This is the accessible text file for GAO report number GAO-08-461R
entitled 'Internal Control: Improvements Needed in SEC's Accounting and
Financial Reporting Process' which was released on April 1, 2008.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
April 1, 2008:
The Honorable Christopher Cox:
Chairman:
U.S. Securities and Exchange Commission:
Subject: Internal Control: Improvements Needed in SEC's Accounting and
Financial Reporting Process:
Dear Mr. Cox:
On November 16, 2007, we issued our report[Footnote 1] on the U.S.
Securities and Exchange Commission's (SEC) fiscal years 2007 and 2006
financial statements and on SEC's internal control as of September 30,
2007. We also reported on the results of our tests of SEC's compliance
with selected provisions of laws and regulations during fiscal year
2007.
The purpose of this report is to present areas of SEC's internal
controls identified during our fiscal year 2007 audit that could be
improved.[Footnote 2] This report contains 14 recommendations to SEC to
improve these internal controls and procedures. These recommendations
are in addition to those we already provided to SEC as a result of our
prior audits of SEC's financial statements.[Footnote 3]
Results in Brief:
Our November 16, 2007, report concluded that SEC had a material
weakness[Footnote 4] in internal control over its financial reporting
process, and therefore did not maintain effective internal control over
financial reporting as of September 30, 2007. This weakness is
comprised of four significant deficiencies,[Footnote 5] which taken
collectively result in more than a remote likelihood that a material
misstatement of the financial statements will not be prevented or
detected. These significant deficiencies concern (1) the period-end
financial reporting process, (2) disgorgements and penalties accounts
receivable, (3) accounting for transaction fee revenue, and (4)
preparing financial statement disclosures.
In addition to the material weakness discussed above, we identified
three significant deficiencies in internal control, which although not
material weaknesses, represent significant deficiencies in the design
or operation of internal control. These significant deficiencies
concern (1) information security controls, (2) property and equipment,
and (3) accounting for budgetary resources.
As of January 2008, SEC had taken actions to fully address 3 of the 23
recommendations that remained open as of January 2007 from our audits
of the agency's 2004, 2005, and 2006 financial statements.
We also identified one other internal control weakness that although
not considered to be a material weakness or significant deficiency, we
believe warrants SEC management's consideration as to whether
additional actions are warranted. This issue concerns certification of
employees' time cards, documentation of monitoring of time card
certification, and approval of personnel actions.
Tables 1, 2, and 3 of enclosure I provide summary information on the
status of recommendations from our 2004, 2005, and 2006 audits of SEC's
financial statements, respectively.[Footnote 6] Our 14 new
recommendations follow the sections in which the corresponding issues
are discussed.
In providing written comments on a draft of this report, the SEC
Chairman expressed his commitment to remediate the control deficiencies
this fiscal year and summarized SEC's corrective action plans to
address GAO's recommendations.
Scope and Methodology:
As part of our audit of SEC's fiscal years 2007 and 2006 financial
statements, we evaluated SEC's internal controls and tested its
compliance with selected provisions of laws and regulations. We
designed our audit procedures to test relevant controls over financial
reporting, including those designed to provide reasonable assurance
that transactions are properly recorded, processed, and summarized to
permit the preparation of the financial statements in conformity with
U.S. generally accepted accounting principles, and that assets are
safeguarded against loss from unauthorized acquisition, use, or
disposition. This report is based on the work performed during our
audit of SEC's fiscal years 2007 and 2006 financial statements. We
requested comments on a draft of this report from the Chairman of SEC.
SEC's written comments are reprinted in enclosure II. We conducted our
audit in accordance with U.S. generally accepted government auditing
standards. Further details on our scope and methodology are included in
our report on the results of our audit of SEC's fiscal years 2007 and
2006 financial statements[Footnote 7] and are briefly summarized in
enclosure III.
Period-End Financial Reporting Process:
SEC's financial management system does not conform to the systems
requirements of Office of Management and Budget (OMB) Circular No. A-127,
Financial Management Systems. Specifically, Circular No. A-127
requires that financial management systems be designed to provide for
effective and efficient interrelationships between software, hardware,
personnel, procedures, controls, and data contained within the systems.
Circular No. A-127 further states that financial systems must have
common data elements, common transaction processing, consistent
internal controls, and efficient transaction entry, and that reports
produced by the systems shall provide financial data that can be traced
directly to the general ledger accounts.
SEC's period-end financial reporting process for recording
transactions, maintaining account balances, and preparing financial
statements and disclosures is supported to varying degrees by a
collection of automated systems that are not integrated or compatible
with its general ledger system. These automated systems' lack of
integration and compatibility require that extensive compensating
manual and labor-intensive accounting procedures, involving large
spreadsheets and numerous posting and routine correcting journal
entries, dominate SEC's period-end financial reporting process. Some of
SEC's subsidiary systems, such as those for property and equipment and
for disgorgements and penalties, do not share common data elements and
common transaction processing with the general ledger system.
Therefore, intermediary information processing steps, including
extensive use of spreadsheets, manipulation of data, and manual journal
entries, are needed to process the information in SEC's general ledger.
For example, at period end, SEC personnel must extract the period's
transactions from each subsidiary system and forward these data, in
various formats, to accountants in the Financial Statements Preparation
Branch, who use them to develop the journal vouchers (JV) necessary to
include these transactions in period-end balances. These JVs are
uploaded in batches to the core financial management system and posted
to the general ledger. Once the general ledger is thus updated, a trial
balance is created from which the accountants prepare the financial
statements.
While the accounting staff make extensive use of desktop applications
and workstations to perform calculations and to store the data used to
prepare JVs and financial statements, little of the data processing
that takes place during SEC's financial reporting cycle is fully
automated. The information security controls necessary to prevent or
recover from any inadvertent data corruption or to permit independent
verification of the processing that has taken place have not been
established for period-end accounting and reporting. SEC has developed
a standard voucher template and a standardized review form for JVs,
which were used to prepare the final fiscal 2007 financial statements.
However, SEC's current period-end closing process taken as a whole
complicates review of the transactions and greatly increases the risk
that the transactions are not recorded completely, properly, or
consistently, ultimately affecting the reliability of the data
presented in the financial statements. Our identification this year of
errors in SEC's calculation of disgorgement and penalty accounts
receivable, discussed below, illustrates this risk.
The risk to data reliability is further increased because basic
controls over electronic data, such as worksheet and password
protection, change history, and controls over data verification, such
as control totals and record counts, were not consistently used during
the data processing between the source systems and the general ledger.
In addition, currently, SEC's general ledger has several unconventional
posting models and other limitations that prevent proper recording of
certain transactions. As a result, SEC's year-end reporting process
requires extensive routine correcting journal entries to correct errors
created by incorrectly posted transactions in its general ledger. We
also noted that SEC's documentation used to crosswalk individual
accounts to the financial statement line items contained an incorrect
routing to a line item on SEC's Statement of Budgetary Resources for
SEC's year-end financial statement preparation process, which caused a
material error in SEC's draft financial statements for 2007.
Also, SEC did not have detailed written documentation of its
methodologies and processes for preparing financial statements and
disclosures, increasing the risk of inconsistent and improper reporting
and the risk that disruptions and error may arise when staff turnover
occurs. Specifically, SEC did not have current written policies and
procedures for over 15 areas, including investments, property and
equipment, accounts receivable, other liabilities, and for the
preparation of JV uploads into SEC's financial management system.
Recommendations:
We recommend that SEC take the following actions to improve its
period-end financial reporting process controls:
1. Integrate subsystems that process significant accounting data with
the general ledger.
2. Until subsystems are fully integrated, develop and implement
documented data reliability checks for data extracted from
nonintegrated subsidiary systems, including spreadsheets. These data
reliability checks should include supervisory review.
3. Prepare written procedures which describe explicitly the steps
required to accomplish and document each significant activity in the
general ledger closing process and in the generation of the financial
statements, including related disclosures.
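An added illustration, not part of GAO's report or SEC's systems: one way the record counts and control totals named above could be checked on a subsidiary-system extract before journal vouchers are prepared, with sign-off by a second person as recommendation 2 asks. The CSV layout, field names, function names, and the SHA-256 digest are assumptions made for the example; the sample data is constructed.

```python
import csv
import hashlib
import io
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class ControlManifest:
    """Figures the source system reports alongside an extract (hypothetical format)."""
    record_count: int
    control_total: Decimal
    sha256: str


def _rows(extract: bytes) -> list:
    return list(csv.DictReader(io.StringIO(extract.decode("utf-8"))))


def build_manifest(extract: bytes, amount_field: str = "amount") -> ControlManifest:
    """Run on the source side at export time, before the file is forwarded."""
    rows = _rows(extract)
    total = sum((Decimal(r[amount_field]) for r in rows), Decimal("0"))
    return ControlManifest(len(rows), total, hashlib.sha256(extract).hexdigest())


def verify_extract(extract: bytes, manifest: ControlManifest,
                   id_field: str = "record_id",
                   amount_field: str = "amount") -> list:
    """Return discrepancies found; an empty list means the extract reconciles."""
    findings = []
    # Digest check: catches any change to the file, including offsetting edits
    # that leave the count and total intact. (Addition beyond the controls the
    # report names.)
    if hashlib.sha256(extract).hexdigest() != manifest.sha256:
        findings.append("digest mismatch: file changed after export")
    rows = _rows(extract)
    # Record count: catches dropped or duplicated rows.
    if len(rows) != manifest.record_count:
        findings.append(f"record count {len(rows)} != expected {manifest.record_count}")
    total = Decimal("0")
    seen = set()
    for line_no, row in enumerate(rows, start=2):  # header is line 1
        rid = row.get(id_field)
        if rid in seen:
            findings.append(f"line {line_no}: duplicate record id {rid}")
        seen.add(rid)
        try:
            total += Decimal(row[amount_field])
        except (InvalidOperation, KeyError, TypeError):
            findings.append(f"line {line_no}: unreadable amount")
    # Control total: catches altered amounts. Decimal avoids float rounding.
    if total != manifest.control_total:
        findings.append(f"control total {total} != expected {manifest.control_total}")
    return findings


def release_for_posting(findings: list, preparer: str, reviewer: str) -> bool:
    """Gate the upload: clean reconciliation plus review by someone other than the preparer."""
    return not findings and bool(reviewer) and reviewer != preparer


# Constructed sample data (not real SEC records).
SAMPLE_EXTRACT = (
    b"record_id,amount\n"
    b"R-001,1250.00\n"
    b"R-002,-300.25\n"
    b"R-003,980.10\n"
)
MANIFEST = build_manifest(SAMPLE_EXTRACT)

# A row was lost and a sign was dropped while the data was handled in a spreadsheet.
CORRUPTED = b"record_id,amount\nR-001,1250.00\nR-002,300.25\n"

# Two offsetting edits: count and total still agree, only the digest differs.
OFFSETTING = b"record_id,amount\nR-001,1260.00\nR-002,-300.25\nR-003,970.10\n"

if __name__ == "__main__":
    for name, data in [("clean", SAMPLE_EXTRACT), ("corrupted", CORRUPTED),
                       ("offsetting", OFFSETTING)]:
        print(name, verify_extract(data, MANIFEST))
```

The offsetting case shows why a record count and control total alone are not sufficient evidence that an extract is unchanged.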
Disgorgements and Penalties Accounts Receivable:
As part of its enforcement responsibilities, SEC issues orders and
administers judgments ordering, among other things, disgorgements,
civil monetary penalties, and interest against violators of federal
securities laws.[Footnote 8] SEC recognizes a receivable when SEC is
designated in an order or a final judgment to collect the assessed
disgorgements, penalties, and interest. At September 30, 2007, the
gross amount of disgorgements and penalties accounts receivable was
$330 million, with a corresponding allowance of $266 million resulting
in a net receivable of $64 million.
SEC's Phoenix system, which maintains financial data pertaining to
disgorgements and penalties, is not integrated with SEC's general
ledger system. To determine disgorgement and penalty receivable
amounts, SEC downloads the data from Phoenix into a spreadsheet,
manipulates selected data, and uses cell formulas to determine balance
totals. This manual process for determining disgorgement and penalty
balances presents high inherent risk in SEC's financial reporting
process and demands effective compensating controls to ensure the
accuracy and proper recording of related financial statement amounts,
including effective supervisory review.
In our reviews of the interim June 30, 2007, and year-end September 30,
2007, balances of accounts receivable for disgorgements and penalties,
we found errors in SEC's spreadsheet formulas resulting in
overstatements of these receivable balances for both periods.
Specifically, for the interim balance as of June 30, 2007, the
spreadsheet formula did not reduce the disgorgement receivable for
offset amounts that had already been paid by debtors to a non-SEC
entity. SEC subsequently detected and corrected the June 30 errors, but
then made different spreadsheet calculation errors in the year-end
balances as of September 30, 2007, which we detected as part of our
audit and which SEC corrected prior to the issuance of the financial
statements. For example, SEC incorrectly included in its disgorgement
receivable balance at September 30, 2007, amounts that had been
terminated.
The main cause of these errors was the breakdown this year in the
manual controls that were intended to compensate for the lack of an
integrated accounting system for disgorgements and penalties, as
discussed above.
Although SEC reviewed the journal entries posting the amounts to the
general ledger, this review did not extend to the preparation of the
spreadsheet SEC used to document the accounts receivable calculation at
June 30 and September 30, 2007, and therefore, was not sufficient to
detect significant spreadsheet formula errors. For example, the review
did not include (1) reviewing the detailed manual process of
downloading data from Phoenix, (2) determining which Phoenix data
elements to use and the rationale used in selecting those data
elements, (3) reviewing the manipulation of selected data, and (4)
reviewing the accuracy of the spreadsheet cell formulas used in
calculating the accounts receivable balance.
Recommendations:
We recommend that SEC take the following action to improve its
disgorgement and penalties accounts receivable controls:
4. Develop and implement controls over the calculation of disgorgement
and penalties accounts receivable, including the reliability of data
downloaded from Phoenix and the accuracy of spreadsheet cell formulas
and related methodologies.
Accounting for Transaction Fee Revenue:
As one of its sources of revenue, SEC collects securities transaction
fees paid by self-regulatory organizations (SRO) to SEC for stock
transactions. SRO transaction fees are payable to SEC twice a year - in
March for the previous months September through December, and in
September for the previous months January through August. SEC
calculates the fees due and bills the SROs based on actual transaction
volume reported on a monthly basis by the SROs to SEC. Since the SROs
are not required to report the actual volume of transactions until 10
business days after the end of each month, SEC estimates and records an
amount receivable for fees payable by the SROs to SEC for activity
during the month of September. At September 30, 2007, SEC estimated
this receivable amount at $100.6 million based on previous months'
transaction volume. Based on information SEC received from the SROs in
mid-October concerning the actual volume of transactions, the amount of
claims receivable at September 30, 2007, for activity during the month
of September should have been $74.4 million. In addition, in
mid-October, one of the SROs submitted amended transaction volume to SEC
for the months March, April, May, and June 2007, reflecting an
additional receivable amount of approximately $75,000. In previous
years, SEC made adjustments to reflect the actual volume of
transactions; however, SEC does not have written procedures to help
ensure that these adjustments are made as a routine part of its
year-end financial reporting process. We proposed, and SEC posted, the
necessary audit adjustments to correct the amount of transaction fee
revenue and related receivable for fiscal year 2007.
Statement on Auditing Standards No. 1, Codification of Auditing
Standards and Procedures, which explains the accounting requirements
for subsequent events, requires that events or transactions that
existed at the date of the balance sheet and affect the estimates
inherent in the process of preparing financial statements should be
considered for adjustment to or disclosure in the financial statements
through the date that the financial statements are issued. In addition,
the concept of consistency in financial reporting provides that
accounting methods, including those for determining estimates, once
adopted, should be used consistently from period to period unless there
is good cause to change.
Recommendations:
We recommend that SEC take the following action to improve its
accounting for transaction fee revenue controls:
5. Establish and implement detailed written procedures for recording
transaction fee revenue and the related receivable, including
procedures for recognizing data received after the balance sheet date
but prior to issuance of the financial statements.
Preparing Financial Statement Disclosures:
In our review of SEC's year-end draft financial statement disclosures,
we noted numerous errors including misstated amounts, improper breakout
of line items, and amounts from fiscal year-end 2006 incorrectly
brought forward as beginning balances for fiscal year 2007. For
example, in its disclosure for Custodial Revenues and Liabilities, SEC
improperly excluded approximately $320 million in collections. In
another example, for its disclosure on Fund Balance with Treasury, SEC
misclassified approximately $90 million into incorrect line items.
Also, in its disclosure for Fiduciary Assets and Liabilities, SEC's
beginning balances for Fund Balance with Treasury and for Liability for
Fiduciary Activity were each misstated by $8.9 million due to errors in
carrying forward ending balances from September 30, 2006. We also noted
numerous instances in which amounts reported in the footnote
disclosures were not consistent with amounts presented in the financial
statements or Management's Discussion and Analysis. SEC revised the
financial statement disclosures to correct the errors that we noted in
its final year-end financial statements for fiscal year 2007. However,
correction of these errors required multiple revisions before all
errors were properly corrected.
We believe that these and numerous other errors in the disclosures were
due mainly to the lack of a documented timeline and process for
completing the fiscal year 2007 financial statements and disclosures,
including review of the disclosures. In addition, the cumbersome and
complicated nature of SEC's financial reporting process discussed above
did not allow SEC finance staff sufficient time to carry out thorough
and complete reviews of the disclosures in light of the November 15
reporting deadline.[Footnote 9]
Recommendations:
We recommend that SEC take the following action to improve its
financial statement disclosure preparation controls:
6. Establish and implement detailed written procedures for the
preparation and review of the financial statement disclosures,
including the comparison of financial statement disclosure amounts to
related information presented in the current and previous year
financial statements and Management's Discussion and Analysis.
Property and Equipment:
SEC's property and equipment consists of general-purpose equipment used
by the agency; capital improvements made to buildings leased by SEC for
office space; and internal-use software development costs for projects
in development and production. SEC acquired approximately $27 million
in property and equipment during fiscal year 2007. Similar to
our last year's audit, during the course of testing fiscal year 2007
additions, we noted numerous instances of inaccuracies in recorded
acquisition dates and costs for property and equipment purchases, as
well as unrecorded property and equipment purchases. We also identified
an internal control deficiency related to SEC's property receipt
function and errors in amounts capitalized and amortized for
internal-use software projects.
In 21 of the 53 unique personal property, leasehold improvement, and
software items we reviewed, SEC recorded items in subsidiary ledgers or
systems with incorrect acquisition dates which affected depreciation
calculations. In 12 instances, the incorrect acquisition dates were
related to software items SEC recorded on a quarterly basis, rather
than in the month of acquisition. SEC has since changed from quarterly
to monthly recording of software items. In the remaining 9 instances,
SEC recorded items using the incorrect acquisition dates due to
administrative errors. In addition to the 21 errors we identified,
there were 5 instances for which SEC lacked reliable documentation of
receipt date.
Also during our testing, we noted eight instances in which SEC
incorrectly recorded property costs. SEC incorrectly recorded costs
based on contracts or purchase orders rather than invoices. We also
identified approximately $200,000 in unrecorded additions to SEC's
telephone system. This omission from SEC's property ledger is in
addition to approximately $2.5 million in telephone equipment which we
identified in our previous audit and SEC failed to record during fiscal
year 2006 or to correct during fiscal year 2007.
Contributing to the cause of these errors is that SEC does not have a
formalized, documented process for comparing quantity and type of item
received against the corresponding order for property purchases. Seven
of the 23 personal property items we reviewed did not have sufficient
evidence of this comparison. SEC's draft Property Management Manual,
scheduled for implementation during calendar year 2008, calls for the
Assistant Property Management Officer to "ensure that receipts are
matched against Purchase Orders as a condition of acceptance and
payment." However, SEC's guidance does not prescribe a standardized
form to document this review. A lack of standardized, documented review
procedures increases the risk that SEC will accept, pay for, and record
property not yet received.
SEC's property subsidiary system is not integrated with the general
ledger. SEC uses a spreadsheet to calculate depreciation and
amortization related to additions to existing property items. We found
formula errors in these calculations, which we communicated to SEC in
September 2007. SEC subsequently corrected these systemic errors, but
this situation highlights the risks associated with the lack of an
integrated financial management system and the need for additional
compensating control procedures.
Overall, these systemic errors did not materially affect the balances
reported for property and equipment or the corresponding depreciation
and amortization expense amounts in SEC's financial statements for
fiscal year 2007. However, these conditions evidence a significant
deficiency in control over the recording of property and equipment that
affects the reliability of its recorded balances for property and
equipment. Further, SEC's lack of an integrated financial management
system for accounting for property and equipment, as discussed above,
requires compensating procedures, which were not effective, to ensure
that manual calculations, such as those for depreciation and
amortization, are accurate. Until it has a systemic process that
incorporates effective controls over receiving, recording,
capitalizing, and amortizing property and equipment purchases, SEC will
not have sufficient assurance over the accuracy and completeness of its
reported balances for property and equipment.
Recommendations:
We recommend that SEC, in addition to our previous recommendations in
this area which are included in enclosure I, take the following actions
to improve its property and equipment controls:
7. Establish and implement controls over invoiced property costs and
dates to ensure that property and equipment acquisitions are accurately
recorded in the relevant subsidiary ledgers for personal property,
leasehold improvement, and software.
8. Establish and implement controls to ensure proper calculation of
depreciation and amortization of additions to existing items over the
remaining useful lives of the associated items.
Accounting for Budgetary Resources:
For fiscal year 2007, SEC incurred $877 million in obligations, which
represents legal liabilities against funds available to SEC to pay for
goods and services ordered. At September 30, 2007, SEC reported that
the amount of budgetary resources obligated for undelivered orders was
$255 million, which reflects obligations for goods or services that had
not been delivered or received as of that date. In our testing of
undelivered order transactions for this year's audit, we identified
several concerns over SEC's accounting for obligations and undelivered
orders. Specifically, we found numerous instances in which SEC (1)
recorded obligations prior to having documentary evidence of a binding
agreement for the goods or services, (2) recorded invalid undelivered
order transactions due to an incorrect posting configuration in SEC's
general ledger, and (3) made errors in recording new obligations and
deobligations due to the use of incorrect accounts and by posting
incorrect amounts in the general ledger.
During our interim and year-end testing of obligation activity we
identified 12 instances in which SEC recorded obligations prior to the
signing or execution of a written contract. We also found one instance
where funds were obligated with the expectation that a contract would
be ratified, but the ratification request was later denied. SEC does
not have policies or internal controls to prevent recording of
obligations that are not valid. Recording obligations prior to having
documentary evidence of a binding agreement for the goods and services
is a violation of the recording statute,[Footnote 10] and may result in
funds being reserved unnecessarily and therefore made unavailable for
other uses should the agreement not materialize. Early recording of
obligations also may result in charging incorrect fiscal year funds for
an agreement executed in a later fiscal year.
We noted approximately $76 million in general ledger posting errors,
including both upward and downward adjustments to prior-year
undelivered orders. Due to a system error, deobligations of funds in
1-year Treasury Account Fund Symbols (TAFS) did not process correctly,
materially overstating both the upward and downward adjustment
accounts. This process results in the need to routinely correct
entries. Extensive reviews of the adjusting journal entries are needed
to compensate for the system limitations. This process unnecessarily
complicated transaction processing and caused SEC to misstate various
line items on the Statement of Budgetary Resources. While SEC
identified and manually corrected this error for fiscal year 2007,
there is a risk that, if the error is not corrected in the financial
management system, SEC could materially misstate its Statement of
Budgetary Resources in future periods.
In addition to the systemic posting errors, we noted several additional
errors impacting SEC's budgetary accounting. SEC incorrectly recorded
new obligations by posting incorrect amounts in the general ledger. For
example, in 8 of the 147 items we tested, SEC recorded obligations at
incorrect amounts, due to either recording obligations early using the
requisition amounts instead of the final contract amounts or making
administrative errors. In addition, SEC made errors in recording
deobligations due to administrative errors in posting amounts to the
incorrect accounts. We identified approximately $1 million in net
errors in which SEC's financial management system did not properly
process downward adjustments of prior-year funds in no-year TAFS. SEC's
financial management system improperly treats all budget years
maintained in this fund as current-year funds, thereby understating
downward adjustments for those years.
Overall, the majority of exceptions related to these issues were
corrected by SEC through adjusting journal entries. While the remaining
uncorrected amounts did not materially affect the balances on the
Statement of Budgetary Resources at September 30, 2007, ineffective
processes that caused these errors constitute a significant deficiency
in SEC's internal control over recording and reporting of obligations,
and put SEC at risk that the amounts recorded in the general ledger and
reported on SEC's Statement of Budgetary Resources are misstated.
Recommendations:
We recommend that SEC take the following actions to improve its
budgetary accounting controls:
9. Correct general ledger system configurations to properly account for
upward and downward adjustments of prior-years' undelivered orders in
accordance with the U.S. Standard General Ledger.
10. Establish and implement controls over obligation-related entries
(including original obligations, corrections, and deobligations) to
ensure the use of correct U.S. Standard General Ledger accounts and the
recording of correct amounts.
11. Clarify administrative control of funds guidance and document the
responsibilities of the staff performing obligation-related activities
with regard to recording obligations in accordance with the recording
statute.
12. Establish and implement controls to ensure that SEC staff adheres to
existing policies and procedures to prevent violations of the recording
statute.
Other Issues:
Although not considered to be a significant deficiency, the following
weaknesses warrant management's consideration.
Certification of Employees' Time Cards, Documentation of Monitoring of
Time Card Certification, and Approval of Personnel Actions:
We identified three internal control issues with regard to payroll
transactions. Specifically, these issues concern the certification of
employees' time cards, the documentation of monitoring procedures over
time card certification, and the approval of personnel actions.
During our fiscal year 2007 audit, we noted nine instances in which
time cards were improperly certified by lower-level employees. We
previously noted concerns with administrative officers approving time
cards for higher-level employees on a regular basis during fiscal year
2006.
SEC time and attendance (T&A) policies instruct that each organization
designate timekeepers who are responsible for initiating time cards and
designate supervisors or managers as certifiers who have responsibility
for reviewing the accuracy of time cards. The T&A instructions state
that administrative officers may certify time cards for higher-level
officials for emergency situations only.
As noted above, during our fiscal year 2006 audit, we found cases in
which administrative officers improperly certified time cards of
higher-level employees on a regular basis. We communicated this finding to SEC
officials in August 2006. In response to our finding, SEC's Office of
Human Resources (OHR) began to actively monitor the level of employees
certifying time cards to determine compliance with its current stated
policy. During our fiscal year 2007 audit, we observed SEC's monitoring
of time card certifications for a particular pay period. However, SEC
did not document when the monitoring took place, what was monitored, or
what the monitoring found. Lack of documentation of these control procedures may
delay or prevent SEC management from becoming aware that monitoring of
time card certifications has ceased or that there are instances of
employees certifying higher-level officials' time cards on an other
than emergency basis.
Consistent with GAO's Standards for Internal Control in the Federal
Government,[Footnote 11] internal control should be clearly documented,
and the documentation readily available for examination. According to
SEC's OHR, development of this documentation will be undertaken after
determining how best to document its monitoring of time card
certifications.
Also, during our interim testing of payroll, we compared selected
personnel actions on the employee roster against Standard Form-50
("Notification of Personnel Action") documentation and identified one
employee who approved a valid personnel action for an increase in his
own salary without evidence of additional review from another level of
management. According to GAO's Standards for Internal Control in the
Federal Government, "key duties and responsibilities need to be divided
or segregated among different people to reduce the risk of error,
waste, or fraud." In addition, "no one individual should control all
key aspects of a transaction or event." Because one individual
performed incompatible duties regarding his own personnel actions,
there is a risk of fraud.
Recommendations:
We recommend that SEC, in addition to our previous recommendations in
this area which are included in enclosure I, take the following actions
to improve its payroll controls:
13. Establish and implement procedures for documenting evidence of
monitoring of time card certifications and include procedures to
document any identified exceptions.
14. Segregate key responsibilities over the approval of personnel
actions so that no one individual approves his own personnel action.
Agency Comments:
In providing written comments on a draft of this report, the SEC
Chairman stated his commitment to remediate the control deficiencies
this fiscal year. The SEC Chairman reported several actions SEC has
already taken to address financial reporting processes, documentation,
and controls, and summarized SEC's Corrective Action Plan (CAP) to
address GAO's recommendations. The Chairman cited developing a fully
integrated financial management system as the keystone of SEC's CAP to
remediate the deficiencies relative to system integration,
noncompliance with U.S. Standard General Ledger (SGL) at the
transaction level, and compensating controls. The Chairman noted that
remediation strategies are presented in the CAP in terms of both short-
term solutions that are expected to be achieved this fiscal year and
long-term solutions that will achieve greater efficiency,
effectiveness, and risk mitigation by minimizing reliance on detective
controls. Specifically, the short-term strategies are to develop or
improve process documentation; overlay manual processes with additional
compensating controls as needed; implement SGL-compliant posting
models; and implement process improvements to enhance efficiencies and
effectiveness of internal controls and monitor performance. The long-
term strategies are to automate integration of financial management
systems and to comply with the SGL at the transaction level. We will
evaluate SEC's actions and initiatives during our fiscal year 2008
audit.
SEC's written comments are reprinted in enclosure II of this report.
This report contains recommendations to you. The head of a federal
agency is required by 31 U.S.C. § 720 to submit a written statement on
actions taken on the recommendations to the Senate Committee on
Homeland Security and Governmental Affairs and the House Committee on
Oversight and Government Reform not later than 60 days from the date of
this report. A written statement also must be sent to the House and
Senate Committees on Appropriations with the agency's first request for
appropriations made more than 60 days after the date of this report.
This report is intended for use by management of SEC. We are sending
copies of this report to the Chairman and Ranking Members of the Senate
Committee on Banking, Housing, and Urban Affairs; the Senate Committee
on Homeland Security and Governmental Affairs; the House Committee on
Financial Services; and the House Committee on Oversight and Government
Reform. We are also sending copies to the Secretary of the Treasury,
the Director of the Office of Management and Budget, and other
interested parties. In addition, this report will be available at no
charge on our Web site at [hyperlink, http://www.gao.gov].
We acknowledge and appreciate the cooperation and assistance provided
by SEC management and staff during our audit of SEC's fiscal years 2007
and 2006 financial statements. If you have any questions about this
report or need assistance in addressing these issues, please contact me
at (202) 512-9471 or by e-mail at franzelj@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report.
Sincerely yours,
Signed by:
Jeanette M. Franzel:
Director:
Financial Management and Assurance:
Enclosures - 3:
Enclosure I:
Table 1: Recommendations from 2004 Audit Reported as Open at Conclusion
of 2006 Audit:
Audit area/recommendation: Disgorgements and penalties: 1. Implement a
system that is integrated with the accounting system or that provides
the necessary input to the accounting system to facilitate timely,
accurate, and efficient recording and reporting of disgorgement and
penalty activity;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Disgorgements and penalties: 2. Implement
controls so that the ongoing activities involving disgorgements and
penalties are properly, accurately, and timely recorded in the
accounting system;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Disgorgements and penalties: 3. Develop and
implement written policies covering the procedures, documentation,
systems, and responsible personnel involved in recording and reporting
disgorgement and penalty financial information. The written procedures
should also address quality control and managerial review
responsibilities and documentation of such a review;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Financial statement preparation and
reporting: 4. Consider a "formal closing" of all accounts at an interim
date(s), which will reduce the level of accounting activity and
analysis required at year end. The formal closing entails ensuring that
all transactions are recorded in the proper period through month's end;
Status of recommendation: Closed: X;
Status of recommendation: Open: [Empty].
Audit area/recommendation: Financial statement preparation and
reporting: 5. Develop or acquire an integrated financial management
system to provide timely and accurate recording of financial data for
financial reporting and management decision making;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Property and equipment leases: 6. Review all
existing leases for property and equipment to determine if they should
be capitalized or expensed and make any necessary adjustments to the
related general ledger balances;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Property and equipment leases: 7. Develop
policies and procedures to properly account for future property and
equipment leases on an ongoing basis;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Closing recommendation to address Federal
Managers' Financial Integrity Act weaknesses: 8. Require documented
support and review of SEC's corrective actions to provide evidence that
actions taken in response to audit recommendations fully correct
identified deficiencies prior to closing out the audit issues in the
tracking system;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Source: GAO.
Note: Recommendations made in GAO-05-691R and GAO-05-693R.
[End of table]
Table 2: Recommendations from 2005 Audit Reported as Open at Conclusion
of 2006 Audit:
Audit area/recommendation: Financial statement preparation and
reporting: 1. Determine cutoff dates for significant account balances
that are both appropriate and practical to facilitate interim financial
reporting and meeting year-end financial reporting deadlines;
Status of recommendation: Closed: X;
Status of recommendation: Open: [Empty].
Audit area/recommendation: Disgorgements and penalties: Develop,
document in writing, and implement comprehensive policies, procedures,
and controls over disgorgement and penalty transactions that include
the following (see items 2-5):
Audit area/recommendation: Disgorgements and penalties: 2. An
accounting policy for disgorgements and penalties that will provide SEC
management with reasonable assurance that the subsidiary ledger for
disgorgement/penalty receivables is accurate and complete;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Disgorgements and penalties: 3. The type of
documentation and procedures needed to record the termination or waiver
of a debt and the proper notification and communication for approved
terminations and waivers, such that management has assurance that only
valid and approved terminations are recorded;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Disgorgements and penalties: 4. The
recording of activity by case for fiduciary balances, including monthly
reconciliations and management review, to ensure that balances by case
are accurate;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Disgorgements and penalties: 5. The
initiation, recording, and monitoring of investments, including the
monthly reconciliation of investment activity, to provide assurance
that these fiduciary amounts are accurate and complete;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Responsibilities of contracting officer's
technical representative (COTR): 6. Clarify guidance regarding policies
and procedures (as described in SECR 10-8 and SECR 10-15) for the
COTR's responsibilities and take actions to help ensure existing
policies and procedures are being followed consistently;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Internal review of filing fee calculations:
7. Take action to help ensure that its policy on recalculating fee-
bearing filing amounts is consistently followed;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Internal review of filing fee calculations:
8. Take action to help ensure that the recalculation of the required
filing fees is clearly documented;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Compliance with Prompt Payment Act: 9. Take
action to help ensure that the policy requiring the timely return of
improper invoices to the vendor to allow for timely payment is
followed;
Status of recommendation: Closed: X;
Status of recommendation: Open: [Empty].
Source: GAO.
Note: Recommendations from GAO-06-459R.
[End of table]
Table 3: Recommendations from 2006 Audit:
Audit area/recommendation: Property and equipment: 1. Include, in its
updated property management policies, detailed procedures for recording
proper acquisition costs and dates in its asset-tracking system, and
take steps to ensure that these procedures are being consistently
implemented;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Property and equipment: 2. Implement
procedures requiring periodic comparisons of related details in
disbursement and property/equipment subsidiary records to identify any
unrecorded purchases that satisfy established capitalization criteria;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Property and equipment: 3. Implement
procedures to ensure that internal use software project managers have a
complete and consistent understanding of the requirements that should
govern compilation of cost data submitted for capitalization, including
consideration of joint Office of Information Technology and Office of
Financial Management (OFM) training to software project managers on the
requirements of applicable generally accepted accounting principles;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Property and equipment: 4. Implement
procedures whereby OFM staff routinely review capitalized amounts for
software projects against supporting documentation to provide
additional assurance that the recorded amounts are accurate and
complete;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Payroll system access, approval of time and
attendance records, and process documentation: 5. Evaluate the overall
effectiveness of its actions taken in response to our findings
regarding payroll and personnel action processing, when fully
implemented, to determine whether any modifications, additional
actions, or both are needed;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Audit area/recommendation: Comparison of furniture and equipment
received and ordered: 6. Retain, in its updated property management
policy, a procedure to document comparison of quantity and type of item
received with the corresponding purchase order, and take actions to
ensure that the comparisons are being consistently documented;
Status of recommendation: Closed: [Empty];
Status of recommendation: Open: X.
Source: GAO.
Note: Recommendations made in GAO-07-482R.
[End of table]
Enclosure II:
Comments from the Securities and Exchange Commission:
Christopher Cox:
Chairman:
Headquarters:
100 F Street, NE:
Washington, DC 20549:
Regional Offices:
Atlanta, Boston, Chicago:
Denver, Fort Worth:
Los Angeles, Miami, New York:
Philadelphia, Salt Lake City:
San Francisco:
United States:
Securities And Exchange Commission:
March 21, 2008:
Ms. Jeanette M. Franzel:
Director:
Financial Management and Assurance:
Government Accountability Office:
441 G Street N.W.:
Washington, DC 20548:
Dear Ms. Franzel:
Thank you for the opportunity to review and comment on the draft report
of the Government Accountability Office (GAO) entitled Internal
Control: Improvements Needed in SEC's Accounting and Financial
Reporting Process, GAO-08-461R. The report presents recommendations
for improvements to internal control as identified in the GAO's
financial statement audit of the Securities and Exchange Commission
(SEC) for fiscal years 2007 and 2006.
I am pleased that the GAO's FY 2007 audit found that the SEC's
financial statements and notes were presented fairly, in all material
respects, in conformity with U.S. generally accepted accounting
principles. However, the GAO found that the SEC did not maintain
effective internal control over financial reporting as of September 30,
2007. Because no material weakness is acceptable, we are committed to
remediating the control deficiencies this fiscal year.
The SEC takes its responsibility for financial reporting very
seriously. As the GAO found in the FY 2007 audit report, the SEC
improved its controls over the accuracy, timeliness, and completeness
of the disgorgement and penalty data and used a much improved database
for the initial recording and tracking of these data. The GAO also
noted that the SEC continued to make progress in resolving deficiencies
in information security. In 2007, the SEC took the opportunity afforded
by significant turnover in senior financial positions to fully review
and evaluate existing financial reporting policies and procedures.
During fiscal year 2007, the SEC committed extensive resources to
improving financial reporting processes, documentation and controls.
The SEC began the evaluation of manual processes and controls used to
integrate subsidiary data sources with the General Ledger and initiated
systematic improvements to those processes and controls. This review of
policies and procedures and completion of related documentation will
continue in fiscal year 2008.
In order to fully remediate the control deficiencies this fiscal year,
we have prepared a comprehensive Corrective Action Plan (CAP) which
builds on the efforts initiated in fiscal year 2007. On February 7,
2008, the SEC provided your office with the draft FY 2008 Corrective
Action Plan for Remediation of Internal Control Deficiencies. Work has
already begun on several fronts. The plan specifically addresses
the recommendations made by GAO. We welcome your feedback regarding any
aspect of this plan and its completeness in addressing the concerns
outlined by GAO.
Developing a fully integrated financial management system is the
keystone of the SEC's Corrective Action Plan to remediate the
deficiencies identified by the GAO. Fully integrated financial
management systems and compliance with the U.S. Standard General
Ledger (SGL) at the transaction level are fundamental requirements for
federal financial management systems. The SEC's lack of automated
system integration is the underlying cause of the system non-
conformance reported. Currently, data is manually entered at a
summary level; however, compliance with SGL is required at the
transaction, or detail, level. The deficiencies in internal control
over financial reporting are attributable to ineffective compensating
controls over the manual processes and spreadsheets supporting
financial statement balances that, in the desired state, will be
replaced by fully automated integration.
We have developed remediation strategies to address the deficiencies
found relative to system integration, non-compliance with SGL at the
transaction level, and compensating controls. The strategies are
presented in the Corrective Action Plan in terms of both long-term and
short-term solutions. The short-term strategies represent improvements
that are expected to be achieved this fiscal year. We are confident
that these additional compensating controls will be successful in
mitigating the risk associated with manual processes. The long-term
solution will achieve greater efficiency, effectiveness and risk
mitigation by minimizing reliance on detective controls.
The short-term strategies are to develop or improve process
documentation; overlay manual processes with additional compensating
controls as needed; implement SGL compliant posting models; and
implement process improvements to enhance efficiencies and
effectiveness of internal controls and monitor performance. In FY 2008,
the SEC will continue to take a risk-based approach to ensure that
process and procedural documentation is in place, as discussed above.
The documentation will be comprehensive enough that management and
auditors can clearly ascertain who is performing the control
activities, the frequency of the control activities and how they are
performed and evidenced. The SEC's first quarter 2008 financial
statements were prepared using the newly documented methodologies.
In addition, the SEC is eliminating manual data handling and the use of
multiple labor-intensive spreadsheets by automating the generation of
financial statements. The implementation of a central data repository
for financial statement preparation and analysis will mitigate the risk
and the internal control deficiencies identified by the GAO. The
automated tool has been run in parallel with the existing process for
preparation of the monthly statements since December. The SEC will
fully implement the tool beginning with the second quarter statements.
The long-term strategies are to automate integration of financial
management systems to eliminate manual processes and comply with SGL at
the transaction level. System integration will eliminate the need for
the bulk of the manual data manipulation and entry currently required,
resulting in enhanced timeliness, accuracy and reliability of
the data, while reducing the need to maintain redundant schedules. The
ability to fully comply with the SGL at the transaction level is
dependent on SEC's ability to integrate or interface all transactional
activity with Momentum, which is currently being upgraded to
accommodate the necessary integration. Nonetheless, substantial
compliance may be demonstrated in the short-term through eliminating
use of unconventional posting models and other limitations that prevent
proper recordation as discussed above.
As Chairman, I take the SEC's responsibility over financial reporting
very seriously. I remain committed to improving the SEC's financial
integrity and operational efficiencies so that the agency can lead by
example when it comes to establishing and maintaining effective
internal control over financial reporting. I appreciate your support
of these efforts and look forward to continuing our productive dialogue
during the course of this year's audit.
Thank you again for the opportunity to comment on this report. If you
have any questions relating to our response, please contact our Chief
Financial Officer, Kristine Chadwick, at 202-551-7840.
Sincerely,
Signed by:
Christopher Cox:
Chairman:
cc: Diego Ruiz
Kristine Chadwick:
[End of section]
Enclosure III:
Summary of Audit Scope and Methodology:
To fulfill our responsibilities as auditor of the financial statements
of the Securities and Exchange Commission (SEC), we did the
following[Footnote 12]:
* Examined, on a test basis, evidence supporting the amounts and
disclosures in the financial statements.
* Assessed the accounting principles used and significant estimates
made by SEC management.
* Evaluated the overall presentation of the financial statements.
* Obtained an understanding of SEC and its operations, including its
internal control related to financial reporting and compliance with
laws and regulations.
* Obtained an understanding of the recording, processing, and
summarizing of performance measures as reported in Management's
Discussion and Analysis.
* Tested relevant internal controls over financial reporting and
compliance with applicable laws and regulations, and evaluated the
design and operating effectiveness of internal control.
* Considered SEC's process for evaluating and reporting on internal
control and financial management systems under the Federal Managers'
Financial Integrity Act of 1982.
* Tested compliance with selected provisions of the following laws and
their related regulations: the Securities Exchange Act of 1934, as
amended; the Securities Act of 1933, as amended; the Antideficiency
Act; laws governing the pay and allowance system for SEC employees; the
Prompt Payment Act; and the Federal Employees' Retirement System Act of
1986.
We requested comments on a draft of this report from the Chairman of
SEC. We received written comments from SEC and summarized the comments
in our report. We conducted our audit in accordance with U.S. generally
accepted government auditing standards.
[End of section]
Footnotes:
[1] GAO, Financial Audit: Securities and Exchange Commission's
Financial Statements for Fiscal Years 2007 and 2006, GAO-08-167
(Washington, D.C.: Nov. 16, 2007).
[2] The internal control issues concerning information security are
discussed in a separate report: GAO, Information Security: Securities
and Exchange Commission Needs to Continue to Improve Its Program,
GAO-08-280 (Washington, D.C.: Feb. 29, 2008).
[3] We made recommendations in our internal control reports issued as
part of our fiscal years 2004, 2005, and 2006 SEC financial statement
audits: GAO, Material Internal Control Issues Reported in SEC's Fiscal
Year 2004 Financial Statement Audit Report, GAO-05-691R (Washington,
D.C.: July 27, 2005); Management Report: Opportunities for Improvements
in SEC's Internal Controls and Accounting Procedures, GAO-05-693R
(Washington, D.C.: Aug. 12, 2005); Internal Control: Improvements
Needed in SEC's Accounting and Financial Reporting Procedures,
GAO-06-459R (Washington, D.C.: Apr. 21, 2006); and GAO, Internal Control:
Improvements Needed in SEC's Accounting and Operational Procedures,
GAO-07-482R (Washington, D.C.: Apr. 3, 2007).
[4] A material weakness is a significant deficiency or combination of
significant deficiencies that results in more than a remote likelihood
that a material misstatement of the financial statements will not be
prevented or detected.
[5] A significant deficiency is a control deficiency, or combination of
deficiencies, that adversely affects the entity's ability to initiate,
authorize, record, process, or report financial data reliably in
accordance with generally accepted accounting principles such that
there is more than a remote likelihood that a misstatement of the
entity's financial statements that is more than inconsequential will
not be prevented or detected.
[6] GAO-05-691R, GAO-05-693R, GAO-06-459R, and GAO-07-482R.
[7] GAO-08-167.
[8] A disgorgement is the repayment of illegally gained profits (or
avoided losses) for distribution to harmed investors whenever feasible.
A penalty is a monetary payment from a violator of securities law that
SEC obtains pursuant to statutory authority. A penalty is fundamentally
a punitive measure, although penalties occasionally can be used to
compensate harmed investors.
[9] OMB directs executive branch agencies to issue their audited
financial statements by November 15 for the preceding fiscal year
ending on September 30. OMB Circular No. A-136, Financial Reporting
Requirements, § I.5 (rev. June 27, 2007).
[10] An amount shall be recorded as an obligation of the U.S.
Government only when supported by documentary evidence of a binding
agreement between an agency and another person (including an agency)
that is in writing and executed before the end of the period of
availability for obligation of the appropriation. 31 U.S.C. §
1501(a)(1). Under the plain terms of the statute, an oral agreement may
not be recorded as an obligation. See GAO, Principles of Federal
Appropriations Law, vol. 2, 3rd ed., GAO-06-382SP (Washington, D.C.:
February 2006), page 7-15.
[11] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[12] For further, more detailed, explanation of our audit scope and
methodology, see the discussion in our related financial audit report
(GAO-08-167).
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: