This is the accessible text file for GAO report number GAO-13-274R entitled 'Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures' which was released on April 5, 2013.

GAO-13-274R:

United States Government Accountability Office:
Washington, DC 20548:

April 4, 2013:

The Honorable Elisse B. Walter:
Chairman:
U.S. Securities and Exchange Commission:

Subject: Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures:

Dear Ms. Walter:

On November 15, 2012, we issued our report containing our opinion on the U.S.
Securities and Exchange Commission's (SEC) and its Investor Protection Fund's (IPF)[Footnote 1] fiscal years 2012 and 2011 financial statements.[Footnote 2] Our November 2012 report also included (1) our opinion on the effectiveness of SEC's internal control over financial reporting as of September 30, 2012, and our evaluation of SEC's compliance with selected provisions of laws and regulations during fiscal year 2012,[Footnote 3] and (2) the two significant deficiencies[Footnote 4] we identified in SEC's internal control over financial reporting on its budgetary resources and property and equipment.

The purpose of this report is to (1) present additional information regarding the significant deficiencies we identified in our November 2012 report on the results of our SEC financial audit,[Footnote 5] along with related new recommendations; (2) communicate other less significant control deficiencies we identified in SEC's internal controls during our fiscal year 2012 audit along with our related recommended corrective actions; and (3) provide an overview of the status of our prior recommendations reported as new or open in our April 13, 2012, SEC management report.[Footnote 6]

Results in Brief:

Our audit of SEC's fiscal years 2012 and 2011 financial statements identified two areas of deficiency in SEC's internal control as of September 30, 2012, that we determined represented significant deficiencies. Specifically, as briefly discussed in our November 2012 audit report,[Footnote 7] we determined that the aggregation of both continuing and new deficiencies in SEC's financial reporting controls over (1) budgetary resources and (2) property and equipment transactions each constituted significant deficiencies as of September 30, 2012. These significant control deficiencies may adversely affect the accuracy and completeness of information used and reported by SEC's management.
We are making a total of nine new recommendations to address these significant internal control deficiencies.

In addition to the two significant deficiencies, our fiscal year 2012 financial audit identified other deficiencies in SEC's internal control over financial reporting that while we did not consider them to be material weaknesses or significant deficiencies, nonetheless warrant SEC management's attention. We are making a total of nine recommendations to address these deficiencies in SEC's controls over financial reporting related to:

* review and monitoring of disgorgement and penalty transactions,[Footnote 8]

* supervisory review and monitoring procedures over manual journal entries,

* the accounts payable accrual methodology, and

* information security.

Further, our follow-up on the status of internal control recommendations we made in our prior audits found that SEC took action to fully address 25 of our 47 prior years' recommendations.[Footnote 9] Enclosure I provides summary information on the status of SEC's actions to address the recommendations reported as open from our prior audits as of the conclusion of our fiscal year 2012 audit.

In commenting on a draft of this report, SEC acknowledged that the report contained helpful recommendations. Further, SEC stated that continued improvement in the agency's internal control structure, particularly in the two significant deficiency areas, budgetary resources and property and equipment transactions, is a top priority, and cited a number of related remediating efforts under way. SEC's written comments are reprinted in enclosure II.

Scope and Methodology:

As part of our audit of SEC's fiscal years 2012 and 2011 financial statements, we evaluated SEC's internal control over financial reporting and tested its compliance with selected provisions of laws and regulations.
We designed our audit procedures to test relevant controls over financial reporting, including those designed to provide reasonable assurance that transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in conformity with U.S. generally accepted accounting principles (GAAP), and that assets are safeguarded against loss from unauthorized acquisition, use, or disposition. As part of our audit, we considered and evaluated the work performed and conclusions reached by SEC management in its internal control assessment.[Footnote 10] A full discussion of our scope and methodology is included in our November 2012 report on our audit of SEC's fiscal years 2012 and 2011 financial statements.[Footnote 11]

We conducted our audit of SEC's fiscal years 2012 and 2011 financial statements in accordance with U.S. generally accepted government auditing standards. We believe our audit provided a reasonable basis for our conclusions in this report.

Significant Deficiency over Budgetary Resources:

As part of its strategy intended to address previously reported significant internal control deficiencies over financial accounting and reporting, in April 2012, SEC migrated its core financial system operations to a shared service provider. However, its financial system operations' migration did not address many control deficiencies that we have identified and reported in previous years. For example, these efforts did not address previously identified deficiencies in SEC's general ledger capabilities for recording obligations and deobligation transactions.
Further, we identified new control deficiencies during our fiscal year 2012 audit related to SEC's monitoring controls over the service provider's core financial system operations, including those related to budgetary accounting and reporting activities.[Footnote 12] We concluded that in the aggregate, these continuing and new control deficiencies in (1) monitoring and reviewing recorded downward adjustment transactions[Footnote 13] and (2) reconciling subsidiary ledger and related general ledger accounts for unobligated budget authority constituted a significant deficiency in SEC's controls over financial reporting on budgetary resources.[Footnote 14] These deficiencies resulted in misstatements in SEC's accounting records, which, while sufficiently addressed such that they did not materially affect SEC's fiscal year 2012 financial statements, could affect the reliability of information reported in future Statements of Budgetary Resources (SBR).

Recording of Downward Adjustment Transactions:

During our fiscal year 2012 audit, we found continuing internal control deficiencies regarding SEC's recording of its downward adjustment transactions. Further, SEC did not establish required control procedures for monitoring its service provider's capability for recording downward adjustment transactions to SEC's prior year obligations before the migration of its core financial systems to its service provider. As a result, SEC did not detect, prior to the migration, that the service provider's financial system could not properly and timely record downward adjustments.
Specifically, SEC's service provider's financial system did not have the capability to record downward adjustment transactions to SEC's prior year obligated balances as these occurred, and in accordance with Department of the Treasury (Treasury) and Office of Management and Budget (OMB) accounting guidance for federal agencies.[Footnote 15] Federal accounting guidance provides that (1) the deobligations of prior year obligations are to be separately accounted for as downward adjustments to an entity's prior year obligated balances and (2) they are to be reported in the SBR as recoveries from prior year obligations. Instead, the service provider's accounting system incorrectly accounted for all deobligation transactions as a direct reduction of SEC's obligation balance. This resulted in misstatements of balances reported in SEC's SBR for recoveries of prior year unpaid obligations and obligations incurred, which were not corrected until SEC developed a compensating practice for adjusting and correcting erroneous deobligation transactions recorded by its service provider in September 2012.

As of the conclusion of our audit, SEC had not documented its monthly compensating control practices for monitoring the validity and accuracy of its service provider's recording of downward adjustment transactions to prior year obligations to ensure that any errors are timely detected and corrected through SEC adjusting entries. We also found that SEC's undocumented compensating control practices did not require obtaining and retaining proper documentation supporting certain downward adjustment transactions. For example, our test of 45 randomly selected transactions found an instance in which a downward adjustment transaction was recorded without proper supporting documentation.
In response to our inquiry regarding SEC's lack of a requirement for documenting recorded downward adjustments, SEC management issued a directive on September 12, 2012, that required responsible SEC personnel to prepare and maintain documentation for downward adjustment transactions. Further, because SEC had not yet established documented compensating monitoring controls for fiscal year 2012, these controls were not considered as part of SEC's annual risk assessment process[Footnote 16] during fiscal year 2012.

