Managing a Small Audit Office The Office of

Managing a Small Audit Office: The Office of Inspector General at the SEC (1989 -2004)

Topics: 1. Background : IG Act and SEC OIG 2. Lessons we learned 3. Case Studies of two audits

Prelude: the SEC Office of Internal Audit (1985 -89) Creation of office Staffing of office Organizational location

Background Inspector General Act n n n Audits and investigations Reporting Independence and access Similar Offices Yellow Book standards

Background Our office n n 5 auditors, 2 attorney investigators, 2 managers, plus contractors Audit assignments: SEC programs (securities markets), Information Technology, Administrative/Financial

Lessons learned: Staffing Experience Quality of staff (pay) Maximize value Staffing increases

Lessons learned: Dealing with Auditees --Positive, constructive, give credit --Modify reports (auditee buy-in) --Focus on improvements, not on workpapers and reports (ends rather than means) --Different offices tend not to communicate

Lessons learned: Quality Control for Audits Meet standards, but no more: minimalism (hard enough) Reduces administrative costs and helps ensure compliance Minimalism for supervision too Usefulness of peer reviews (improvements suggested: legal review, staff rotation)

Lessons learned: Risk Assessments Quantitative risk assessment n n n Administrative costs Preference of staff Role of judgment Qualitative risk assessment Relation to Annual and Strategic Plans

Lessons learned: Audit Coverage Gradual increase Financial/administrative, then Information Technology, then programs Avoidance of complex policy questions n n Congress, Commissioners, GAO coverage Limited staff and expertise Coverage where most useful and other coverage lacking

Lessons Learned: Audit Coverage Consider other options to full scale audit For example n n n Audit Memorandum rather than report No audit or limited audit: brief senior management on significant, pressing issues (if they agree to take action without full audit, saves time) Inspection or special project

Lessons learned: Information Technology contractors IT: major problems, major expenses, insufficient attention by others Too much work for one staff Hired several contractors with option years: expertise, flexibility, increased coverage Conflict of interest and confidentiality issues

Case studies Information Technology capital planning Disgorgement waivers

IT Capital Planning First audit n n No formal process and procedures Assisted management in developing one Follow-up Audit n n Processes still informal, ad hoc, not in full compliance with statutes and regulations Resistance and lack of understanding from some staff; poor communication between IT Office and program offices

IT Capital Planning Risks greater because of large increases in IT budget Audit helped educate SEC staff, enhanced controls, and established authority of IT Office over Capital Planning Many briefings, auditees helped identify solutions (buy-in) Used standard evaluation frameworks (GAO, OMB, etc. )

Disgorgement Waivers Auditor divorce Did research on hidden assets—public data bases Applied personal research to Disgorgement audit “Ill-gotten” assets from securities law violations—returned to investors

Disgorgement Waivers Disgorgement often waived because of inability to pay, based on defendant’s sworn statement Enforcement not checking for hidden assets and relying on good faith of defendant Auditor realized that violators not trustworthy, controls not adequate

Disgorgement Waivers Convinced Enforcement to hire contractor and implement procedures to locate hidden assets OIG reported significant problem in Semi-Annual Report: internal control weakness, materiality of assets involved Problem got media attention, several news articles published

Contact information egbertn@sec. gov 202 -942 -4462; fax 202 -942 -9653 www. sec. gov; www. ignet. gov