This is the accessible text file for GAO report number GAO-09-376R entitled 'Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures' which was released on April 2, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. April 2, 2009: The Honorable Mary L. Schapiro: Chairman: U.S. Securities and Exchange Commission: Subject: Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures: Dear Ms. Schapiro: On November 14, 2008, we issued our opinion on the U.S. Securities and Exchange Commission's (SEC) fiscal years 2008 and 2007 financial statements. We also issued our opinion on the effectiveness of SEC's internal control over financial reporting (including safeguarding of assets) and over compliance as of September 30, 2008, and our evaluation of SEC's compliance with selected provisions of laws and regulations during fiscal year 2008.[Footnote 1] The purpose of this report is to present issues identified during our fiscal year 2008 audit of SEC's internal controls and accounting procedures and to recommend actions to address these issues. Accordingly, in this report we are making 19 recommendations to SEC to strengthen internal controls and accounting procedures. These recommendations are in addition to 24 remaining recommendations included in prior year audits of SEC's financial statements that still need to be fully addressed. See enclosure I. Results in Brief: As part of our audit of SEC's fiscal years 2008 and 2007 financial statements, we identified three significant deficiencies[Footnote 2] in internal control, which although not material weaknesses,[Footnote 3] represent deficiencies in the design or operation of internal control that could adversely affect SEC's ability to meet its internal control objectives. These significant deficiencies concerned controls over (1) information security,[Footnote 4] (2) property and equipment, and (3) accounting for budgetary resources. We also identified other internal control issues that, although not considered material weaknesses or significant deficiencies, warrant SEC management's consideration. These issues concern: * documenting accounting procedures, * reviewing accounting entries, * reporting Freedom of Information Act (FOIA)[Footnote 5] fees, * adding footnote disclosure for disgorgement and penalty[Footnote 6] activities, * estimating allowance for loss amounts for disgorgement and penalty accounts receivables, * safeguarding cash receipts related to disgorgement and penalty payments, * recording disgorgement and penalty transactions in Momentum,[Footnote 7] * processing personnel actions and certifying employees' time cards, and: * considering Office of Compliance Inspections and Examinations (OCIE) inspection results. At the end of our discussion of each of these issues in the following sections, we make recommendations for strengthening SEC's internal controls or accounting procedures. In addition, enclosure I provides the status of recommendations from our prior audits that were reported as open in our April 1, 2008, management report.[Footnote 8] These recommendations are intended to bring SEC into conformance with the standards for internal control[Footnote 9] to be followed by all federal agencies and to minimize the risk of future misstatements in SEC's financial statements. As presented in enclosure I, during fiscal year 2008, SEC took action to fully address 10 of the 34 recommendations from our prior audits that we had reported as open in our April 1, 2008 management report.[Footnote 10] In providing written comments on a draft of this report, the SEC Chairman highlighted accomplishments during fiscal year 2008, and expressed her commitment to continuing remediation efforts to resolve these control deficiencies. Further, the Chairman discussed SEC's short- term and long-term strategies for addressing the three significant deficiencies GAO identified. In order to fully address GAO's recommendations, the Chairman stated that SEC is preparing a corrective action plan which builds on SEC's ongoing efforts initiated in fiscal year 2008. Scope and Methodology: As part of our audit of SEC's fiscal years 2008 and 2007 financial statements, we evaluated SEC's internal controls and tested its compliance with selected provisions of laws and regulations. We designed our audit procedures to test relevant controls over financial reporting, including those designed to provide reasonable assurance that transactions are properly recorded, processed, and summarized to permit the preparation of the financial statements in conformity with U.S. generally accepted accounting principles, and that assets are safeguarded against loss from unauthorized acquisition, use, or disposition. We requested comments on a draft of this report from the SEC Chairman. SEC's written comments are reprinted in enclosure II. We conducted our audit in accordance with U.S. generally accepted government auditing standards and Office of Management and Budget (OMB) audit guidance. Further details on our scope and methodology are included in our November 2008 report on our audits of SEC's fiscal years 2008 and 2007 financial statements[Footnote 11] and are summarized in enclosure III. Property and Equipment: SEC's property and equipment consists of general-purpose equipment used by the agency, capital improvements made to buildings leased by SEC for office space, and internal-use software development costs for projects in development and production. During fiscal year 2008, SEC acquired approximately $17 million in property and equipment and reported a net property and equipment balance of $84 million at September 30, 2008. As with our prior year's audit, we found continuing concerns with SEC's controls over property and equipment such as ineffective controls related to SEC's property receipt function, errors in amounts capitalized for internal-use software projects, and inaccuracies in recorded acquisition costs for property and equipment purchases. To address our previous audit findings in this area, in fiscal year 2008, SEC implemented a new property and equipment subsidiary ledger system that is integrated with its general ledger accounting system, and also developed new policies and procedures for recording property transactions. However, our testing of property and equipment acquisitions processed under this new system found that the controls over the receipt and acceptance of assets were not operating effectively, which caused errors in SEC's recording of new property and equipment purchases. These control deficiencies resulted from (1) incorrect system design configurations and (2) a lack of training on the use of the new system in conjunction with the new accounting processes for property and equipment purchases. Specifically, the new property and equipment system was intended to link the receipt of capitalizable furniture and equipment purchases recorded in the property and equipment subsidiary ledger to the general ledger. However, this link was not properly configured to automatically post the appropriate accounting entries for capitalizing such purchases in SEC's general ledger. As a result, such acquisitions were recorded as expenses instead of as assets to be depreciated over the useful life. This system error resulted in unrecorded property and equipment additions and overstated expenses. Also, we observed that not all staff involved in the process for capitalizing software