This is the accessible text file for GAO report number GAO-05-880T entitled 'Securities and Exchange Commission: Results of Fiscal Year 2004 Financial Audit' which was released on July 28, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Subcommittee on Federal Financial Management, Government Information, and International Security, Committee on Homeland Security and Governmental Affairs, U.S. Senate: For Release on Delivery Expected at 2:00 p.m. EST Wednesday, July 27, 2005: Securities and Exchange Commission: Results of Fiscal Year 2004 Financial Audit: Statement of David M. Walker, Comptroller General of the United States: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-880T]: GAO Highlights: Highlights of GAO-05-880T, testimony before the Subcommittee on Federal Financial Management, Government Information, and International Security, Committee on Homeland Security and Governmental Affairs, U.S. Senate: Why GAO Did This Study: Pursuant to the Accountability for Tax Dollars Act of 2002, the Securities and Exchange Commission (SEC) is required to prepare and submit to Congress and the Office of Management and Budget audited financial statements. GAO agreed, under its audit authority, to perform the initial audit of SEC’s financial statements. GAO’s audit was done to determine whether, in all material respects, (1) SEC’s fiscal year 2004 financial statements were reliable, (2) SEC’s management maintained effective internal control over financial reporting and compliance with laws and regulations, and (3) SEC’s management complied with applicable laws and regulations. Established in 1934 to enforce the securities laws and protect investors, the SEC plays an important role in maintaining the integrity of the U.S. securities markets. GAO was asked by the Chairman of the Senate Subcommittee on Federal Financial Management, Government Information, and International Security, Committee on Homeland Security and Governmental Affairs, to present the results of its May 26, 2005, report, Financial Audit: Securities and Exchange Commission’s Financial Statements for Fiscal Year 2004 (GAO-05-244). What GAO Found: The SEC’s first ever financial audit was performed by GAO for fiscal year 2004. In reporting on the results of the audit, GAO issued an unqualified, or clean, opinion on the financial statements of the SEC. This means that SEC’s financial statements presented fairly, in all material respects, its financial position as of September 30, 2004, and the results of operations for the year then ended. However, because of material internal control weaknesses in the areas of preparing financial statements and related disclosures, recording and reporting disgorgements and penalties, and information security, GAO issued an adverse opinion on internal controls, concluding that SEC did not maintain effective internal control over financial reporting as of September 30, 2004. However, SEC did maintain, in all material respects, effective internal control over compliance with laws and regulations material in relation to the financial statements as of September 30, 2004. In addition, GAO did not find reportable instances of noncompliance with laws and regulations it tested. It is important to remember that GAO’s opinions on SEC’s financial statements and internal controls reflect a point in time. SEC prepared its first complete set of financial statements for fiscal year 2004 and made significant progress during the year in building a financial reporting structure for preparing financial statements for audit. However, GAO identified inadequate controls over SEC’s financial statement preparation process including a lack of sufficient documented policies and procedures, support, and quality assurance reviews, increasing the risk that SEC management will not have reasonable assurance that the balances presented in the financial statements and related disclosures are supported by SEC’s underlying accounting records. In addition, GAO identified inadequate controls over SEC’s disgorgements and civil penalties activities, increasing the risk that such activities will not be completely, accurately, and properly recorded and reported for management’s use in its decision making. GAO also found that SEC has not effectively implemented information system controls to protect the integrity, confidentiality, and availability of its financial and sensitive data, increasing the risk of unauthorized disclosure, modification, or loss of the data, possibly without detection. The risks created by these information security weaknesses are compounded because the SEC does not have a comprehensive monitoring program to identify unusual or suspicious access activities. SEC agreed with our findings and is currently working to improve controls in all these areas. What GAO Recommends: www.gao.gov/cgi-bin/getrpt?GAO-05-880T. To view the full product, including the scope and methodology, click on the link above. For more information, contact Jeanette M. Franzel at (202) 512-9471 or franzelj@gao.gov. [End of section] Mr. Chairman and Members of the Subcommittee: I am pleased to be here today to discuss the results of our audit of the Securities and Exchange Commission's (SEC) fiscal year 2004 financial statements, the first complete set of financial statements SEC has prepared and has subjected to an independent audit.[Footnote 1] Our recent report,[Footnote 2] issued on May 26, 2005, presents the results of that audit. Today, I will discuss those results and the steps we believe SEC needs to take to improve its ability to produce timely and reliable financial statements, and to produce them efficiently and with reasonable assurance that they are fairly presented. These steps will also help SEC to produce complete and reliable information for internal management who make decisions about SEC operations and expenditures, and congressional stakeholders who provide oversight of SEC operations and make decisions about SEC funding. The results of our audit were mixed--a clean opinion on the financial statements and an adverse opinion on internal control. Because we detected three material weaknesses in internal control, we concluded that SEC's internal control did not reduce to a relatively low level the risk of misstatements material to the financial statements. In other words, mistakes may occur and either go undetected by employees in the normal course of their work or be detected too late to prevent errors or fraud. The material weaknesses we found relate to SEC's internal control over (1) preparing financial statements and the related disclosures, (2) recording and reporting of disgorgements[Footnote 3] and civil penalties,[Footnote 4] and (3) information security. It is important to remember that our opinions on SEC's financial statements and internal controls reflect a point in time. SEC has stated its commitment to enhancing its financial and operational effectiveness. We and others have made recommendations, which if successfully implemented, would help SEC to generate timely, reliable, and useful financial information with which to make informed decisions, manage daily operations, and ensure accountability on an ongoing basis. SEC has a very visible and prominent leadership role in promoting and enforcing accountability for corporations whose equity and debt securities are traded in the securities markets. Recently, this role has also encompassed helping to ensure the effective implementation of the Sarbanes-Oxley Act, with its emphasis on internal control and corporate governance for the companies it regulates. At a time when many corporations are striving to strengthen internal controls and improve financial reporting, SEC has the opportunity and responsibility to serve as a model of good practice. In that regard, SEC stated in its 2004 Performance and Accountability Report, issued in May 2005, that SEC must lead by example with respect to the internal control requirements demanded of the private and federal sectors, and also articulated management's vision that SEC serve as the standard against which other federal agencies are measured. A higher standard of accountability is appropriate for SEC as a government regulatory agency; moreover, it is important to the success of SEC's programs, activities, and leadership in the business community and as a government regulator. Audit Results: In our audit of the fiscal year 2004 financial statements for SEC, we found: * the financial statements as of and for the fiscal year ended September 30, 2004, including the accompanying notes, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles; * SEC did not have effective internal control over financial reporting (including safeguarding of assets), but had effective control over compliance with laws and regulations that could have a material effect on the financial statements as of September 30, 2004; and: * no reportable noncompliance with laws and regulations we tested. We issued an unqualified, or clean, opinion on the SEC's financial statements. This means that the financial statements and accompanying notes present fairly, in all material respects, SEC's financial position as of September 30, 2004, and, as well, certain other financial information that the statements must provide: net cost, changes in net position, budgetary resources, financing, and custodial activities for the year then ended. We also found that the statements conform to U.S. generally accepted accounting principles. In order to reach our conclusions about the financial statements, we (1) tested evidence supporting the amounts and disclosures in the financial statements, (2) assessed the accounting principles used and significant estimates made by management, and (3) evaluated the presentation of the financial statements. We found three material weaknesses in internal control and thus issued an adverse opinion on internal control--stating that SEC management did not maintain effective internal control over financial reporting and the safeguarding of assets as of September 30, 2004. Internal control over financial reporting consists of an entity's policies and procedures that are designed and operated to provide reasonable assurance about the reliability of that entity's financial reporting and its process for preparing and fairly presenting financial statements in accordance with generally accepted accounting principles. It includes policies and procedures for maintaining accounting records, authorizing receipts and disbursements, and the safeguarding of assets. Because SEC makes extensive use of computer systems for recording and processing transactions, SEC's financial reporting controls also include controls over computer operations and access to data and computing resources. Our opinion on SEC's internal control means that SEC's internal control did not reduce to a relatively low level the risk that misstatements material to the financial statements may occur and go undetected by employees in the normal course of their work. This conclusion on SEC's internal controls did not affect our opinion on SEC's financial statements. This is because during the audit process SEC made the adjustments identified during the audit as necessary for the fair presentation of its financial statements. However, the weaknesses we found could affect other, unaudited information used by SEC for decision making. Our evaluation of internal control covered SEC's financial reporting controls which also cover certain operational activities that result in SEC's financial transactions, such as activities pertaining to stock exchange transaction fees, public-filing fees, maintaining disgorgements and penalties receivable, payroll- related transactions, and others. We