Office of Audits Pending Audits
Assessment of the Commission’s Bounty Program for Whistleblowers
Bounty programs are an effective tool to encourage whistleblowers to come forward, and they provide the incentives that are needed for outside entities to bring complaints about possible illegal activities. There is some evidence that the bounty program implemented by the Department of Justice (DOJ) has played a role in increasing the civil recoveries obtained by DOJ over a ten-year period. The Internal Revenue Service (IRS) also has a system in place for providing a bounty to individuals who present the IRS with information leading to the collection of federal taxes.
Currently, Section 21A(e) of the Securities Exchange Act of 1934 authorizes the Securities and Exchange Commission (SEC) to award a bounty to a person who provides information leading to the recovery of a civil penalty from:
- An insider trader;
- A person who “tipped” information to an insider trader; or
- A person who directly or indirectly controlled an insider trader.
Although the SEC has had a bounty program for more than 20 years, very few bounty awards have been issued. The SEC’s bounty program is limited to insider trading cases, and the stated criteria for judging bounty applications are broad, somewhat vague, and not subject to judicial review. All bounty determinations, including whether, to whom, or in what amount to make payments, are within the sole discretion of the SEC. Currently, the total bounty cannot exceed 10% of the amount actually recovered from a civil penalty pursuant to a court order.
The OIG is conducting an assessment of the SEC’s bounty program to determine whether necessary management controls have been established and operate effectively to ensure bounty applications are routed to appropriate personnel and are properly processed and tracked. We will also determine whether improvements are needed and plan to perform benchmarking to identify best practices at other government agencies with similar bounty programs.
Assessment of Interagency Acquisition Agreements to Improve Efficiency
The OIG is continuing its audit of the SEC’s interagency agreements and acquisitions. Government agencies use interagency agreements and acquisitions to take advantage of contracts, expertise and experience in other government agencies that they might not have internally. They can also use interagency agreements and acquisitions to provide services to other agencies. Interagency agreements provide government agencies with convenient access to commonly-needed goods and services. Using these types of acquisitions can provide an agency with improved efficiency and convenience through a streamlined procurement process. However, interagency agreements must be effectively managed. In 2005, the Government Accountability Office designated the management of interagency contracting as a high-risk area. Also, a recent risk assessment survey of the SEC’s contracting activities identified a number of potential risk areas that could affect the management of its interagency agreements.
We are finalizing our audit to assess whether the SEC obtains, manages, and closes interagency agreements and acquisitions in accordance with applicable requirements. We expect to issue the audit report shortly.
Audit of the SEC’s Information Technology Investment Process
We have also commenced an audit of the SEC’s approval process for major IT investments. The audit will examine whether procedures exist to ensure that major IT investments are properly approved by the appropriate IT boards as outlined in the SEC’s Capital Planning and Investment Control (CPIC) bylaws. We will determine whether the CPIC structures, approval processes and procedures adhere to governing Commission policy and applicable federal laws and regulations. We will further assess whether major IT investment projects are properly approved by the appropriate agency committees or boards.
The OIG will also survey the SEC’s offices and divisions to assess whether all major IT investments are properly controlled throughout the agency.
2009 Federal Information Security Management Act Assessment
The OIG has contracted with the Command, Control, Communications, Collaborate, Combat and Intelligence Corporation (C5i) to perform an independent review of the SEC’s information technology systems. C5i will independently evaluate and report on how the SEC has implemented its mandated information security requirements regarding the following components:
- Security management structure;
- Risk management process;
- System security plans;
- Certification and accreditation process;
- Computer incident response capability;
- Contingency planning process and procedures;
- Security awareness environment;
- Life-cycle management of security and management of personnel security; and
- Privacy.
C5i will also conduct an assessment of two major SEC security programs, encryption and privacy, and determine whether the programs meet the Office of Management and Budget’s and the National Institute of Standards and Technology’s requirements.