additions had been fully trained and the document that was intended to provide guidance to the staff on how to enter transaction data into the new system had not yet been finalized prior to the system's implementation. A contributing factor to these internal control deficiencies was SEC's decision to implement the new property and equipment system in July 2008, late into the fiscal year, without sufficient time to fully test the system configurations or train its users prior to the end of its fiscal year. SEC finalized its guidance and corrected the design configurations in September 2008, enabling the purchase transactions to automatically post to the proper accounts in the general ledger as of the end of the fiscal year. However, SEC personnel continued to incorrectly record property and equipment purchases because they were still not familiar with the new system processes, resulting in ongoing asset capitalization errors. To compensate for the system configuration issues and lack of user training on the new processes, SEC performed a labor-intensive reconciliation and review of property additions acquired during the fourth quarter of fiscal year 2008 and made adjusting entries to correct capitalization errors and properly report related account balances at September 30, 2008. As in our prior year's audit, during the course of testing fiscal year 2008 property additions, we identified many instances of inaccurate amounts capitalized for internal-use software projects and in recorded acquisition costs for property and equipment purchases. For example, our review found that for 8 of the 10 capitalized software additions with related federal employee costs we tested, SEC used an incorrect salary rate when capitalizing the related federal employee costs. Because SEC's calculation of federal employee costs related to capitalized software amounts was not automated, manual spreadsheets were used for the calculation. SEC's time and attendance system, Quicktime, is not currently configured to calculate these employee costs through the use of project codes in the system. This calculation error resulted in SEC's overstating assets by approximately $2.3 million at June 30, 2008. While SEC recorded an adjusting entry to correct this overstatement at June 30, our year-end testing of property and equipment additions continued to identify substantive errors resulting from SEC's continued incorrect calculation of federal employee costs. These issues indicate a need for improved oversight and review of accounting for property transactions. SEC's written guidance for property and equipment did not include procedures for performing and documenting oversight and review processes for these transactions. SEC corrected most of the substantive errors we identified and the remaining uncorrected errors did not materially affect the balances reported for property and equipment or the corresponding depreciation/ amortization expense amounts in SEC's financial statements for fiscal year 2008. However, these continuing conditions, along with the issues we found this year with the new system implementation, evidence a significant deficiency in internal control over the recording of property and equipment that affects the reliability of its related financial statement balances. Consistent with Standards for Internal Control in the Federal Government,[Footnote 12] SEC should have controls in place to provide reasonable assurance that its financial transactions are completely and accurately recorded. Until users are adequately trained in using the new property and equipment system and processes, and oversight and review processes over accounting for property and equipment transactions are strengthened, SEC does not have sufficient assurance that property and equipment transactions will be completely, consistently, or accurately recorded or reported. To address certain deficiencies discussed here and other internal control deficiencies over property and equipment, we reaffirm five open recommendations from our prior audits, detailed in enclosure I. Recommendations: We also recommend that the Chairman take the following additional actions to improve controls over property and equipment: (1) Provide training for all appropriate employees on entering and processing transactions related to property and equipment purchases in the new property and equipment system. (2) Develop and implement procedures for performing and documenting oversight and review processes over property and equipment transactions. (3) Develop and implement procedures for the use of project codes in Quicktime to automate the calculation of federal employee costs related to capitalized software amounts. Accounting for Budgetary Resources: For fiscal year 2008, SEC's Statement of Budgetary Resources (SBR) reflects approximately $916 million in obligations incurred, which represent legal liabilities against funds available to SEC to pay for goods and services ordered. At September 30, 2008, $157 million of those obligations represented undelivered orders for goods and services ordered but not yet delivered or received as of that date. SEC's SBR also reports offsetting collections[Footnote 13] of approximately $986 million. These primarily represent fees SEC collected from self- regulatory organizations (e.g., stock exchanges and the Financial Industry Regulatory Authority (FINRA))[Footnote 14] and registrants[Footnote 15] that Congress has also appropriated in annual appropriation acts.[Footnote 16] SEC offsets its appropriation for the fiscal year using these offsetting collections and then sets aside the balance for future years, and reports these amounts as offsetting collections temporarily precluded from obligations. We identified the same types of problems in SEC's accounting for these budgetary activities this year as we reported for fiscal year 2007. We continued to find many instances in which SEC (1) recorded invalid obligation-related transactions due to incorrect posting configurations in SEC's general ledger, (2) did not maintain documentation of authorizations for downward adjustments to prior-year undelivered orders, and (3) recorded obligations prior to having documentary evidence of a binding agreement for the goods or services. We also identified two internal control deficiencies related to SEC's accounting for offsetting collections. Specifically, we identified (1) revenue-related transactions that were invalid due to additional incorrect posting configurations in SEC's general ledger and (2) incomplete and incorrect written procedures for general ledger entries used to account for returning appropriated funds to the U.S. Treasury. During fiscal year 2008, SEC addressed some problems related to incorrect posting configurations in its general ledger; however, several such problems continued. Specifically, we found that SEC's general ledger was not properly configured to post the proper accounting entries for upward and downward adjustment transactions. SEC corrected this posting-logic configuration error for single-year funds[Footnote 17] during this year's audit. However, the incorrect posting configurations for the bulk of its funds, no-year funds,[Footnote 18] were not yet corrected as of September 30, 2008. In fiscal year 2008, SEC recorded approximately $83.8 million in adjusting entries to correct transaction errors resulting from these incorrect posting