also tested SEC's compliance with selected provisions of laws and regulations that have a direct and material impact on the financial statements. For example, we tested for compliance with sections of the Securities Exchange Act of 1934, as amended, that requires SEC to collect fees from the national securities exchanges and the National Association of Securities Dealers based on volume of stock transactions, and sections of the Securities Act of 1933, as amended, that requires SEC to collect fees from registrants for public filings. Our tests found no instances of noncompliance that are reportable. We also found that SEC maintained, in all material respects, effective internal control over compliance. I would now like to discuss in detail the three material internal control weaknesses we found during our audit. Material Internal Control Weaknesses: SEC Needs to Improve Its Controls over Financial Statement Preparation and Reporting: We found that SEC did not have formalized processes or documentation for the procedures, systems, analysis of accounts, and personnel involved in developing key balances and preparing the financial statements and related disclosures. As I will discuss later, this issue is compounded by SEC's limitations with its financial management system. Also, SEC did not have formalized quality control or review procedures. As a result, we identified errors in the beginning asset and liability balances and in the September 30, 2004, draft financial statements prepared by SEC management, that if had not been corrected, would have resulted in materially misleading operating results for fiscal year 2004. SEC's lack of formalized processes, documented procedures, and quality assurance checks, significantly delayed the reporting of fiscal year 2004 financial results, consumed significant staff resources, caused audit inefficiencies, and resulted in higher financial statement preparation and audit costs. I would like to highlight the following items we found: * SEC did not have documentation providing an explanation or a crosswalk between the financial statements and the source systems, general ledger accounts, account queries, and account analyses. * SEC did not maintain a subsidiary ledger for certain activities, such as customer deposit amounts pertaining to filing fees. * Accounting staff had difficulty in retrieving support for certain account balances, such as undelivered-order amounts, and for certain property and equipment leases. * Reconciliations of detail and summary account balances were not prepared for certain financial statement line items, such as for the customer deposit liability relating to filing fees and the associated earned filing fee revenue; the accounts receivable related to exchange fees and the related amount of earned exchange fee revenue; and the budgetary accounts related to undelivered and delivered orders, thus requiring SEC staff to create an audit trail after the fact. * There also was no consistent evidence of supervisory review of journal entries, including closing and adjusting journal entries made in connection with preparing quarterly and year-end financial statements. * Comprehensive accounting policies and procedures were still in draft or had not yet been developed for several major areas related to financial statements, including disgorgements and penalties, filing fees, exchange fees, and fixed asset capitalization. GAO's Standards for Internal Control in the Federal Government[Footnote 5] requires that controls over the financial statement preparation process be designed to provide reasonable assurance regarding the reliability of the balances and disclosures reported in the financial statements and related notes in conformity with generally accepted accounting principles, including the maintenance of detailed support that accurately and fairly reflect the transactions making up the balances in the financial statements and disclosures. In addition, an effective financial management system includes policies and procedures related to the processing of accounting entries. SEC's difficulties in the area of financial statement preparation are exacerbated because SEC's financial management system is not set up to generate the user reports needed to perform analyses of accounts and activity on a real-time basis leading to SEC's staff-intensive and time- consuming efforts to prepare financial statements. Because SEC does not maintain standard schedules for producing certain basic reports of account detail for analysis, users have to request reports generated on an ad hoc basis by a software application whose operations are known only to some SEC staff. Also, as I will discuss in more detail later, not all of SEC's systems used for tracking and recording financial data are integrated with the accounting system. Federal agencies preparing financial statements are required to develop a financial management system to prepare a complete set of statements on a timely basis in accordance with generally accepted accounting principles. The financial statements should be the product of an accounting system that is an integral part of an overall financial management system with structure, internal control, and reliable data. Office of Management and Budget Circular No. A-127, Financial Management Systems, requires that each agency establish and maintain a single integrated financial management system--basically a unified set of financial systems electronically linked for agencywide support. Integration means that the user is able to obtain needed information efficiently and effectively from any level of use or access point. (This does not necessarily mean having only one software application covering all financial management system needs or storing all information in the same database.) Interfaces between systems are acceptable as long as the