OIG Recommends Seven Changes in SEC Use of External Experts
The SEC has had its eye on advisory firm use of external experts and taken enforcement action when it found problems. Now the agency itself is under the spotlight. The OIG recently recommended seven steps it wants the SEC to take in its own use of external experts.
While stating, in its "Audit of the SEC’s Internal Controls for Retaining External Experts and Foreign Counsel in the Division of Enforcement," that it did not find any fraud, waste or significant mismanagement of the funds spent on expert services, fees and expenses, the OIG did come to the conclusion that "the SEC can better manage [the Enforcement Division’s] contracts for expert services."
The report lists the seven specific recommendations based on its audit findings, which cover the Enforcement Division’s use of external experts from April 1, 2015 through March 31, 2017. During that period, the SEC awarded 197 contracts for expert services, totaling more than $35 million. Of those contracts, the OIG "judgmentally selected and reviewed" 21 of them.
The audit findings come after the OIG on June 7 addressed the topic of external experts in a much more general way, along with a number of other subjects, in its "Semiannual Report to Congress" (ACA Insight, 6/18/18), in which it said it would issue its audit on the subject within the coming six-month reporting period. It released the audit eight days later.
Purpose of the audit
The OIG, which acts as a sort of internal watchdog on SEC activities, said that it conducted the audit to determine whether the agency implemented effective controls in two areas:
Reviewing and approving requests for expert services, including selecting experts; and
Managing contracts with experts and the funds spent on experts’ services, fees and expenses.
The SEC now has 45 days to provide the OIG with a written corrective action plan in terms of implementing the seven recommendations. The OIG wants some specificity in the action plan, including the name of the responsible official/point of contact, the timeframe for completing required actions, and the milestones that will identify how the agency is addressing the recommendations.
Advisers, funds and broker-dealers that have been subject to SEC settlement agreements should be able to relate.
"Given the well-publicized data breach the SEC suffered in 2016, it is a bit surprising that the agency does not already have more robust protection of personally identifiable information provided to outside experts," said Paul Hastings partner Nicolas Morgan. "Also surprising is the discrepancy between the SEC’s policies with regard to experts and actual practice regarding those experts. For example, the failure to obtain status reports and invoices with sufficient detail from experts fell short of what the SEC required of itself. If the staff encountered such shortcomings during an examination or investigation of an investment adviser or broker, the results could be quite serious."
Proskauer partner and former SEC Division of Investment Management deputy director Robert Plaze said that, in the final analysis, external experts know that "if they don’t do a good job, they won’t be hired again. That’s the discipline."
That said, prosecutors depend on experts in their cases, he said. "The idea of firing them would make their cases more difficult."
The OIG audit resulted in two significant findings, one of which resulted in two recommendations, and the other of which resulted in five. Following is a summary of the findings and the recommendations, along with the SEC’s responses.
Surveillance of expert performance
The audit found that surveillance of contracted experts by contracting officer representatives (CORs) "was limited."
While the SEC required experts to submit monthly status reports, the experts generally did not do so, "and agency personnel did not enforce the requirements to do so," the OIG said. "In addition, some experts submitted invoices with little or no detail about the work performed and the personnel who performed it."
Only two of the 21 contracts that the OIG reviewed found that experts were submitting monthly status reports, the audit said. "For the remaining 19 contracts, we determined that contract files and COR files did not include contractors’ monthly status reports, and we confirmed with CORs, [Division of Enforcement] attorneys, and other contract points-of-contact that they did not receive monthly status reports."
One of the underlying problems, according to the audit report, was that most of the CORs believed that the Enforcement Division attorneys, who worked closely with the experts and were responsible for inspecting and accepting the experts’ work, were the ones who received the reports. "However," the OIG said, "[Division of Enforcement] attorneys either interpreted the status report requirement loosely or did not believe receiving monthly status reports was in the best interest of the SEC."