Standards for Internal Control in the Federal Government[Footnote 17] provides that transactions should be promptly recorded to maintain their relevance and value to management in controlling operations and making decisions. In addition, it states that internal control should be clearly documented in management directives, administrative policies, or operating manuals. Without procedures that are fully documented and tested as part of the risk assessment process, SEC management is not assured that procedures are designed and operating effectively and SEC is at increased risk of misstating downward adjustments and related activities in its SBR.

Recommendations for Executive Action:

To address the deficiencies in internal control over the financial reporting related to budgetary resources, we recommend that the Chairman direct the Chief Operating Officer (COO) and Chief Financial Officer (CFO) to take the following specific actions:

1. Finalize procedures requiring monitoring of SEC's service provider's accounting and reporting on budgetary resources to include required steps and documentation requirements for monthly review of the propriety and accuracy of downward adjustment transactions to identify and process any necessary adjusting entries.

2. As part of the annual risk assessment process, include required steps for assessing SEC's monitoring controls to identify, document, and record any downward adjustment transactions to SEC's prior year obligations in the general ledger.

Reconciling General Ledger Unobligated Balances to Subsidiary Records:

During our fiscal year 2012 audit, we found that SEC's budget execution module (subsidiary ledger) for apportioned but unobligated balances differed from the related general ledger account balance. Specifically, we found that while SEC's subsidiary ledger reflected the correct amount for apportioned budget authority available for obligation, the related general ledger account balance incorrectly included erroneous manual journal adjustments to SEC's apportioned but unobligated balance. As a result, available unobligated balance reported in SEC's SBR at June 30, 2012, which is prepared from its general ledger, was understated by over $42 million. These errors were not detected because SEC did not require routine, such as monthly, reconciliation of its budget execution module and the related general ledger account balances.

Standards for Internal Control in the Federal Government provides that internal control activities include a wide range of diverse control activities that management should establish, such as approvals, reconciliations, authorizations, and verifications, to ensure that all transactions are completely and accurately recorded. Without such reconciliation controls, SEC is at increased risk that its SBR may be misstated.

Recommendation for Executive Action:

To address the deficiency in internal control over accounting and financial reporting for apportioned but unobligated balances, we recommend that the Chairman direct the COO and CFO to take the following specific action:

3. Develop and implement control procedures to monthly reconcile the budget execution module (subsidiary ledger) to the related general ledger account balances for SEC's apportioned but unobligated balances.

Significant Deficiency over Accounting for Property and Equipment:

Our fiscal year 2012 audit identified continuing and new deficiencies related to SEC's controls over recording its property and equipment transactions in the general ledger. New deficiencies identified in fiscal year 2012 related to SEC's controls over (1) monitoring property and equipment transactions processed by its shared service provider and (2) physical inventory counts for its capitalized assets, to ensure that all capitalized assets were counted and that the results of the physical count were properly reflected in its financial statements. We concluded that taken together, these continuing and new deficiencies in SEC's accounting controls over property and equipment represented a significant deficiency. While these deficiencies did not materially affect SEC's fiscal year 2012 reporting on its property and equipment, until these deficiencies are corrected, SEC remains at risk of misstatements in its property and equipment reporting and possible theft or misuse of its assets.

Recording of Property and Equipment Transactions:

Our audit of SEC's fiscal year 2012 financial statements found that SEC did not have effective controls to consistently ensure timely and accurate recording of its property and equipment transactions. For example, we found the following:

* SEC did not have procedures in place to ensure that assets were properly and timely capitalized in the year received. As a result, we found that SEC did not capitalize over $5 million in equipment received and placed into service in fiscal year 2011 until fiscal year 2012.
Further, once these assets were capitalized in fiscal year 2012, SEC did not consider the effect of this misstatement in its analysis for evaluating the effect of prior year misstatements in the current year financial statements until after we notified SEC of the omission. The lack of control procedures to ensure that assets are properly capitalized increased SEC's risk that its property and equipment balances may be misstated. Further, ineffective procedures over adjustments that affect prior periods increased SEC's risk of not appropriately considering whether the cumulative effect of all property transaction misstatements identified in the current year would require revision to prior year or current year financial statements.

* SEC did not have procedures requiring the assessment of new asset acquisition costs against established capitalization criteria, including validating the propriety of the budget object classification (BOC) code that was associated with the obligation at the time it was recorded, prior to recording the asset entry. Specifically, under SEC's procedures, the acquisition costs assigned to an asset depend on the linkage between invoiced costs and the related obligation for purchases of capital assets, as identified by the obligation's BOC. As we have reported in the past, correct BOCs were not always entered at the time of obligation.[Footnote 18] Therefore, when goods and services were received, it was necessary for SEC to examine supporting documentation to determine if the BOCs used at the time the obligations were initially recorded were accurate and make adjustments, as needed, to the applicable BOCs. During our 2012 audit, we found that the capitalized value of several assets included noncapitalizable costs, such as maintenance and service costs, which were inappropriately recorded to capitalizable BOCs at the time of obligation. SEC corrected these errors with manual adjustments in fiscal year 2012.
However, the ongoing deficiencies related to the recording of its obligation documents for property and equipment acquisitions and the lack of control procedures to ensure that acquisition costs are appropriate place SEC at increased risk that its future property and equipment balances may be misstated.

Standards for Internal Control in the Federal Government provides that management should establish specific control activities to ensure that all transactions are completely and accurately recorded.

Recommendations for Executive Action:

To address the deficiencies we identified in the recording of property and equipment transactions, we recommend that the Chairman direct the COO and CFO to take the following specific actions:

4. Develop and implement control procedures to review all property and equipment acquisition transactions to ensure that they are properly accounted for in the year-end financial statements.

5. Augment current procedures to require considering whether the cumulative effect of all misstatements of property transactions identified in the current year would require revision to prior year or current year financial statements.

6. Develop and implement control procedures to require the review of underlying invoices and obligation documents at the time of capitalization to ensure that recorded asset acquisition costs represent capitalizable costs.

Monitoring of Property and Equipment Transactions:

Our audit of SEC's fiscal year 2012 financial statements found that SEC did not develop monitoring procedures over property and equipment transactions recorded by its service provider at the time of its transition to the service provider's general ledger system. SEC implemented some of these controls before year-end; however, we continued to find deficiencies in the operating effectiveness of SEC's monitoring procedures for capitalized transactions in the fourth quarter.
Specifically, see the following:

* We identified numerous discrepancies between the acquisition and disposal transactions recorded in the financial reporting system maintained by the service provider and those included in the manual spreadsheet SEC used to monitor property and equipment transactions sent to its service provider for processing. These discrepancies occurred because SEC's manual spreadsheet was incomplete. Specifically, the spreadsheet, which was maintained by SEC's Office of Information Technology's Asset Management Branch, only included transactions that were submitted to the service provider for processing by that branch, but excluded transactions submitted by other SEC offices. As a result, other property and equipment transactions recorded by SEC's service provider, such as acquisitions or disposals of software or leasehold improvements, were not being effectively monitored. Ineffective SEC monitoring controls over property and equipment transactions processed by its service provider placed SEC at increased risk that its property and equipment balances may be misstated in the financial statements.