information needed to enable reconciliation between the systems is accessible to managers. Interface linkages should be electronic unless the number of transactions is so small that it is not cost beneficial to automate the interface. Reconciliations between systems, where interface linkages are appropriate, should be maintained to ensure data accuracy. To support its financial management functions, SEC relies on several different systems to process and track financial transactions that include filing and exchange fees, disgorgements and penalties, property and equipment, administrative items pertaining to payroll and travel, and others. Not all of these systems are integrated with the accounting system. For example, the case-tracking system and the spreadsheet application used to account for significant disgorgement and penalty transactions and the system used to account for property and equipment are not integrated with the accounting system. Without a fully integrated financial management system, SEC decision makers run the risk of delays in attaining relevant data or using inaccurate information inadvertently while at the same time dedicating scarce resources toward the basic collection of information. A properly designed and implemented financial statement preparation and reporting process (which encompasses the financial management system) should provide SEC management with reasonable assurance that the balances presented in the financial statements and related disclosures are materially correct and supported by the underlying accounting records. To address the issues related to SEC's financial statement preparation and reporting processes, we recommended that SEC take the following 13 actions to improve controls over the process. 1. Develop written policies and procedures that provide sufficient guidance for the year-end closing of the general ledger as well as the preparation and analysis of quarterly and annual financial statements. 2. Establish clearly defined roles and responsibilities for the staff involved in financial reporting and the preparation of interim and year- end financial statements. 3. Prepare a crosswalk between the financial statements and the source systems, general ledger accounts, and the various account queries and analyses that make up key balances in the financial statements. 4. Maintain subsidiary records or ledgers for all significant accounts and disclosures so that the amounts presented in the financial statements and footnotes can be supported by the collective transactions making up the balances. 5. Perform monthly or periodic reconciliations of subsidiary records and summary account balances. 6. Perform a formal closing of all accounts at an interim date or dates to reduce the level of accounting activity and analysis required at year-end. The formal closing entails procedures to ensure that all transactions are recorded in the proper period through the closing date, and then closing the accounting records so that no new entries can be posted during that period. 7. Distinguish common closing and adjusting entries in a formal listing, which is used in the general ledger closing process and in preparing financial statements. 8. Require supervisory review for all entries posted to the general ledger and financial statements, including closing entries. A supervisor should review revisions to previously approved entries and revised financial statements and footnotes. All entries and review should be documented. 9. Establish milestones for preparing and reviewing the financial statements by setting dates for critical phases such as closing the general ledger; preparing financial statements, footnotes, and the performance and accountability report; and performing specific quality control review procedures. 10. Use established tools (i.e., checklists and implementation guides) available for assistance in compiling and reviewing financial statements. 11. Maintain documentation supporting all information included in the financial statements and footnotes. This documentation should be more self-explanatory than what has been retained in the past. The documentation should be at a level of detail to enable a third party, such as an auditor, to use the documentation for substantiating reported data without extensive explanation or re-creation by the original preparer. 12. Take advantage of in-house resources and expertise in establishing financial reporting policies, internal controls, and business practices, as well as in review of financial statement and footnote presentation. 13. Develop or acquire an integrated financial management system to provide timely and accurate recording of financial data for financial reporting and management decision making. In response to our audit findings, SEC plans to increase its financial reporting staff this fiscal year, formalize its policies and procedures, and solicit advice from corporate financial reporting experts within SEC. SEC senior management has reviewed and endorsed certain initial policies applied in the first year of financial reporting, and has modified or recommended others for further review. In addition, SEC plans to establish a formal audit committee to provide for regular review by key management officials and advise on policies and controls. SEC is undertaking a multiyear project to replace the existing case-tracking system with a system that is better designed for financial reporting purposes. Now I would like to shift to the second material internal control weakness. SEC Has Control Weaknesses over Disgorgements and Civil Penalties: As part of its enforcement responsibilities, SEC issues and administers judgments that order disgorgements and civil penalties against violators of federal securities laws. The resulting transactions for fiscal year 2004 involved collections of about $945 million, and recording and reporting of fiduciary and custodial balances on the financial statements.