"For half of the 21 contracts we reviewed, [Enforcement Division] attorneys stated that they maintained continuous communication with experts and, therefore, obtained status orally rather than from a formal report," the watchdog agency said. "[Division of Enforcement] attorneys associated with seven of the 21 contracts we reviewed told us that experts’ invoices met the intent of the monthly status report. Moreover, four [Enforcement Division] attorneys we interviewed stated that SEC contracts should not require experts to submit monthly status reports because potential litigation risk."
The audit also found invoices that did not identify labor categories or rates charged, that billed for labor categories or labor rates that were not approved by the corresponding contract, and that resulted in the SEC being over-billed, "albeit by small amounts." Here, too, the CORs told the auditors that they relied on the Division attorneys to approve the invoices.
The OIG recommended that the SEC’s Office of Acquisitions work with the Division of Enforcement in two ways to resolve the surveillance of experts issues:
Recommendation 1. Determine if surveillance of experts’ monthly status reports is the optimal process for managing and mitigating contract-related risks; and, as needed, establish new processes and guidance to define the role of contracting officers’ representatives in surveilling work performed under contracts for expert services. SEC management concurred with the recommendation.
Recommendation 2. Finalize the supplemental invoice template to clearly define and communicate types of information required on experts’ monthly invoices for payment. Management agreed.
Enforcement and information security
The audit’s second finding was that the SEC did not always enforce or establish information security controls to address risks inherent in expert services contracts.
For instance, the OIG noted, agency personnel did not ensure that "more than half of the 113 individuals reported as having worked on the contracts we reviewed signed the required [non-disclosure agreement] (NDA) or signed one timely," the audit report said. "In addition, in at least five instances, agency personnel had not enforced contract requirements related to [personally identifiable information] even though experts had access to PII. We also found that contract lacked controls regarding the inadvertent release or disclosure of information after the SEC transmits information to experts."
As a result, the OIG said, "the agency lacked assurance that experts and their information systems achieved basic levels of security to protect the SEC’s sensitive, non-public information, including PII."
As far as the NDAs are concerned, SEC operating procedures state that the contractor and each of the contractor personnel must complete and sign an NDA for each contract on which contractor personnel work, the audit report said. The contracts generally state that a violation of an NDA or assignment of staff who had not executed an NDA may result in administrative contracting officer action, default of contract, civil suits or criminal prosecution.
Despite this, of the 113 individuals listed on contractor-submitted invoices as having worked on the 21 contracts the OIG reviewed, "61 of these individuals, or more than half, either had not signed an NDA or signed one after [emphasis OIG] beginning work on the contract," the audit report said.
"I was surprised to learn about NDAs not being completed," said Plaze. "They are important for prosecutors."
As for PII, "at least five attorneys stated that they had sent PII to experts," the OIG said. "The PII included investors’ names, addresses, dates of birth, and customer account information." In addition, the watchdog agency said, in all five instances, prior to the audit, the contracting officer had not obtained from experts the required quarterly assessments or privacy policies.
In regard to this second finding, the OIG recommended, and SEC management concurred, that the agency’s Office of Acquisitions take the following steps:
Recommendation 3. Work with the Division of Enforcement to obtain non-disclosure agreements from any contractor personnel who are assigned to an active expert service contract but have not completed a non-disclosure agreement.
Recommendation 4. Work with the Division of Enforcement to implement a standardized process for verifying receipt of non-disclosure agreements, where necessary, and before contractor personnel perform work under any new contracts for expert services.
Recommendation 5. Incorporate into the Office of Acquisition’s processes a review of new or recent Federal Acquisition Regulation parts, subparts or sections applicable to new solicitations, contracts and modifications to existing contracts, including Federal Acquisition Regulation 52.204-21.
Regulation 6. Work with the Division of Enforcement to a) determine if the current contractual provisions regarding protection of personally identifiably information are the optimal processes for ensuring appropriate protection of such information, and b) evaluate what other steps are needed to ensure that contractors appropriately protect such information.
Regulation 7. Work with the Division of Enforcement to develop a process that ensures that contracting officers enforce contract requirements related to personally identifiable information, when necessary, for any new contracts for expert services.