* SEC did not have documented procedures for monitoring the calculation and recording of depreciation and related transactions in the general ledger by its service provider. SEC began developing monitoring procedures in September 2012. However, these procedures were not fully documented during fiscal year 2012. The lack of documented procedures for monitoring the service provider's calculation and recording of depreciation and related transactions in the general ledger placed SEC at increased risk that any errors in the recording of depreciation and related transactions may not be timely detected and corrected.

Standards for Internal Control in the Federal Government provides that management should establish specific control activities, including monitoring controls, to ensure that all transactions are completely and accurately recorded.
Recommendations for Executive Action:

To address the deficiencies we identified in the monitoring of property and equipment transactions, we recommend that the Chairman direct the COO and CFO to take the following specific actions:

7. Augment SEC's service provider monitoring spreadsheet to include all property and equipment acquisition and disposal transactions from all SEC offices.

8. Finalize procedures documenting the required steps to be followed for monitoring the service provider's calculation and recording of property and equipment, depreciation, and related transactions in the general ledger.

Procedures for Annual Property and Equipment Physical Inventory Count:

SEC's procedures for conducting its annual physical inventory count did not include specific steps to be followed to ensure that all capitalized assets were counted and that the results of the physical count were properly reflected in SEC's financial statements. Specifically, through our review of SEC's fiscal year 2012 physical inventory count, we found that SEC's procedures did not require the following:

* Reconciling the property and equipment report used for the inventory count to the related general ledger balance; therefore, there was no assurance that all capitalized property and equipment assets were included in the count.

* Reconciling the responses received from all divisions and offices to the items included in the property and equipment report used for the inventory count; therefore, there was no assurance that all capitalized property and equipment assets included in the report were counted.

* Assessing the extent of any financial statement impact as a result of any missing, obsolete, surplused, or additional capitalizable assets identified during the count; therefore, there was no assurance that the results of the physical count were timely and properly reflected in SEC's financial statements.
Statement of Federal Financial Accounting Standards (SFFAS) 6, Accounting for Property, Plant, and Equipment, sets the accounting requirements for federally owned property, plant, and equipment. A federal agency's compliance with these requirements depends on complete and accurate records of the cost and disposition of the capital assets for which a federal agency is responsible. Further, Standards for Internal Control in the Federal Government states that management should establish specific control activities to ensure that all transactions are completely and accurately recorded. The lack of controls for ensuring the completeness of the inventory count and resulting entries during fiscal year 2012 placed SEC at increased risk of (1) inaccurately reporting its capitalizable assets and misstating certain of its financial statements and (2) loss from theft or misuse due to lack of effective inventory controls.

Recommendation for Executive Action:

To address the deficiencies we identified in SEC's procedures for conducting its annual property and equipment physical inventory count, we recommend that the Chairman direct the COO and CFO to take the following specific action:

9. Revise control procedures for conducting the annual physical inventory count of property and equipment to include specific steps required to:

* reconcile capitalized property and equipment to be counted with related general ledger balances,

* reconcile division and office responses to the items listed in the property and equipment report used for the physical count, and

* assess and appropriately reflect any financial statement impact of any issues identified during the physical count.
Other Less Significant Deficiencies:

In addition to the significant deficiencies in internal control over financial reporting related to SEC's budgetary resources and property and equipment, we identified other deficiencies in SEC's internal control that while not representing material weaknesses or significant deficiencies either individually or collectively, nonetheless warrant management's attention. These control deficiencies concerned (1) review and monitoring of disgorgement and penalty transactions, (2) supervisory review and monitoring procedures over manual journal entries, (3) accounts payable accrual methodology, and (4) information security.

Recording, Review, and Monitoring of Disgorgement and Penalty Transactions:

As part of its enforcement responsibilities, SEC issues orders and administers judgments imposing disgorgement and civil monetary penalties on violators of federal securities laws and requiring payment of related interest. SEC is responsible for the collection of disgorgement and penalties, and recognizes a receivable when an order directs payment to the SEC or Treasury.[Footnote 19] SEC is also party to court orders directing violators of federal securities laws to pay amounts assessed to a federal court or to a nonfederal receiver acting on behalf of harmed investors. These orders are not recognized as accounts receivable by SEC or reported in its financial statements because the debts are payable to, and collected by, another party. SEC distributes collected disgorgements and penalties to harmed investors in accordance with court orders and judgments.

Our audit identified deficiencies in SEC's procedures for recording and reviewing disgorgement and penalty transactions, including (1) inadequate segregation of incompatible responsibilities and (2) ineffective review and monitoring of disgorgement and penalty transactions.
Specifically, we found that SEC procedures did not prohibit an individual who could match electronic collections to corresponding existing accounts receivables from also reviewing and approving recorded collections.[Footnote 20] According to Standards for Internal Control in the Federal Government, key duties and responsibilities should be divided or segregated among different individuals to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing, processing and recording, and reviewing transactions and handling any related assets. Inadequate segregation of responsibility for closely related duties of processing and reviewing transactions increases the risk that an individual could both create and conceal an error or irregularity in SEC's collections and accounts receivable balance.

During our audit, we also found that SEC did not have effective review and monitoring procedures for disgorgement and penalty transactions. Specifically, see the following:

* SEC did not require that reviews be performed to ensure that disbursements of disgorgement and penalty collections to harmed investors were made for the correct amounts and to the correct payees. SEC uses Treasury's electronic funds transfer system to process these disbursements, and SEC's review procedures over disbursements to harmed investors included a required review of summary disbursement data after the payments were processed by Treasury and recorded in SEC's general ledger by its service provider. However, SEC's review procedures did not include requiring verification that individual disbursements were made for the correct amounts and to the correct payees.

* SEC did not have procedures requiring the timely review of disgorgement and penalty collections to determine whether they were owed to SEC or to another party. SEC may receive money related to court orders that direct payment be made to a federal court or nonfederal receiver, not to SEC or Treasury.
In these cases, the collections should not be applied to an SEC accounts receivable, but are instead to be transferred to the Treasury general fund or to a court or receiver. Further, SEC may receive collections without accompanying documentation that clearly identifies to which court order or judgment the collection relates. Without procedures that require the review and analysis of all collections, SEC cannot determine whether collections should be applied to a corresponding debt or transferred to another entity or to Treasury. This increases the risk that SEC's receivable balance and its amount due to the U.S. Treasury and other courts and receivers will be misstated.

SEC's monitoring procedures for accounts receivable transactions recorded in the general ledger did not require the review of all transactions affecting the balance of accounts receivables. While the procedures provided for daily review of original receivable transactions recorded in the general ledger, the procedures did not require review of all types of accounting entries that could affect the disgorgement and penalty accounts receivable balance, such as correcting entries. We found that SEC's accounts receivable balance was understated by over $1.8 million at September 30, 2012, as a result of an erroneous correcting accounting entry that was not included in SEC's review.