configurations. SEC has acknowledged this problem and has stated that correcting these remaining posting configuration errors is a high priority in fiscal year 2009. Downward adjustments to obligations incurred occur as part of SEC's process for monitoring undelivered orders. The purpose of this monitoring is to promptly deobligate funds no longer needed so these budgetary resources can be used to fund other activities or obligations during the time frame that those funds are available. For all 43 statistically selected downward adjustments we tested, we found no documentary evidence of review and approval of the transactions. SEC's written instructions for the review of undelivered orders did not provide guidance or requirements for documenting review and approval of downward adjustment transactions. Consistent with Standards for Internal Control in the Federal Government,[Footnote 19] internal control should be clearly documented, and the documentation readily available for examination. During our testing of obligation activity, we identified five instances in which SEC recorded obligations prior to the signing (i.e., executing) of a written contract. SEC's administrative control of funds guidance did not clearly document the responsibilities of the staff performing obligation-related activities with regard to recording obligations in accordance with the recording statute. Recording obligations prior to having documentary evidence of a binding agreement for the goods and services is a violation of the recording statute,[Footnote 20] and may result in funds being reserved unnecessarily and therefore made unavailable for other uses should the agreement not materialize. Early recording of obligations also may result in charging incorrect fiscal year funds for an agreement executed in a later fiscal year. In fiscal year 2007, SEC changed its method of accounting for user fees collected in excess of current-year appropriations. However, in fiscal year 2008, we found that SEC had not yet implemented a corresponding reconfiguration of its system to post offsetting collection transactions as the transactions occurred in accordance with its accounting change. These incorrect entries resulted in an overstatement of SEC's total budgetary resources and amounts available for obligation. To compensate for this system limitation, SEC performed a manual review of the general ledger activity for these transactions and made correcting entries. In fiscal year 2008, SEC made adjustments of approximately $983.7 million to properly record these fees in the appropriate budgetary accounts. SEC's written guidance for funds management details the series of accounting entries for recording its offsetting collections and related transactions, including the return of appropriated funds to the U.S. Treasury. However, based on our analysis, we determined that SEC's guidance was not complete and included the use of an incorrect general ledger account. Specifically, the series of accounting entries detailed in SEC's guidance (1) did not include accounting entries needed to properly reflect the balances in the general ledger accounts for "unexpended appropriations used" and "expended appropriations" and (2) cited an incorrect general ledger account to use for recording the return of appropriated funds to the U.S. Treasury. Although the process document was inaccurate, SEC performed a manual review of the general ledger activity for these transactions and made adjusting entries to properly reflect the balances in its general ledger for "unexpended appropriations used" and "expended appropriations," and used the appropriate general ledger account for recording the return of appropriated funds to the U.S. Treasury. However, incomplete or inaccurate written guidance for accounting for offsetting collections can lead to erroneous accounting for the status of SEC's appropriated amounts, particularly in the event of employee turnover, especially because these entries occur infrequently rather than routinely. Although SEC was able to identify most of the errors and make corresponding adjustments, the ineffective processes that caused these errors constitute a significant deficiency in SEC's internal control over recording and reporting obligations and revenue, and put SEC at risk that the amounts recorded in the general ledger and reported on SEC's Statement of Budgetary Resources could be misstated in the future. To address certain deficiencies discussed here and other internal control deficiencies over SEC's accounting for its budgetary activities, we reaffirm four open recommendations from our prior audits, detailed in enclosure I. Recommendations: We also recommend that the Chairman take the following additional actions to improve SEC's budgetary accounting controls: (4) Develop and implement formal operating procedures for monitoring undelivered orders to include guidance for documenting review and approval of downward adjustment transactions. (5) Correct general ledger configurations to properly record offsetting collections as these transactions occur. (6) Update the written guidance for funds management to include correct accounting entries and use of correct general ledger accounts for recording offsetting collections transactions. Other Issues: Although not considered to be significant deficiencies, the following weaknesses also warrant management consideration. Documenting Accounting Procedures: During this year's audit, we observed that SEC lacked detailed written procedures for several of its accounting processes that precede the general ledger closing process and generation of financial statements. We noted the absence of formally approved desktop procedures to provide detailed instructions for the tasks to be performed, the location of files on the shared network drive, and descriptions of relevant spreadsheet formulas. Specifically, we noted a lack of desktop procedures for the analysis, calculation, and recording of advances and prepayments; the preparation and analysis of the Investments and Fair Funds Summary file; and the preparation of the Journal Voucher Log Master, which is used to create an interface for posting certain transactions or adjusting journal entries into the general ledger. SEC's procedures did not provide detailed instructions needed for performing each task, including internal control procedures to be followed and the manner for documenting the controls associated with the tasks performed. These are elements of detailed procedures necessary to ensure continuity of the efficient performance of key accounting procedures and timely and reliable financial reporting in the event of employee turnover. Standards for Internal Control in the Federal Government[Footnote 21] states that management is responsible for developing detailed policies, procedures, and practices to fit the agency's operations and to ensure that they are built into and are an integral part of operations to meet the agency's objectives. One such objective is timely and reliable financial reporting. Moreover, the standards state that internal control should be clearly documented and the documentation readily available for examination. The documentation should appear in management directives, administrative policies, or operating manuals and may be in paper or electronic form. All documentation and records should be properly managed and