[Footnote 6] SEC records and tracks information on over 12,000 parties in SEC enforcement cases involving disgorgements and penalties through a case-tracking system. However, the case- tracking system is not designed for financial reporting and is not integrated with SEC's general ledger accounting system, which accumulates, tracks, and summarizes SEC's financial transactions. To compensate for limitations in the system, SEC staff compiles quarterly subsidiary ledgers using extensive and time-consuming procedures. After downloading financial information on disgorgements and penalties from the case-tracking system to a spreadsheet with thousands of cases and defendants with a magnitude of approximately 1 million data elements, SEC staff performs numerous calculations using the data in the spreadsheet to compile the disgorgement and penalty balances as of the end of each quarter. Such a process is inherently inefficient and prone to error. Further, since the source of the data included on the spreadsheet is from the case-tracking system, whose data reliability has been reported as a problem by SEC for the past three years,[Footnote 7] it is imperative that specific control procedures be put in place to provide reasonable assurance over the completeness and reliability of the data in the case-tracking system. In addition, control procedures are needed to reduce the risk of errors in the spreadsheet and ultimately the reported financial statement information. Finally, when reviewing case files we noted instances in which the supporting documentation in the files contained notations by the case managers indicating that potential activities or transactions related to the case had occurred. However, there was not adequate supporting documentation to support an entry to the case-tracking system. These instances raised questions about whether SEC's accounting and financial reporting information related to penalties and disgorgements was potentially incomplete or out-of-date. As a result of the issues I have described, we concluded that SEC did not have adequate control procedures in place to provide adequate assurance over the reliability of financial information related to this area. Thus, our auditors performed additional testing over SEC's financial statement balances related to penalties and disgorgements. GAO's Standards for Internal Control in the Federal Government requires that agencies establish controls to ensure that transactions are recorded in a complete, accurate, and timely manner. Although SEC has a draft policy that covers certain aspects of accounting for disgorgements and penalties, it is not comprehensive. For example, the policy does not define who is responsible for recording disgorgement and penalty data or the documentation that should be maintained to support the amounts recorded. Of even greater importance, the policy does not identify controls that are critical for determining the amounts to be recorded and for reviewing entries for completeness and accuracy, including the specific types of controls needed for the quarterly downloading of data and use of the spreadsheets for arriving at the accounting entries. Nor does the policy address supervisory review necessary to ensure consistent application of the procedures. A lack of comprehensive policies and controls over disgorgement and penalty transactions increases the risk that the transactions will not be completely, accurately, and consistently recorded and reported. In our audit of the estimated net amounts receivable from disgorgements and penalties, we did find errors in the recorded balances for the related gross accounts receivable and allowance for loss. Specifically, we noted errors where SEC had made entries to the accounting system that conflicted with information in the files. We also noted inconsistent treatment in recording judgments, interest amounts, terminated debts, and collection fees imposed by Treasury. We believe that these errors and inconsistencies occurred because of the control weaknesses we found. While, in most cases, these errors and inconsistencies were offsetting, such errors raise concern about the reliability of the $1.673 billion gross accounts receivable for disgorgements and penalties and the related allowance amounts of $1.394 billion reported in footnote 3 to SEC's financial statements. To address internal control weaknesses over disgorgements and penalties, we recommended that SEC: 1. implement a system that is integrated with the accounting system or that provides the necessary input to the accounting system to facilitate timely, accurate, and efficient recording and reporting of disgorgement and penalty activity; 2. review the disgorgement and penalty judgments and subsequent activities documented in each case file by defendant to determine whether individual amounts recorded in the case-tracking system are accurate and reliable; 3. implement controls so that the ongoing activity involving disgorgements and penalties is properly, accurately, and timely recorded in the case-tracking system and the accounting system; 4. strengthen coordination, communication, and data flow among staff of SEC's Division of Enforcement and Office of Financial Management who share responsibility for recording and maintaining disgorgement and penalty data; and: 5. develop and implement written policies covering the procedures, documentation, systems, and responsible personnel involved in recording and reporting disgorgement and penalty financial information. The written procedures should also address quality control and managerial review responsibilities and documentation of such a review. SEC agrees with our findings in this area and has begun efforts to strengthen internal controls. For example, SEC plans to complete a comprehensive review of files and data and review and strengthen policies and procedures for recording and updating amounts receivable for disgorgements and penalties. SEC anticipates that consistent application of strengthened internal controls and potentially some limited redesign of the existing management information system will be adequate to resolve the material weaknesses in fiscal year 2006. However, SEC acknowledges that a replacement of the current case- tracking system and a more thorough reexamination of the relevant business process would provide more effective assurance. Accordingly, in fiscal year 2006, SEC plans to complete a requirements analysis as the first phase of the multiyear project to replace the case-tracking system. Now I would like to shift to the discussion of the material internal control weakness pertaining to information security. SEC Needs to Address Weak Controls over Financial and Sensitive Data: Information system controls are essential for any organization that depends on computer systems and networks to carry out its mission or business and maintain key records and accountability information. Without proper safeguards, organizations run the risk that intruders may obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. SEC--which relies extensively on computer systems to support its operations--needs a comprehensive program of general controls[Footnote 8] to monitor and manage information security risks. Our review[Footnote 9] of SEC's information system general controls found that the commission did not effectively implement controls to protect the integrity, confidentiality, and availability of its financial and sensitive information. In March 2005, we reported weaknesses in electronic access controls, including controls designed to prevent, limit, and detect access to SEC's critical financial and sensitive systems.[Footnote 10] We found these weaknesses in user accounts and passwords, access rights and permissions, network security, and the audit and monitoring of security- related events. These weaknesses were heightened because SEC had not fully established a comprehensive monitoring program. We identified the following electronic access control weaknesses: * SEC operating personnel did not consistently set password parameters- -such as a minimum of six digits including both numbers and letters--to ensure a level of difficulty for an intruder trying to guess a password, and users sometimes did create easy-to-guess passwords. * All 4,100 network users were inadvertently granted access that would allow them to circumvent the audit controls in the commission's main financial systems. * Key network devices were not configured to prevent unauthorized individuals from gaining access to detailed network system policy settings and lists of users or user groups. * SEC did not have a comprehensive monitoring program for routine review, audit, or monitoring of system user-access activities. For example, audit logging, which is typically used to track certain types of activity on a system, was not consistently implemented on network services and there was no real-time capability to target unusual or suspicious network events for review. In addition, SEC had not fully implemented a network intrusion-detection system. The commission did, however, have several initiatives under way to monitor user access activity. We also identified weaknesses in other information system controls-- including physical security, segregation of computer functions, application change controls, and service continuity. For instance: * At the time of our review, 300 employees and contractors had physical access to SEC's data center. Persons with access included an undetermined number of application programmers, budget analysts, administrative staff, and customer support staff. Typically, persons serving these functions do not need access to the data center for their work. * SEC had not sufficiently separated incompatible[Footnote 11] system administration and security administration functions on its key financial applications. * Although a change control board at SEC was responsible for authorizing all application changes, none of the software modifications reviewed had documentation to show that such authorizations had been obtained. * SEC had not implemented a service-continuity plan to ensure that the system and its major applications could continue to function after a major disruption, such as a loss of electricity. As a result of these weaknesses, sensitive SEC data--including payroll and financial transactions, personnel data, regulatory, and other mission-critical information--were at increased risk of unauthorized disclosure, modification, or loss. A key reason for weaknesses in SEC's information system general controls is that the commission has not fully developed and implemented a comprehensive agency information security program. The Federal Information Security Management Act (FISMA) requires each agency to develop, document, and implement an agencywide information security program to provide security for the information and systems that support the operations and assets of the agency. Agencies are required to use a risk-based approach to information security management. FISMA also requires an agency's information security program to include these key elements: * periodic assessments of risk and the magnitude of harm that could result from unauthorized access, use, or disruption of information systems; * policies and procedures that are based on risk assessments and risk reductions to ensure that information security is addressed throughout the life cycle of each system and that applicable requirements are met; * security awareness training to inform all users of information security risks and users' responsibilities in complying with information security policies and procedures; and: * periodic tests and evaluations of the effectiveness of information security policies, procedures, and practices related to management, operational, and technical controls of every major system. Although SEC has taken some actions to improve security management-- including establishing a central security management group and appointing a senior information security officer to manage the information security program--further efforts are needed. For example, we found that the commission had not clearly defined roles and responsibilities for the central security group it had established. In addition, SEC had not fully (1) assessed its risks, (2) established or implemented security policies, (3) promoted security awareness, or (4) tested and evaluated the effectiveness of its information system controls. SEC and its Office of Inspector General (OIG) have recognized weaknesses in the commission's information security program. Since 2002, SEC has reported information security as a material weakness in its FMFIA reports. In its fiscal year 2004 FISMA report, SEC's OIG reported that the commission had several weaknesses in information security and was not substantially in compliance with information security requirements contained in FISMA. Without proper safeguards for its information systems, SEC is at risk from malicious intruders entering inadequately protected systems. It is at risk that intruders will use this access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. We believe the primary cause of these weaknesses has been the lack of a fully developed and implemented entitywide information security program. In our March 2005 report,[Footnote 12] we recommended 6 actions to fully develop and implement an effective security program. In addition, we made 52 recommendations to correct specific information security weaknesses related to electronic access control and other information system controls. Due to their sensitivity, these recommendations were included in a separate report designated for "Limited Official Use Only." A fully developed, documented, and implemented agency information security program would provide the commission with a solid foundation for resolving its information security problems and for ongoing management of its information security risks. We believe that if our recommendations and SEC's planned actions are carried out effectively, SEC can make considerable progress toward its declared vision as "the standard against which federal agencies are measured"[Footnote 13] and will be in a stronger position to manage its daily operations and accomplish its mission. This testimony is based on our recent audit of SEC's fiscal year 2004 financial statements, which was conducted in accordance with U.S. generally accepted government auditing standards. Mr. Chairman, this concludes my prepared statement. I would be pleased to respond to any questions that you or the other members of the Subcommittee may have. Contacts and Staff Acknowledgements: For further information on this testimony, please contact Jeanette Franzel at (202) 512-9471 or at [Hyperlink, franzelj@gao.gov] and Greg Wilshusen at (202) 512-6244 or at [Hyperlink, wilshuseng@gao.gov]. Individuals making key contributions to this testimony include Cheryl Clark, Kim McGatlin, Charles Vrabel, Estelle Tsay, Kristi Dorsey, and Maxine Hattery. (194560): FOOTNOTES [1] The Accountability of Tax Dollars Act of 2002 requires certain agencies, including SEC, to prepare financial statements and have them audited. [2] Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Year 2004, GAO-05-244 (Washington, D.C.: May 26, 2005). [3] Disgorgement is the repayment of illegally earned profits. [4] A penalty is a monetary sum that is to be paid by the registrant to SEC as a result of a security law violation. [5] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). [6] Fiduciary activities represent the moneys collected from federal securities law violators and maintained by SEC to be distributed to harmed investors. Custodial activities represent the moneys collected by SEC from violators of federal securities laws that are returned to the General Fund of the Treasury, as nonfederal individuals or entities do not have an ownership interest in these revenues. [7] The Federal Managers' Financial Integrity Act (FMFIA) of 1982 (31 U.S.C. § 3512 (c)(d)) requires the head of each agency to annually prepare a statement that identifies material weaknesses in the agency's systems of internal accounting and administrative control and its plans and schedule for correcting them. SEC reported material weaknesses and related system nonconformance issues concerning data integrity and financial reporting for disgorgements and penalties in its 2002, 2003, and 2004 FMFIA reports. [8] Information system general controls affect the overall effectiveness and security of computer operations as opposed to being unique to any specific computer application. These controls include security management, operating procedures, software security features, and physical protection designed to ensure that access to data is appropriately restricted, computer security functions are segregated, only authorized changes to computer programs are made, and back-up and recovery plans are adequate to ensure the continuity of essential operations. [9] GAO-05-244. [10] See GAO, Information Security: Securities and Exchange Commission Needs to Address Weak Controls over Financial and Sensitive Data, GAO- 05-262 (Washington, D.C.: March 23, 2005). [11] Incompatible functions are those that cause a conflict or risk if they are under the responsibility of the same person. For example, authorizing access and using that access are incompatible functions. [12] GAO-05-262. [13] U.S. Securities and Exchange Commission, 2004 Performance and Accountability Report.