OIG Turns Spotlight on SEC Exam Program, Data Center Management Problems
Every six months, the SEC’s Office of the Inspector General issues a report to Congress in which it updates its progress in investigating aspects of the Commission’s activities. In its latest report, released December 1, the watchdog arm of the SEC takes aim at, among other things, the Office of Compliance Inspections and Examinations’ investment adviser exam controls, and the agency’s management of its data centers.
"We . . . identified deficiencies in OCIE’s investment adviser examination completion controls that warrant management’s attention," the OIG said in its Semiannual Report to Congress, covering the period from April 1, 2017 to September 30, 2017. In words that may bring a touch a schadenfreude to the heart of at least some investment advisers, the report found that "these deficiencies occurred because sufficiently robust policies and procedures were not in place to prevent the deficiencies’ occurrence."
As for management of the SEC’s data centers, the OIG reiterated conclusions from a past report that the agency wasted several hundred thousand dollars by failing to implement steps in a plan to relocate those centers that the SEC itself paid for. Further, it said that if the agency does not take corrective action to validate certain costs, among other things, the SEC is on a path to incur about $2.7 million in additional costs.
Beyond these two areas, the OIG report provides updates on a wide range of audits and investigations. Inspector general Carl Hoecker noted that the OIG’s investigations "resulted in 11 referrals to the Department of Justice, one of which was accepted for prosecution, and six referrals to management for administrative action."
"The most recent OIG report is a good reminder that the SEC has an internal office that is dedicated to conducting audits, evaluations, investigations, and other reviews of the agency’s programs and activities," said Ropes & Gray counsel David Tittsworth. "As such, the OIG serves a watchdog function that provides independent reports to Congress and the public."
The examination program audit
While the OIG found that controls over OCIE’s investment adviser examination completions process "are generally effective," it said that further improvements are needed. In reaching its conclusions, the OIG said that it reviewed documents from all closed adviser corrective action reviews between fiscal years 2015 and 2016, as well as a statistical sample of 240 of 2,443 closed investment adviser exams.
While it overall found that "controls over OCIE’s investment adviser examination completion process were ‘generally effective,’" it said that certain improvements are needed. Specifically, the OIG audit found that:
Two investment adviser examination completion controls regarding control sheets and post-exam fieldwork lacked adequate segregation of duties,
Examiners did not always document preliminary exit interviews with examined advisers, and that
Examiners either did not assign final risk ratings or may have assigned final risk ratings inaccurately.
These three findings were the ones that the OIG attributed to a lack of sufficiently robust policies and controls.
"If OCIE does not appropriately review and consistently document investment adviser examination results and risk assessments," the report said, three things may result:
Examination work products may be more susceptible to error,
OCIE examiners’ ability to sufficiently review prior examination findings and perform comprehensive risk assessments may be reduced, and
OCIE may not effectively consider the results of examinations during its evaluation of risk for future examinations.
The OIG suggested that OCIE improve its investment adviser examination completion process and internal controls by "updating or documenting policies and procedures consistent with the Standards for Internal Control in the Federal Government."
"Examiners already are extremely busy on the paperwork front, sending out initial request letters, preparing letters to registrants summarizing exam findings and completing other paperwork," said Stradley Ronon partner Lawrence Stadulis. "The exit interview often comes at a time when examiners already are turning to other matters and it is not surprising that their exit interview write-ups are sometimes forgotten or not fully completed." He said that he does not disagree with the recommendations, however.
The watchdog agency also noted that it will be monitoring to see if OCIE implements OIG recommendations to improve the adviser examination completion process made in a July 2017 report.
Those recommendations were that OCIE:
Design control activities related to the review and approval of examination work products to require adequate segregation of duties,
Update National Exam Program policies and procedures to more clearly define the requirements for documenting examination meetings and interviews in the agency’s Tracking and Reporting Examination National Documentation System, and
Develop and disseminate to OCIE staff guidance for assigning final examination risk ratings before closing examinations.
"My reading of the report indicates that the deficiencies were relatively minor, technical violations rather than revealing some systemic or widespread problems with adviser examination documentation," said Tittsworth. "A bigger challenge for OCIE is how to increase the number – and enhance the quality – of investment adviser examinations during 2018 – one of the key SEC priorities already announced by SEC chairman Jay Clayton."
The data center management audit
The OIG said that it conducted this audit "to assess the SEC’s management of its data centers, ensure the data centers have adequate physical and environmental controls, and determine whether SEC personnel properly monitored the contractors’ performance."
What the audit found were some significant problems. For instance, the report says that the SEC, in 2008, paid $162,000 for a contractor-developed plan to relocate the agency’s data center, but "did not follow the plan’s recommended steps or timeline to ensure the 2012-2013 data center relocations were properly executed and that the data center providers . . . could meet the agency’s needs before awarding contracts and migrating data, thereby exposing the SEC data to vulnerabilities."
The OIG said it was unable to determine why these recommendations were not followed "because the current officials responsible for the SEC’s data centers were not aware of the relocation plan, many key officials responsible for the data center relocations no longer work at the SEC, and . . . contract files were incomplete."
Advisers learning of these reasons may wonder what SEC examiners would do if they were given similar reasons by advisory firms as a reason for compliance deficiencies.
"Because the agency derived little, if any, benefit from the 2008 data center relocation plan, we believe the $162,000 paid for the plan represents funds that the SEC may have wasted," the report states.
Beyond this find, the OIG audit found some agency equipment at one of the data centers was exposed to "certain physical and environmental control vulnerabilities since the inception of the contract." These vulnerabilities, the watchdog agency said, "have disrupted SEC operations and resulted in increased costs to the agency," an amount that it estimated to be approximately $370,000 spent in questioned costs since 2014 to mitigate the damages.
In addition, the OIG report said that it found the following:
The SEC did not adequately manage or monitor its data center contracts,
The agency paid $217,159 in overpayments (which have since been refunded) to one of its data center providers because of invoices containing formula errors, and approximately $2.8 million in unsupported costs paid to one data center.
"These findings certainly are not helpful as the SEC is currently dealing with another high-profile investigation related to the hack of the EDGAR system that occurred in 2016," said Tittsworth.
As far as the hacking investigation (ACA Insight, 9/25/17) is concerned, the OIG said that it is conducting an evaluation and expects to issue a report in its next reporting period. That should be in about six months.