Standards for Internal Control in the Federal Government provides that transactions should be promptly recorded to maintain their relevance in controlling operations and making decisions and that controls should be in place to provide reasonable assurance that financial transactions are accurately recorded. Without establishing effective recording, reviewing, and monitoring procedures over disgorgement and penalty transactions, SEC is at increased risk that the transactions will not be properly recorded and reported or that any errors will not be detected and corrected timely.
Recommendations for Executive Action:

We recommend that the Chairman direct the COO and CFO to take the following specific actions:

10. Revise existing collection procedures to provide for segregating incompatible responsibilities, including prohibiting an individual from both processing and reviewing electronic collections transactions.

11. Revise existing procedures for review of disbursements transactions to include specifically required steps for verification of individual disbursements processed by Treasury to ensure that these disbursements were made for the correct amounts and to the correct payees.

12. Develop and implement control procedures to include specific steps for the review, classification, and disposition of collections in order to properly apply collections to an SEC accounts receivable or transfer collections to either another entity or to Treasury.

13. Revise existing procedures for the monitoring of accounts receivable transactions recorded in the general ledger to specifically require review of all types of accounting entries that could affect the accounts receivable balance, including correcting entries.

Supervisory Review and Monitoring Procedures over Manual Journal Entries:

During our fiscal year 2012 audit, we found that controls over SEC's supervisory review process for nonrecurring manual journal voucher adjustment entries (JV)[Footnote 21] were not operating effectively. Further, we found that SEC's monitoring procedures for reviewing JVs processed by its service provider were also not effective.

SEC's procedures provide that all nonrecurring manual JVs must be reviewed by an SEC accountant to, among other things, confirm that the posting model used in the entry is complete and correct.[Footnote 22] Further, each manual JV must also be approved by the responsible SEC branch chief prior to submission of the JV adjustment forms to SEC's service provider for processing into SEC's general ledger.
After processing, the preparer is required to compare the recorded JV to the manually approved JV form to ensure consistency. Based on the results of our testing of nonrecurring manual JV transactions recorded during the year, we determined that these review and monitoring control procedures were either not performed or, if performed, were not performed effectively. Specifically, our tests identified several instances in which SEC's controls for review of manual JVs did not prevent or timely detect and correct errors made by SEC personnel or SEC's service provider. For example: * SEC erroneously recorded a $141 million manual JV for deobligation of prior year obligations related to canceled lease obligations as a direct reduction to its obligated balance rather than accounting for these transactions as recoveries from the deobligation of prior year obligations, as required by GAAP. As a result, SEC's recoveries from prior year obligations were understated by this amount in its SBR at June 30, 2012. SEC identified and corrected this error during the fourth quarter of fiscal year 2012. * SEC erroneously understated its available unobligated balance reported in its SBR at June 30, 2012, by over $42 million, and its unobligated balance unavailable was overstated by the same amount.[Footnote 23] We found that these reporting errors resulted from three manual JVs that erroneously included a reduction to allotments rather than a reduction to unapportioned authority. We informed SEC of this error, which SEC corrected during the fourth quarter of fiscal year 2012. * SEC erroneously posted a manual JV to its Fund Balance with Treasury general ledger account, which resulted in a $2.4 million misstatement of SEC's Fund Balance with Treasury account at June 30, 2012. SEC corrected this error during the fourth quarter of fiscal year 2012. 
* In two instances, SEC's service provider did not record the manual JV transactions in the general ledger in accordance with the approved adjustment form. These errors resulted in misstatements in SEC's monthly financial statements and were not corrected until the subsequent fiscal month.

Standards for Internal Control in the Federal Government provides that internal control activities include a wide range of diverse control activities that management should establish, such as approvals, reconciliations, authorizations, and verifications, to ensure that all transactions are completely and accurately recorded. Without effective review procedures over manual journal entries, SEC will continue to be at risk of misstatements in its financial statements.

Recommendations for Executive Action:

We recommend that the Chairman direct the COO and CFO to take the following specific actions:

14. Establish a mechanism to ensure that existing supervisory review procedures over manual JV transactions are followed to ensure that all manual JVs are properly prepared and accurately and timely recorded. These procedures could include sending periodic reminders to JV reviewers emphasizing existing procedures and the importance of adhering to them.

15. Establish a mechanism to ensure that procedures for reviewing JVs processed by SEC's service provider are followed to ensure that all manual JVs are recorded in the general ledger in accordance with the JV forms approved by SEC management.

Accounts Payable Accrual Methodology:

During our fiscal year 2012 audit, we found that SEC did not have controls to (1) appropriately assess the reasonableness of certain portions of its quarterly accrual for accounts payable amounts reported in its financial statements[Footnote 24] and (2) ensure that the accounts payable accrual process appropriately considered obligations that were primarily for purchases of capital assets.
We found that SEC's quarterly assessment[Footnote 25] of the accounts payable accrual amounts it reported in its fiscal year 2012 financial statements was inadequate.[Footnote 26] Specifically, variances identified from SEC's quarterly assessment were not statistically projectable to the population of open obligations used for estimating the accrual amounts for certain accounts payable amounts reported in the financial statements. To assess the ongoing relevance of assumptions used in its accounts payable accrual methodology, SEC procedures require quarterly reviews of accounts payable amounts previously accrued against invoices received in subsequent periods. SEC's procedures involved performing this review for a random selection of individual accounts payable accruals. However, we found that as implemented, the random selection did not include monetary considerations; consequently, the results of SEC's review were not statistically projectable to the population of open obligations used for estimating the accrual amounts for certain accounts payable amounts reported in the financial statements. As a result, SEC did not have the relevant information needed to determine whether the variances derived from its review were, in aggregate, acceptable. Standards for Internal Control in the Federal Government states that activities need to be established to monitor performance measures and indicators. These controls could call for comparisons and assessments relating different sets of data to one another so that analyses of the relationships can be made and appropriate actions taken. Controls should also be in place to validate the propriety and integrity of these measures and indicators. Without appropriate procedures for validating ongoing relevance of its accounts payable accrual methodology, SEC is at increased risk that its accounts payable balance may be misstated. 
We also found that SEC did not have controls to ensure that its accounts payable accrual process appropriately excluded estimates derived from obligations that were primarily for purchases of capital assets. Specifically, we found that SEC's procedures for calculating its accounts payable accrual estimate considered all of its undelivered open obligations, but did not distinguish those obligations that were primarily for purchases of capital assets. As a result, SEC's third and fourth quarter financial statements were misstated for accounts payable accrual estimates that inappropriately estimated and recorded expenses for certain obligations that were primarily for purchases of capital assets.[Footnote 27] Standards for Internal Control in the Federal Government provides that internal control activities include a wide range of diverse control activities that management should establish, such as approvals, reconciliations, authorizations, and verifications, to ensure that all transactions are completely and accurately recorded. Without controls designed and implemented to ensure that its accounts payable accrual amount is properly calculated and recorded, SEC is at increased risk of inaccurately reporting these and related activities in its financial statements. Recommendations for Executive Action: We recommend that the Chairman direct the COO and CFO to take the following specific actions: 16. Revise SEC's procedures for evaluating the ongoing reasonableness of its account payable accrual methodology to include steps to ensure that the results of reviews will be projectable to the population and any variances derived from its review, in aggregate, are acceptable for financial reporting purposes. 17. Revise the accounts payable accrual methodology to specify required steps for properly considering obligation amounts for capitalized assets. 
Information Security:

Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business and is especially important for government agencies, where maintaining the public's trust is essential. Without proper safeguards, systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain or manipulate sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks.

To support its financial operations and store the sensitive information it collects, SEC relies extensively on computerized systems interconnected by local- and wide-area networks. For example, to process and track financial transactions, such as filing fees paid by corporations or disgorgements and penalties from enforcement activities, SEC relies on several enterprise database applications, including (1) EDGAR, which performs the automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others that are required to file certain information with SEC, and (2) EDGAR/Fee Momentum, a subsystem of EDGAR that maintains accounting information pertaining to fees received from registrants. In addition, SEC relies on a general support system[Footnote 28] network that allows users to communicate with the database applications.

At the conclusion of our fiscal year 2011 audit, we reported a significant deficiency in SEC's information security. SEC's strategy for addressing its significant internal control deficiencies in financial reporting included migrating its core financial system to an external service provider. At the conclusion of our fiscal year 2012 audit, we determined that SEC had successfully managed the migration of financial data to an external service provider, implemented certain security management procedures for its financial systems, and remediated 18 of 21 information security control weaknesses identified in previous audits that remained open as of our separate April 13, 2012, report to SEC. However, despite this progress, we identified new weaknesses in information security controls that while not considered material weaknesses or significant deficiencies individually or collectively, nonetheless warrant SEC management's attention.

The new weaknesses in information security controls we identified in fiscal year 2012 relate to (1) inadequate access controls over financial systems operated by SEC and resources concerning user identification and authentication, authorization, and audit and monitoring and (2) inconsistent deployment of patches, which could jeopardize the data integrity and confidentiality of SEC's financial information. These new weaknesses did not affect SEC's core financial management system, which, as previously discussed, was migrated to an external service provider in fiscal year 2012.

A basic management objective for any organization is the protection of its information systems and critical data from unauthorized access. To accomplish this objective, organizations are to design and implement controls to prevent, limit, and detect access to resources. These controls include identification and authentication, user authorization, and audit and logging of system activities. A computer system needs to be able to identify and authenticate each user to establish effective accountability for activities on the system. In this regard, SEC information security policies require establishment of access controls over its information systems and critical data to prevent unauthorized access. Further, SEC policy requires that each user or process be assigned only those privileges or functions needed to perform authorized tasks.

However, our fiscal year 2012 audit found that SEC's controls did not always protect its information systems and critical data from unauthorized access, specifically with respect to SEC's general support and other financial systems operated by SEC. For example, SEC controls were not fully effective in preventing one remote host from establishing connections to servers without requiring a log-in and password. SEC's controls were also not fully effective in establishing strong passwords for access to several network infrastructure devices. In addition, SEC did not disable network accounts of several separated employees and contractors, and an employee had access to a key financial application without authorization. Although SEC had designed controls and procedures consistent with its policy, these were not consistently implemented, which hindered the effective operation of these controls.

In addition, to establish individual accountability, monitor compliance with security policies, and investigate security violations, organizations need to determine what, when, and by whom specific actions have been taken on a system. Organizations accomplish this by implementing system or security software that provides an audit trail--a log of system activity--that they can use to determine the source of a transaction or attempted transaction and to monitor users' activities. However, our fiscal year 2012 audit found that SEC's controls did not enable auditing and monitoring of security-relevant events on one server that supported a financial application. These control deficiencies increased the risk that individuals may gain unauthorized access to SEC resources and may jeopardize the data integrity and confidentiality of SEC's financial data. SEC had designed controls and procedures relative to auditing and monitoring; however, these were not consistently implemented, which hindered the effective operation of these controls.

Patch management, a component of configuration management, is an important element in mitigating the risks associated with software vulnerabilities. When a software vulnerability is discovered, the software vendor may develop and distribute a patch, or work-around, to mitigate the vulnerability. Without the patch, an attacker may be able to exploit a software vulnerability to read, modify, or delete sensitive information; disrupt operations; or launch attacks against systems at another organization. SEC policy requires remediation efforts, such as patching, to be implemented within 7 days or less for those vulnerabilities deemed to be high risk or critical. However, our fiscal year 2012 audit found that SEC did not consistently deploy high-risk patches on financial application servers, which rendered them susceptible to remote and denial-of-service attacks.[Footnote 29] SEC had designed controls and procedures consistent with its policy; however, these were not consistently implemented, which hindered the effective operation of these controls. Failing to apply high-risk patches increases the risk of exposing SEC's systems to vulnerabilities that could be exploited.

Recommendations for Executive Action:

We recommend that the Chairman direct the COO and Chief Information Officer to take the following specific action:

18. Augment control procedures over SEC's information security to include specific steps for:

* configuring SEC's remote host and network infrastructure devices to require the use of strong passwords;

* disabling access of all contractors and employees to SEC's networks or financial applications upon separation from SEC;

* monitoring compliance with information security policies, such as by enabling audit and monitoring of software on servers that support financial applications; and

* mitigating software vulnerabilities, for example, by requiring installation (or deployment) of high-risk patches, consistent with SEC policy.

Overview of the Status of Prior Audit Recommendations:

During our audit of SEC's fiscal year 2012 financial statements, we found that SEC took action to address many of the recommendations from our prior audits. Specifically, as summarized in enclosure I, SEC took action to fully address 25 of the 47 recommendations reported as open in our April 13, 2012, management report on the results of our fiscal year 2011 audit.[Footnote 30] The 22 previously reported recommendations that remained open as of the end of our fiscal year 2012 financial statement audit relate to financial statement preparation and reporting, accounting for budgetary resources, disgorgement and penalties and investments, nonpayroll disbursement and accrual transactions, and property and equipment.

Agency Comments and Our Evaluation:

In her March 25, 2013, written comments on a draft of this report, the SEC Chairman acknowledged that the report contained helpful recommendations to strengthen SEC's internal control over financial reporting.
Further, the Chairman stated that SEC is committed to investing the time and resources to put its internal controls over financial reporting on a strong, sustainable path, and that continued improvement in the agency's internal control structure, particularly in the two significant deficiency areas, budgetary resources and property and equipment transactions, is a top priority. The Chairman also cited a number of efforts under way directed at remediating SEC's remaining deficiencies. We will evaluate SEC's actions, strategies, and plans for addressing these deficiencies as part of our fiscal year 2013 audit. SEC's written comments are reprinted in enclosure II. This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on the recommendations to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform not later than 60 days from the date of this report. A written statement also must be sent to the House and Senate Committees on Appropriations with your agency's first request for appropriations made more than 60 days after the date of this report. This report is intended for use by SEC management. We are sending copies of this report to the Chairmen and Ranking Members of the Senate Committee on Banking, Housing, and Urban Affairs; the Senate Committee on Homeland Security and Governmental Affairs; the House Committee on Financial Services; and the House Committee on Oversight and Government Reform. We are also sending copies to the Secretary of the Treasury, the Director of the Office of Management and Budget, and other interested parties. In addition, this report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov]. 
We acknowledge and appreciate the cooperation and assistance provided by SEC management and staff during our audit of SEC's fiscal years 2012 and 2011 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact James R. Dalkin at (202) 512-3133 or dalkinj@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff members who made key contributions to this report are listed in enclosure III. Sincerely yours, Signed by: James R. Dalkin: Director, Financial Management and Assurance: Signed by: Gregory C. Wilshusen: Director, Information Security Issues: Enclosures - 3: [End of section] Enclosure I: Status of Recommendations from Prior Audits Reported as Open in GAO's 2011 Management Report: Audit area: Information system security controls. 1. Establish and implement appropriate controls to mitigate any additional risks that were identified as a result of SEC's reevaluation of existing automated information system security controls in light of the risks identified in SEC's October 2009 certification and accreditation procedures for the general ledger system and supporting processes; Year initially reported: 2010; Status of corrective action: Completed. 2. Establish configuration baselines and related guidance for securing systems and monitoring system configuration baseline implementation; Year initially reported: 2012; Status of corrective action: Completed. 3. Enhance the EDGAR security plan to document security requirements for the EDGAR/Fee Momentum subsystem; Year initially reported: 2012; Status of corrective action: Completed. 4. 
Develop and implement a comprehensive vulnerability management strategy that includes routine scanning of SEC's systems and evaluation of such scanning to provide for any needed corrective actions; Year initially reported: 2012; Status of corrective action: Completed. Audit area: Budgetary resources. 5. Reconfigure the general ledger system to produce reports necessary to both prepare the financial statements and support managing operations, such as a consolidated trial balance report and undelivered order aging report, respectively, on an ongoing basis; Year initially reported: 2010; Status of corrective action: Completed. 6. Correct general ledger system configurations to properly account for upward and downward adjustments of prior years' undelivered orders in accordance with the U.S. Standard General Ledger; Year initially reported: 2008; Status of corrective action: In progress. 7. Establish and implement controls to ensure that SEC staff adheres to existing policies and procedures to prevent violations of the recording statute; Year initially reported: 2008; Status of corrective action: Completed. 8. Develop and implement reconciliation, validation, and analytical procedures to ensure the reliability of the Open Obligations Review Reports used by the various SEC divisions and offices in their review of unliquidated obligations; Year initially reported: 2011; Status of corrective action: In progress. 9. Augment existing policies and procedures for recording obligations to include, at a minimum, (a) backup procedures for the recording of obligations in the event that responsible employees are unable to perform their assigned duties and (b) controls designed to ensure that SEC offices submit obligating documents to OFM for processing as obligations are incurred; Year initially reported: 2011; Status of corrective action: In progress. 10.
Develop and implement documented control procedures to ensure liquidation and/or deobligation of remaining travel obligations after the completion of the travel; Year initially reported: 2011; Status of corrective action: In progress. 11. Until such time that SEC is able to correct configuration limitations of its general ledger system, implement procedures to prepare and post correcting budgetary transactions prior to the close of the monthly accounting period; Year initially reported: 2011; Status of corrective action: In progress. 12. Augment existing policies and procedures to provide for supporting documentation for MOs consistent with applicable guidance provided in OMB Circular No. A-11; Year initially reported: 2011; Status of corrective action: Completed. 13. Develop and implement policies and procedures detailing the steps and documentation required to effectively control and monitor travel expenses paid through the central billing account (CBA), including steps required to ensure documented receipt of refunds or credits for travel/tickets that were previously paid for by SEC but subsequently canceled; Year initially reported: 2011; Status of corrective action: In progress. 14. Enhance current procedures for supervisory review to include required steps for ensuring (a) the accuracy and completeness of the obligation transaction and contract information prior to recording the obligation in the general ledger records and (b) timely recording of obligation transactions in the general ledger; Year initially reported: 2012; Status of corrective action: In progress. 15. Implement system controls to ensure that all applicable information (such as POP) is recorded in the financial system and can be associated with its obligation record; Year initially reported: 2012; Status of corrective action: In progress. 16. 
Implement system controls to provide for the review and approval of all obligation transactions and all related contract information by appropriate officials prior to posting the information in the general ledger records; Year initially reported: 2012; Status of corrective action: In progress. 17. Revise agency regulation SECR 14-1 to clearly delineate circumstances under which authority for obligating agency budgetary resources can be delegated to appropriate personnel other than the CO, compare current SOPs and BPPs with SECR 14-1, and make any necessary conforming changes; Year initially reported: 2012; Status of corrective action: In progress. 18. Develop and implement procedures for ongoing monitoring of open obligations for validity and timely closeout of any open obligations that are no longer valid. These should include (a) quarterly review of open obligations for ongoing validity based on end of POP or contract completion dates and (b) reconciling SEC's records of contract activity and balances with its key vendors, at least annually; Year initially reported: 2012; Status of corrective action: In progress. Audit area: Disgorgements and penalties and investments. 19. Develop and implement an automated solution that will eliminate the manual process of reentering disgorgement and penalties data from Phoenix into the general ledger system accounts receivable module; Year initially reported: 2010; Status of corrective action: Completed. 20. Reconfigure the disgorgements and penalty accounts receivable module to enable production of an accounts receivable aging report; Year initially reported: 2010; Status of corrective action: Completed. 21. Augment current procedures to require that Enforcement's reviews of disgorgement and penalty data in the case-management system be completed prior to closing the accounting period; Year initially reported: 2011; Status of corrective action: Completed. 22. 
Develop an oversight mechanism to ensure that disgorgement and penalty collections are processed and reported in accordance with existing SEC policies and procedures; Year initially reported: 2012; Status of corrective action: Completed. 23. Revise existing posting configurations to account for liability balances related to compounded postjudgment interest amounts in accordance with SEC policy; Year initially reported: 2012; Status of corrective action: In progress. 24. Revise existing procedures to account for amounts collected on behalf of other federal entities as intragovernmental liabilities; Year initially reported: 2012; Status of corrective action: Completed. 25. Augment existing policies and procedures for check collections to include specific required steps for handling amounts remitted to SEC field offices to ensure compliance with the Miscellaneous Receipts Statute and related Treasury regulation; Year initially reported: 2012; Status of corrective action: In progress. 26. Develop and implement an automated subledger that interfaces with the general ledger for investment and disgorgement and penalty liability transaction activity; Year initially reported: 2010; Status of corrective action: In progress. 27. Revise existing posting configurations to account for amounts disbursed from SEC's Deposit Suspense Liability accounts in accordance with the USSGL; Year initially reported: 2011; Status of corrective action: Completed. Audit area: Filing fees. 28. Allocate sufficient resources to fully resolve current registrations' deposits liability balances in accordance with SEC policy and with federal regulations; Year initially reported: 2010; Status of corrective action: Completed. Audit area: Financial reporting. 29. 
Establish and implement procedures for performing a comprehensive review of all posting configurations and recurring correcting journal entries to identify and address any additional departures from Treasury's prescribed posting models; Year initially reported: 2010; Status of corrective action: In progress. 30. Review current usage of Social Security numbers as a personal identifier for federal employees in agency systems and programs and establish and implement alternative procedures to eliminate any such usage; Year initially reported: 2010; Status of corrective action: Completed. 31. Develop and implement a standardized financial statement closing schedule with cutoff dates for key month-end accounting transactions that should be completed prior to the closing of an accounting period; Year initially reported: 2010; Status of corrective action: Completed. 32. Develop and implement a process for reliably preparing accurate pro forma financial statements and updating the notes that accompany financial statements prior to year-end, preferably with the third quarter reporting; Year initially reported: 2010; Status of corrective action: Completed. 33. Modify existing policy and procedures to require all employees to report labor hours using preset activity and project codes within the time and attendance system and establish and implement applicable controls to ensure compliance; Year initially reported: 2010; Status of corrective action: In progress. 34. Revise and implement procedures over the preparation of the statement of net cost to utilize actual data reported by employees on their biweekly time and attendance reports; Year initially reported: 2010; Status of corrective action: In progress. 35. Augment policies and procedures concerning supervisory review of key spreadsheets used for financial disclosures to provide assurance that calculations within the spreadsheets are accurate; Year initially reported: 2011; Status of corrective action: Completed. 36. 
Augment existing control procedures over the processing of JV transactions to provide assurance that JVs processed into the general ledger reflect transactions approved by management. Such procedures should provide for accurate JV transaction posting at the account, fund, organization, and budget object class levels; Year initially reported: 2011; Status of corrective action: Completed. 37. Document and implement quality assurance procedures over the preparation of the statement of net cost, including a procedure to compare the sum of all allocated costs to the total actual costs of the various organizations to ensure that all such costs are properly and fully allocated; Year initially reported: 2012; Status of corrective action: In progress. Audit area: Nonpayroll expenses. 38. Develop and implement control and verification procedures to ensure all of SEC's contingency and intragovernmental liability transactions comply with SEC's Accounts Payable Accrual As-Is Process documentation; Year initially reported: 2010; Status of corrective action: Completed. 39. Develop or update and implement policies and procedures for reconciling any SEC intragovernmental expense and payable amounts reported by GSA to internal SEC data records prior to recording an accrual in SEC's general ledger for financial statement reporting; Year initially reported: 2010; Status of corrective action: In progress. 40. Develop and implement procedures to provide for appropriately documented COTR review of all vendor invoices prior to payment in compliance with SEC regulation; Year initially reported: 2010; Status of corrective action: In progress. 41. Establish an oversight monitoring mechanism to ensure that periodic reviews of cardholder and AO accounts are being performed in accordance with Appendix B of OMB Circular No. A-123; Year initially reported: 2012; Status of corrective action: Completed. Audit area: Payroll. 42. 
As part of the risk assessment process, include steps for reviewing the SSAE No. 16 reports from all service organizations key to SEC's financial reporting control environment in time to allow appropriate actions to be taken before the end of the fiscal year to address any identified deficiencies in the design and operating effectiveness of service organization or user entity controls; Year initially reported: 2012; Status of corrective action: Completed. 43. Perform a review of roles within SEC's time and attendance system to ensure that all supervisors or managers designated as certifiers have an alternate responsible for reviewing the accuracy of time cards in their absence; Year initially reported: 2012; Status of corrective action: Completed. 44. Develop and implement monitoring procedures to ensure that responsible management officials submit POL within the 30-day SEC policy requirement; Year initially reported: 2012; Status of corrective action: Completed. 45. Develop procedures to provide for documented evidence of a certifying official's approval of leave and compensatory time before recording such transactions in the time and attendance system; Year initially reported: 2012; Status of corrective action: In progress. 46. Develop and implement monitoring procedures to ensure that all time and attendance sheets recorded and submitted on behalf of another employee are supported by documented input from either the employee or the employee's certifier and include a valid reason for why a designated timekeeper is submitting a time and attendance sheet on behalf of another employee; Year initially reported: 2012; Status of corrective action: Completed. Audit area: Property and equipment. 47. Establish and implement procedures to properly record property and equipment receipt transactions using capitalizable project and budget object class codes within the general ledger system; Year initially reported: 2010; Status of corrective action: In progress. 
Source: GAO analysis of SEC data. [End of table] [End of section] Enclosure II: Comments from the U.S. Securities and Exchange Commission: United States Securities and Exchange Commission: The Chairman: Washington, D.C. 20549: March 25, 2013: Mr. James R. Dalkin: Director: Financial Management and Assurance: United States Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Mr. Dalkin: Thank you for the opportunity to respond to the draft report entitled Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures (GAO-13-274R). The report contains a number of helpful recommendations to strengthen the SEC's internal controls over financial reporting. I am extremely pleased that the GAO found the SEC again had no material weaknesses in its financial controls audit for FY 2012. I am delighted that the SEC was able to maintain the effectiveness of its internal controls while successfully completing its transition to a Federal Shared Service Provider (FSSP) model, engaging with the Department of Transportation's Enterprise Service Center (ESC). As your draft report noted, our internal control structure continues to warrant additional improvements, particularly in the two significant deficiency areas of budgetary resources and property and equipment transactions. Continued improvement in these areas is a top priority of the SEC. While we have made significant strides in the SEC's multi-year path towards a strong, sustainable internal control posture, the agency will continue to dedicate its energy towards remediating our remaining deficiencies. 
These efforts include: * Strengthening our process for de-obligating funds from completed contracts, and ensuring we incorporate appropriate accounting adjustments for these amounts; * Improving controls over the review of property transactions and formalizing the process for conducting the physical inventory of property and equipment; * Further enhancing the policies and procedures around accounting for disgorgement, post-judgment interest, and penalty transactions; * Enhancing controls around the review and monitoring of manual journal entries; and * Augmenting control procedures over SEC's information security. The SEC is committed to investing the time and resources to put its internal controls over financial reporting on a strong, sustainable path. I look forward to continuing to work with you in the coming months as this effort unfolds. If you have any questions, please do not hesitate to contact Kenneth A. Johnson, the SEC's Chief Financial Officer, at (202) 551-4306. Sincerely, Signed by: Elisse B. Walter: Chairman: [End of section] Enclosure III: GAO Contacts and Staff Acknowledgments: GAO Contacts: James R. Dalkin, (202) 512-3133 or dalkinj@gao.gov: Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: Staff Acknowledgments: In addition to the contacts named above, the following individuals made key contributions to this report: Kristen A. Kociolek (Lead Assistant Director), Michael W. Gilmore, Meafelia P. Gusukuma, Eric Holbrook, Duc Ngo, David E. Ramirez, Rebecca Riklin, and Henry I. Sutanto. [End of section] Footnotes: [1] IPF was established in 2010 to fund the activities of SEC's whistleblower award program and the SEC Office of Inspector General's suggestion program for SEC employees. Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 922(a), 124 Stat. 1376, 1844 (2010) (codified at 15 U.S.C. § 78u-6(g)(2)). 