maintained. Recommendation: We recommend that the Chairman take the following action to improve controls over accounting procedures that precede the general ledger closing process and generation of financial statements: (7) Develop and implement a desktop procedures manual that provides detailed instructions for performing each key accounting process preceding the general ledger closing process; the associated internal control to be followed for each step, as applicable; and the manner for documenting compliance with these controls. Reviewing Accounting Entries: SEC uses journal vouchers (JV) for recording transactions and making, correcting, or adjusting entries. During our audit, we noted many instances of undocumented or ineffective supervisory review of accounting entries. Our interim control testing of 45 statistically selected JVs recorded during the 9 months ended June 30, 2008, identified 32 instances in which individual JVs lacked documentation of supervisory review and approval. In addition, while reviewing JVs related to undelivered orders, we noted that the reviewer of one JV did not detect an error in the approval documentation during the review. Specifically, we noted that the summary JV entry sheet had an incorrect amount and that it was signed by a preparer, reviewer, and approver. Although the correct amount was recorded in the general ledger, this error is evidence of a lack of a thorough and complete review. SEC's written guidance for JVs did not include descriptions of the steps to be performed and the documentation required for supervisory-level review. We also found instances in which the documentation supporting certain JVs that were reviewed, approved, and posted in the general ledger contained errors that were not detected as part of the JV review process. For example, our test of property and equipment transactions identified spreadsheet formula errors for capitalizing staff costs for certain internal-use software. The monthly reported Capitalized Costs for Federal Staff was recorded using a quarterly rate for all full-time equivalents (FTE) instead of a monthly rate. We brought these errors to SEC's attention and SEC made a $2.3 million correcting entry. This correcting entry was recorded using a new mechanism for recording activity in the general ledger--the standard voucher (SV) entry--which was implemented when SEC upgraded its general ledger system late in fiscal year 2008. However, we noted errors in SEC's correcting entry and an additional FTE calculation error, which were not detected during the review process. Moreover, SEC has not prepared written guidance for when to use SV or JV entries. Consistent with Standards for Internal Control in the Federal Government,[Footnote 22] SEC should have controls in place to provide reasonable assurance that its financial transactions are recorded completely and accurately. Recommendations: We recommend that the Chairman take the following actions to improve controls over accounting entries: (8) Develop and implement written procedures for the preparation and review of accounting entries to include descriptions of the steps to be performed and the documentation required for supervisory-level review of all supporting documentation. (9) Develop and implement written procedures providing guidance for when to use JV or SV entries. Reporting FOIA Fees: In fiscal year 2008, SEC collected approximately $94,000 in fees from the public for providing information under FOIA. Because the fees collected were for payment of services that SEC provided, these fees are exchange revenues. We noted, however, that SEC did not account for and report these fees as exchange revenues and instead reported the activity in its fiscal year 2008 Statement of Custodial Activity as part of Total Custodial Revenue due to an incorrect interpretation of federal accounting principles. We noted that SEC's Balance Sheet Compilation Methodology specifies that FOIA fees should be reported as custodial liabilities. Although the amount was not material, such reporting was nevertheless inconsistent with U.S. generally accepted accounting principles (GAAP) and federal financial reporting requirements. Specifically, Statement of Federal Financial Accounting Standards No. 7, Accounting for Revenue and Other Financing Sources and Concepts for Reconciling Budgetary and Financial Accounting, states that exchange revenues arise when a government entity provides goods and services to the public or to another government entity for a price.[Footnote 23] In addition, OMB Circular No. A-136, Financial Reporting Requirements, requires federal entities to report the full amount of exchange revenue on the Statement of Net Cost or a supplementary schedule, regardless of whether the entity is permitted to retain the revenues in whole or in part. Any portion of exchange revenue that cannot be retained by the entity is reported as a transfer-out on the Statement of Changes in Net Position.[Footnote 24] Recommendation: We recommend that the Chairman take the following action to improve SEC's reporting for FOIA fees: (10) Develop and implement procedures to account for the receipt of FOIA fees in accordance with GAAP and federal financial reporting requirements. Adding Footnote Disclosure for Disgorgement and Penalty Activities: In fiscal year 2008, SEC changed its method of presentation for the receipt, accounting, and disposition of all disgorgement-related assets stemming from actions against violators of federal securities laws. Historically, SEC treated disgorgement-related receivables as custodial activity and the collection and investment of disgorgements and penalties as fiduciary activity. Beginning in fiscal year 2008, SEC treated all activity related to disgorgement and penalties as non- entity assets under control of SEC with an equal and offsetting liability on the balance sheet. As of September 30, 2008, SEC reported a liability for disgorgement and penalties balance of $3.1 billion. As a result of this reporting change, we noted that the source and disposition of SEC's disgorgement and penalty activities were no longer disclosed in the financial statement footnotes as they had been in previous years. According to the Federal Accounting Standards Advisory Board's (FASAB) Concept Statement No. 1, "financial reporting should be reliable; to be reliable, financial reporting needs to be comprehensive. Nothing material should be omitted from the information necessary to represent faithfully the underlying events and conditions, nor should anything be included that would likely cause the information to be misleading to the intended report user." Although there is no specific requirement for reporting the source and disposition of disgorgement and penalty activities, this is a significant and material SEC activity and, therefore, disclosure of these activities would result in more comprehensive and transparent financial reporting. Recommendation: We recommend that the Chairman take the following action to improve disclosure of SEC's disgorgement-and penalty-related activities: (11) Develop procedures for including in the footnotes to the financial statements disclosure and explanations about the source and disposition of SEC's disgorgement and penalty activities. Estimating Allowance for Loss Amounts for Disgorgement and Penalty Accounts Receivables: In fiscal year 2008, we noted significant improvements