC for review and comment. In its comments, reproduced in appendix I, SEC agreed with our recommendations and described planned actions and timeframes for implementing them. SEC also provided technical comments, which we incorporated as appropriate.

We are sending copies of this report to the appropriate congressional committees, the Chairman of SEC, and other interested parties. In addition, the report is available at no charge on the GAO website at http://www.gao.gov.

If you or your staff have any questions about this report, please contact me at clementsm@gao.gov. Contact points for our Offices of Congressional Relations and Media Relations may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix II.

Michael Clements
Director, Financial Markets and Community Investment

GAO Contact

Michael Clements, clementsm@gao.gov

Staff Acknowledgments

In addition to the contact named above, Stefanie Jonkman (Assistant Director), Loren Lipsey (Analyst in Charge), Dahlia Darwiche, Megan Johnson, Jill Lacey, Alberto Lopez, Scott McNulty, Marc Molino, Barbara Roesmann, Grant Simmons, and Richard Tsuhara contributed to the report.

GAO’s Mission

The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost is through our website. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. You can also subscribe to GAO’s email updates to receive notification of newly posted products.

Order by Phone

The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, https://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.

Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO

Connect with GAO on X, LinkedIn, Instagram, and YouTube.
Subscribe to our Email Updates. Listen to our Podcasts.
Visit GAO on the web at https://www.gao.gov.

To Report Fraud, Waste, and Abuse in Federal Programs

Contact FraudNet:

Website: https://www.gao.gov/about/what-gao-does/fraudnet

Automated answering system: (800) 424-5454

Media Relations

Sarah Kaczmarek, Managing Director, Media@gao.gov

Congressional Relations

David A. Powner, Acting Managing Director, CongRel@gao.gov

General Inquiries

https://www.gao.gov/about/contact-us