IPF is a separate fund within SEC and its financial statements present a segment of SEC financial activity. Accordingly, IPF's financial transactions are also included in SEC's financial statements. However, the significant deficiencies discussed in our audit report [hyperlink, http://www.gao.gov/products/GAO-13-122R] pertain to SEC's financial reporting but not that of IPF because of the nature of IPF's financial transactions during fiscal year 2012. [2] GAO, Financial Audit: Securities and Exchange Commission Fiscal Years 2012 and 2011 Financial Statements, [hyperlink, http://www.gao.gov/products/GAO-13-122R] (Washington, D.C.: Nov. 15, 2012). [3] [hyperlink, http://www.gao.gov/products/GAO-13-122R]. [4] A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. In contrast, a material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented or detected and corrected on a timely basis. A control deficiency exists when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent or detect and correct misstatements on a timely basis. [5] See enclosure I for the list of open recommendations relating to continuing control deficiencies that contributed to the significant deficiencies over financial reporting discussed in our audit opinion report, [hyperlink, http://www.gao.gov/products/GAO-13-122R]. [6] GAO, Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures, [hyperlink, http://www.gao.gov/products/GAO-12-424R] (Washington, D.C.: Apr. 13, 2012). [7] [hyperlink, http://www.gao.gov/products/GAO-13-122R]. 
[8] A disgorgement is the repayment of illegally gained profits (or avoided losses) for distribution to harmed investors whenever feasible. A penalty is a monetary payment from a violator of securities law that SEC obtains pursuant to statutory authority. A penalty is fundamentally a punitive measure, although penalties occasionally can be used to compensate harmed investors. [9] [hyperlink, http://www.gao.gov/products/GAO-12-424R]. [10] Office of Management and Budget Circular No. A-123, Management's Responsibility for Internal Control, defines management's responsibility for internal control in federal agencies and establishes requirements for documenting, testing, and making an assessment on the effectiveness of internal controls. [11] [hyperlink, http://www.gao.gov/products/GAO-13-122R]. [12] The role of the service provider includes recording transactions in SEC's core financial system; however, SEC management is responsible for reviewing, approving, and monitoring the recorded transactions. The service provider's Standards for Attestation Engagements No. 16 report listed several user controls that should be in place at SEC, as a user organization, in order for SEC to rely on the specified internal controls of the service provider. One such control provided that in order for the customer entity to have effective control over its accounting transactions, user entities need to establish controls that monitor, review, and approve all transactions processed by the service provider to ensure that their financial reporting is complete, accurate, and timely. [13] Downward adjustments are deobligations of obligations recorded in prior budget fiscal years. Deobligation refers to an agency's cancellation or downward adjustment of previously incurred obligations. Deobligated funds may be reobligated within the period of availability of the appropriation. 
For example, annual appropriated funds may be reobligated in the fiscal year in which the funds were appropriated, while multiyear or no-year appropriated funds may be reobligated in the same or subsequent fiscal years. [14] [hyperlink, http://www.gao.gov/products/GAO-13-122R]. [15] Treasury's guidance requires federal agencies to account for downward adjustments to prior year obligations as recoveries from previously recorded obligations, which provide budgetary resources to the agency. Recoveries of prior year obligations are also tracked by OMB relative to its role in monitoring the execution of the Budget of the United States Government. OMB requires recording of these transactions when there is documentary evidence that the price is reduced. [16] This is the process by which SEC (1) evaluates financial reporting assertions and the risk of material misstatements and (2) defines control objectives and develops related control activities to manage the risk of misstatement. SEC's Internal Control Policy states that its risk assessment process requires an evaluation of the financial reporting assertions that are applicable to significant financial statement line items and related general ledger accounts. SEC then defines risks of material misstatement that are relevant to the assertion. Finally, SEC defines control objectives and develops related control activities that are necessary to fulfill the assertion and mitigate the potential for misstatement. SEC re-performs its risk assessment process annually and as needed to address changes to its internal and external environments. [17] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [18] GAO, Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Years 2009 and 2008, [hyperlink, http://www.gao.gov/products/GAO-10-250] (Washington, D.C.: Nov. 16, 2009). 
[19] SEC records an intragovernmental accounts receivable and an equal amount for offsetting intragovernmental custodial liability if an order or a final judgment directs SEC to transfer amounts collected to the Treasury general fund. [20] SEC collects disgorgement, penalties, and interest through checks, wires, the government-wide Pay.gov website, and intra-agency fund transfers. SEC has procedures that require the segregation of duties for collections received by check, but lacked procedures requiring segregation of duties for electronic collections and those received through wires, the Pay.gov website, and intra-agency fund transfers. [21] Nonrecurring manual JVs are adjustments to general ledger balances outside of SEC's automated transaction process, such as accruals or corrections of errors. [22] Treasury's U.S. Standard General Ledger, a supplement to the Treasury Financial Manual, provides a uniform Chart of Accounts and technical guidance to be used in standardizing federal agency accounting. The guidance, among other things, includes (1) uniform chart of accounts and the related general ledger account definitions and (2) a list of account transactions for accounting for financial events occurring throughout the federal government and the related basic standard posting logic (also a posting model). [23] See "Reconciling General Ledger Balances to Subsidiary Records" in the "Significant Deficiency over Budgetary Resources" section of this report. [24] SFFAS No. 1, Accounting for Selected Assets and Liabilities, provides that when an entity accepts title to goods, whether the goods are delivered or in transit, the entity should recognize a liability for the unpaid amount of the goods. If invoices for those goods are not available when financial statements are prepared, the amounts owed should be estimated. According to Statement of Federal Financial Accounting Concepts No. 
1, Objectives of Federal Financial Reporting, "reliability [of financial information] does not imply precision or certainty," but "reliability is affected by the degree of estimation in the measurement process and by uncertainties inherent in what is being measured." Thus, an amount reported in the financial statements may be "fairly stated" but still imprecise. [25] This quarterly assessment involves comparing randomly selected obligation amounts SEC included in its accounts payable accrual as having been delivered for financial reporting purposes, following its estimation methodology, against actual deliveries. [26] SEC Regulation 10-15 provides that contracting officer's representatives (COR) are responsible for ensuring that supplies are delivered, services are performed, or both according to the provisions of the contract. CORs are to document and maintain records that sufficiently describe all actions. SEC's methodology for estimating the delivered portions of its undelivered obligations does not involve review of individual obligations amounting to less than $1 million by the responsible COR. At June 30, 2012, approximately $16 million of the accounts payable balance reported in SEC's financial statements was not verified for accuracy by a COR. [27] SFFAS No. 6, Accounting for Property, Plant, and Equipment, provides that property, plant, and equipment (PP&E) shall be recognized when title passes to the acquiring entity or when the PP&E is delivered to the entity or to an agent of the entity and that acquisition cost of general PP&E shall be recognized as an asset and expensed over its useful life. [28] General support system refers to the integrated client-server system composed of local- and wide-area networks that is organized into distinct subsystems based along SEC's organizational and functional lines. The general support system provides services to internal and external customers who use them for their business applications. 
It also provides the necessary security services to support these applications. [29] Denial of service is the prevention of authorized access to resources or the delaying of time-critical operations. [30] [hyperlink, http://www.gao.gov/products/GAO-12-424R]. [End of document]