in SEC's process for recording disgorgement and penalty transactions. However, our audit work in fiscal year 2008 identified issues that raise overall concerns about SEC's methodology for establishing a reasonable allowance for loss on uncollectible disgorgement and penalty receivables. SEC bases the allowance for uncollectible amounts and the related provision for estimated losses for disgorgement and penalty accounts receivable on a collectibility analysis. Specifically, on a quarterly basis, SEC's Office of Financial Management (OFM) identifies the largest, "top 25," debts for review by the Division of Enforcement (Enforcement). The top 25 debts made up about 80 percent of the net accounts receivable balance during fiscal year 2008. Enforcement makes a determination as to the collectibility of each debt so that an appropriate allowance amount can be applied against the receivable and communicates this determination to OFM. For the remaining accounts receivable balances, OFM applies a percentage, based on historical collection data, to reflect the balances at their estimated net realizable value. At September 30, 2008, SEC reported a gross receivable balance of $434 million with an offsetting allowance of $346 million for disgorgement and penalties receivable. During our review of the allowance for loss on disgorgement and penalty accounts receivable at June 30, 2008, we identified instances in which the amount of allowance fluctuated widely when the debt was identified as a top 25 debt in one quarter and then dropped from the top 25 debt list in another quarter. For example, we noted three debts that were listed in the top 25 debt list at March 31, 2008, with a collective receivable balance of $5.7 million. Enforcement had recommended a total allowance amount of $5.3 million for these debts, resulting in a net receivable balance of $400,000. At June 30, 2008, each of the three debts had fallen below the top 25 threshold and was removed from the top 25 debt list. Because the debts were no longer included in the top 25 debt list, OFM calculated a total allowance amount of $1.6 million for the three debts, based on the historical collection percentage. This change in the allowance calculation for these three debts resulted in an increase in the net receivable balance of $3.7 million at June 30, 2008. This type of fluctuation raises concern about the continued reasonableness of SEC's allowance methodology for disgorgement and penalty accounts receivable. Statement of Federal Financial Accounting Standards No. 1, Accounting for Selected Assets and Liabilities, states "the allowance for uncollectible amounts should be reestimated on each annual financial reporting date and when information indicates that the latest estimate is no longer correct." The standard further states, "to determine the loss allowance on a group basis, receivables should be separated into groups of homogeneous accounts with similar risk characteristics." SEC's current allowance methodology for its group analysis does not further separate the debts into any subgroups, such as aging of the receivables. During our review of the allowance for loss on disgorgement and penalty accounts receivable, we also identified instances in which SEC did not consistently implement its current methodology. For example, we identified a debt that was erroneously omitted from the top 25 debt list at December 31, 2007. Instead, OFM calculated an allowance of $1.2 million for this debt based on the historical collection percentage. This debt then appeared on the top 25 debt list at March 31, 2008, and was forwarded to Enforcement for review. Although Enforcement assessed this debt as fully collectible, OFM continued to apply a $1.2 million allowance against the debt at March 31, 2008. Enforcement's review of the collectibility of the top 25 debts is a key process for establishing a reasonable allowance for loss against the most significant disgorgement and penalties receivable balances. However, OFM's inconsistent implementation of the allowance methodology, specifically the use of Enforcement's collectibility assessments, puts SEC at risk that the process may not operate effectively and may result in a misstated net receivable balance. Recommendations: We recommend that the Chairman take the following actions to improve SEC's processes and controls over estimating collectibility for disgorgement and penalty accounts receivable: (12) Develop and implement procedures specifying how the collectibility assessments provided by Enforcement will be used by OFM, to include documentation requirements for instances in which an allowance amount other than Enforcement's assessment is recorded. (13) Reevaluate the reasonableness of the methodology used for calculating the allowance for loss on disgorgement and penalty accounts receivable, specifically evaluating whether the methodology should be revised to separate debts into risk-based groups when calculating the historical collection percentage and considering the effect of debts moving in and out of the top 25 debt list. Safeguarding Cash Receipts Related to Disgorgement and Penalty Payments: SEC receives checks for the payment of disgorgement and penalties as well as for other activities. Defendants required to pay disgorgement and penalty amounts are instructed to mail or hand deliver checks to SEC's Operations Center located in Alexandria, Virginia. During our review of SEC's cash receipt process at the Operations Center, we noted that SEC did not have sufficient safeguarding procedures over checks received, making the checks highly susceptible to misappropriation. Specifically, during our observation of the handling of the mail, we noted that the mail room was unsecured, the mail bins were not adequately safeguarded, and mail to be delivered to SEC's OFM was not placed in a locked bag. According to Standards for Internal Control in the Federal Government,[Footnote 25] an agency must establish physical control to secure and safeguard vulnerable assets including security for and limited access to assets such as cash. Recommendation: We recommend that the Chairman take the following action to ensure the safeguarding of disgorgement and penalty receipts: Develop and implement improved safeguarding procedures within SEC's Operations Center for checks received or establish a lockbox for the submission of checks to OFM and instruct defendants to mail checks to the lockbox. Recording Disgorgement and Penalty Transactions in Momentum: During fiscal year 2008, SEC upgraded its Momentum financial reporting system and implemented a new system module to automate and integrate accounts receivable transactions for disgorgement and penalties with the general ledger. Concurrent with the upgrade, SEC established and began using certain transaction codes in Momentum to record activity associated with receivable activity such as collections, write-offs, terminations, and discharges of disgorgement receivables. However, during our fourth quarter testing of disgorgement and penalty collections, we noted instances in which transaction information (such as document number, document title, and check number) was not entered consistently in accordance with SEC's written guidance. SEC's Accounts Receivable Procedures Guide provides guidance for entering transaction information into Momentum. However, these procedures were not being consistently implemented. Consistent with Standards for Internal Control in the Federal Government,[Footnote 26] SEC should have controls in place to provide reasonable assurance that its financial transactions are recorded completely and accurately. These instances of SEC staff not consistently following existing guidance in this area indicate that SEC staff could benefit from additional training on the proper use of the new system module and proper supervisory review of disgorgement and penalty transactions entered into Momentum. Although the issues did not result in a substantive misstatement of the collections amount at year-end, the errors did necessitate a time-consuming and labor-intensive reconciliation process. Without consistent recording of transactions, the risk is increased that disgorgement and penalty transactions are not completely and accurately recorded. Recommendations: We recommend that the Chairman take the following actions to improve SEC's controls over recording disgorgement and penalty transactions: (15) Provide training to staff on the proper use of the new system module and the proper procedures for recording disgorgement and penalty transactions in Momentum. (16) Modify existing guidance to provide for a timely and documented supervisory review of all disgorgement and penalty transactions entered in Momentum to ensure that transactions are entered completely and accurately. Processing Personnel Actions and Certifying Employees' Time Cards: During our fiscal year 2008 audit, we identified issues related to SEC's implementation of its policies over the processing of personnel actions and certification of employees' time cards. Specifically, we found that a Standard Form-50 (SF-50), Notification of Personnel Action, was not approved until 5 weeks after the effective separation date. Without adequate controls over the processing of separation actions, SEC is at risk that erroneous payroll expenses will be incurred. We also found numerous instances in which the SF-50s did not include the signature of the authorizing official. Specifically, we found that 42 percent of the SF-50s we reviewed did not include the signature of the Director of the Office of Human Resources. Without proper approval of personnel actions, SEC is at risk that unauthorized payroll actions will be processed. Moreover, as we have consistently found in our prior audits of SEC,[Footnote 27] we found instances in which employee time cards were improperly certified by lower-level employees. Although SEC implemented Quicktime in fiscal year 2008, the system has not been configured to prevent lower-level employees from approving higher-level employees' time cards. Standards for Internal Control in the Federal Government[Footnote 28] state that internal control activities help ensure that management's directives are carried out, that these control activities occur at all levels and functions of the entity, and that they include a wide range of diverse activities such as approvals and authorizations, among others. To address certain deficiencies discussed here and other internal control deficiencies over SEC's payroll controls, we reaffirm three open recommendations from our prior audits, detailed in enclosure I. Recommendations: We also recommend that the Chairman take the following additional actions to improve its controls over payroll processing: (17) Develop procedures for implementing management's policy on the authorization and validation of personnel actions and the timely processing of such actions. (18) Configure Quicktime to preclude lower-level employees from approving higher-level employees' time cards. Considering OCIE Inspection Results: SEC collects securities transaction fees paid by self-regulatory organizations (SRO) (e.g., stock exchanges and FINRA) to SEC for stock transactions. According to Section 31 of the Securities Exchange Act of 1934 (Exchange Act), SRO transaction fees are payable to SEC twice a year.[Footnote 29] SEC calculates the fees due and bills the SROs based on actual transaction volume reported on a monthly basis by the SROs to SEC. Securities transaction-fee revenue totaled $795 million in fiscal year 2008. SEC's OCIE conducts annual inspections of SROs to monitor compliance with the Exchange Act. In its 2008 FINRA Section 31 Inspection Report, OCIE noted that on September 26, 2008, FINRA paid SEC a settled amount of unpaid Section 31 fees totaling $12.2 million. This settled amount represented underreported Section 31 fees for the years 2004 through 2007. OCIE also reported on other fee-reporting errors identified by FINRA, resulting in an additional underpayment of at most $3.75 million, although the precise amount was not yet known at September 30, 2008. Our discussion with OFM officials informed us that OFM does not consider the impact of OCIE inspection results on the related accounts and reported revenue in the agency financial statements. In addition, SEC's written guidance for recording Section 31 fees did not include procedures for the review and consideration of OCIE inspection results. Consistent with Standards for Internal Control in the Federal Government,[Footnote 30] SEC should have controls in place to provide reasonable assurance that its financial transactions are recorded completely and accurately. Although the underpayment amounts identified in the current-year inspection report did not materially affect the financial statements at September 30, 2008, future OCIE inspection results could have a significant or material effect on the balances presented in the financial statements. Without proper consideration of the results of the OCIE inspections, the risk is increased that the balances presented in the financial statements may be misreported. Recommendation: We recommend that the Chairman take the following action to improve SEC's controls over securities transaction-fee revenue: (19) Develop and implement procedures for the review and consideration of OCIE inspection results by OFM as part of its process for recording Section 31 fees. Agency Comments: In providing written comments on a draft of this report, the SEC Chairman stated her commitment to continuing remediation efforts to resolve the control deficiencies GAO identified. The SEC Chairman reported several actions SEC took during fiscal year 2008 toward remediation of the deficiencies, including upgrading SEC's core financial system. The SEC Chairman stated that SEC will continue to address the three significant deficiencies by employing both short-term strategies expected to be completed this fiscal year and long-term strategies expected to be completed in fiscal year 2010. Specifically, the SEC Chairman cited the short-term strategies to develop or improve process documentation, overlay manual processes with additional compensating controls as needed, implement standard general ledger (SGL) compliant posting models, and implement process improvements to enhance efficiencies and effectiveness of internal controls and monitor performance. Further, the SEC Chairman cited the long-term solution is an automated, fully integrated financial management system that will eliminate manual processes, minimize reliance on detective controls, and comply with SGL requirements at the transaction level. In order to fully address GAO's recommendations, the SEC Chairman stated that SEC is preparing a corrective action plan which builds on SEC's ongoing efforts initiated in fiscal year 2008. The SEC Chairman also stated that SEC is finalizing a position paper on the treatment of FOIA fee revenues. We will evaluate the effectiveness of SEC's actions, strategies, and plans during our fiscal year 2009 audit. SEC's written comments are reprinted in enclosure II of this report. This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on the recommendations to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform not later than 60 days from the date of this report. A written statement also must be sent to the House and Senate Committees on Appropriations with your agency's first request for appropriations made more than 60 days after the date of this report. This report is intended for use by SEC management. We are sending copies of this report to the Chairman and Ranking Members of the Senate Committee on Banking, Housing, and Urban Affairs; the Senate Committee on Homeland Security and Governmental Affairs; the House Committee on Financial Services; and the House Committee on Oversight and Government Reform. We are also sending copies to the Secretary of the Treasury, the Director of the Office of Management and Budget, and other interested parties. In addition, this report is available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. We acknowledge and appreciate the cooperation and assistance provided by SEC management and staff during our audit of SEC's fiscal years 2008 and 2007 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact me at (202) 512-9471 or franzelj@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Sincerely yours, Signed by: Jeanette M. Franzel: Managing Director: Financial Management and Assurance: [End of section] Enclosure I: Status of Recommendations from Prior Audits Reported as Open in GAO's 2007 Management Report[Footnote 31] Audit area/recommendation: GAO-05-691R and GAO-05-693-R: Disgorgement and penalties: 1. Implement a system that is integrated with the accounting system or that provides the necessary input to the accounting system to facilitate timely, accurate, and efficient recording and reporting of disgorgement and penalty activity; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-05-691R and GAO-05-693-R: Disgorgement and penalties: 2. Implement controls so that the ongoing activities involving disgorgements and penalties are properly, accurately, and timely recorded in the accounting system; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-05-691R and GAO-05-693-R: Disgorgement and penalties: 3. Develop and implement written policies covering the procedures, documentation, systems, and responsible personnel involved in recording and reporting disgorgement and penalty financial information. The written procedures should also address quality control and managerial review responsibilities and documentation of such a review; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-05-691R and GAO-05-693-R: Financial statement preparation and reporting: 4. Develop or acquire an integrated financial management system to provide timely and accurate recording of financial data for financial reporting and management decision making; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-05-691R and GAO-05-693-R: Property and equipment leases: 5. Review all existing leases for property and equipment to determine if they should be capitalized or expensed and make any necessary adjustments to the related general ledger balances; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-05-691R and GAO-05-693-R: Property and equipment leases: 6. Develop policies and procedures to properly account for future property and equipment leases on an ongoing basis; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-05-691R and GAO-05-693-R: Closing recommendation to address Federal Managers' Financial Integrity Act weaknesses: 7. Require documented support and review of SEC's corrective actions to provide evidence that actions taken in response to audit recommendations fully correct identified deficiencies prior to closing out the audit issues in the tracking system; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-06-459R: Disgorgement and penalties: Develop, document in writing, and implement comprehensive policies, procedures, and controls over disgorgement and penalty transactions that include the following (see items 1-4): 1. An accounting policy for disgorgements and penalties that will provide SEC management with reasonable assurance that the subsidiary ledger for disgorgement/penalty receivables is accurate and complete; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-06-459R: Disgorgement and penalties: Develop, document in writing, and implement comprehensive policies, procedures, and controls over disgorgement and penalty transactions that include the following (see items 1-4): 2. The type of documentation and procedures needed to record the termination or waiver of a debt and the proper notification and communication for approved terminations and waivers, such that management has assurance that only valid and approved terminations are recorded; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-06-459R: Disgorgement and penalties: Develop, document in writing, and implement comprehensive policies, procedures, and controls over disgorgement and penalty transactions that include the following (see items 1-4): 3. The recording of activity by case for fiduciary balances, including monthly reconciliations and management review, to ensure that balances by case are accurate; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-06-459R: Disgorgement and penalties: Develop, document in writing, and implement comprehensive policies, procedures, and controls over disgorgement and penalty transactions that include the following (see items 1-4): 4. The initiation, recording, and monitoring of investments, including the monthly reconciliation of investment activity, to provide assurance that these fiduciary amounts are accurate and complete; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-06-459R: Responsibilities of contracting officer's technical representative (COTR): 5. Clarify guidance regarding policies and procedures (as described in SECR 10-8 and SECR 10-15) for the COTR's responsibilities and take actions to help ensure existing policies and procedures are being followed consistently; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-06-459R: Internal review of filing fee calculations: 6. Take action to help ensure that its policy on recalculating fee- bearing filing amounts is consistently followed; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-06-459R: Internal review of filing fee calculations: 7. Take action to help ensure that the recalculation of the required filing fees is clearly documented; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-07-482R: Property and equipment: 1. Include, in its updated property management policies, detailed procedures for recording proper acquisition costs and dates in its asset-tracking system, and take steps to ensure that these procedures are being consistently implemented; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-07-482R: Property and equipment: 2. Implement procedures requiring periodic comparisons of related details in disbursement and property/equipment subsidiary records to identify any unrecorded purchases that satisfy established capitalization criteria; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-07-482R: Property and equipment: 3. Implement procedures to ensure that internal use software project managers have a complete and consistent understanding of the requirements that should govern compilation of cost data submitted for capitalization, including consideration of joint Office of Information Technology and Office of Financial Management (OFM) training to software project managers on the requirements of applicable generally accepted accounting principles; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-07-482R: Property and equipment: 4. Implement procedures whereby OFM staff routinely review capitalized amounts for software projects against supporting documentation to provide additional assurance that the recorded amounts are accurate and complete; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-07-482R: Property and equipment: Payroll system access, approval of time and attendance records, and process documentation: 5. Evaluate the overall effectiveness of its actions taken in response to our findings regarding payroll and personnel action processing, when fully implemented, to determine whether any modifications, additional actions, or both are needed; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-07-482R: Comparison of furniture and equipment received and ordered: 6. Retain, in its updated property management policy, a procedure to document comparison of quantity and type of item received with the corresponding purchase order, and take actions to ensure that the comparisons are being consistently documented; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-08-461R: Period-end financial reporting process: 1. Integrate subsystems that process significant accounting data with the general ledger; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Period-end financial reporting process: 2. Until subsystems are fully integrated, develop and implement documented data reliability checks for data extracted from nonintegrated subsidiary systems, including spreadsheets. These data reliability checks should include supervisory review; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Period-end financial reporting process: 3. Prepare written procedures which describe explicitly the steps required to accomplish and document each significant activity in the general ledger closing process and in the generation of the financial statements, including related disclosures; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-08-461R: Disgorgement and penalties accounts receivable: 4. Develop and implement controls over the calculation of disgorgement and penalties accounts receivable, including the reliability of data downloaded from Phoenix and the accuracy of spreadsheet cell formulas and related methodologies; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Accounting for transaction fee revenue: 5. Establish and implement detailed written procedures for recording transaction fee revenue and the related receivable, including procedures for recognizing data received after the balance sheet date but prior to issuance of the financial statements; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-08-461R: Preparing financial statement disclosures: 6. Establish and implement detailed written procedures for the preparation and review of the financial statement disclosures, including the comparison of financial statement disclosure amounts to related information presented in the current and previous year financial statements and Management's Discussion and Analysis; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-08-461R: Property and equipment: 7. Establish and implement controls over invoiced property costs and dates to ensure that property and equipment acquisitions are accurately recorded in the relevant subsidiary ledgers for personal property, leasehold improvement, and software; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Property and equipment: 8. Establish and implement controls to ensure proper calculation of depreciation and amortization of additions to existing items over the remaining useful lives of the associated items; Status of recommendation: Closed: X; Status of recommendation: Open: [Empty]. Audit area/recommendation: GAO-08-461R: Accounting for budgetary resources: 9. Correct general ledger system configurations to properly account for upward and downward adjustments of prior-years' undelivered orders in accordance with the U.S. Standard General Ledger; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Accounting for budgetary resources: 10. Establish and implement controls over obligation-related entries (including original obligations, corrections, and deobligations) to ensure the use of correct U.S. Standard General Ledger accounts and the recording of correct amounts; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Accounting for budgetary resources: 11. Clarify administrative control of funds guidance and document the responsibilities of the staff performing obligation- related activities with regard to recording obligations in accordance with the recording statute; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Accounting for budgetary resources: 12. Establish and implement controls to ensure that SEC staff adheres to existing policies and procedures to prevent violations of the recording statute; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Certification of employees' time cards, documentation of monitoring of time card certification, and approval of personnel actions: 13. Establish and implement procedures for documenting evidence of monitoring of time card certifications and include procedures to document any identified exceptions; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Audit area/recommendation: GAO-08-461R: Certification of employees' time cards, documentation of monitoring of time card certification, and approval of personnel actions: 14. Segregate key responsibilities over the approval of personnel actions so that no one individual approves his own personnel action; Status of recommendation: Closed: [Empty]; Status of recommendation: Open: X. Source: GAO. Note: Recommendations from GAO-05-691R, GAO-05-693R, GAO-06-459R, GAO- 07-482R, and GAO-08-461R.Enclosure II: [End of table] [End of section] Enclosure II: Comments from the U.S. Securities and Exchange Commission: United States: Securities And Exchange Commission: Washington, D.C. 20549: The Chairman: March 24, 2009: Ms. Jeanette M. Franzel: Director: Financial Management and Assurance: Government Accountability Office: 441 G Street, N.W.: Washington. DC. 20548: Dear Ms. Franzel: Thank you for the opportunity to review and comment on the draft report of the Government Accountability Office (GAO) entitled Internal Control: Improvements Needed in SEC's Accounting and Financial Reporting Process, GAO-09-376R, The report presents recommendations for improvements to internal control as identified in the GAO's financial statement audit of the Securities and Exchange Commission (SEC) for fiscal years 2007 and 2008. I am pleased that the GAO's FY 2008 audit found that the SEC's financial statements and notes were presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles. I am also pleased that GAO concluded that the SEC no longer had a material weakness in internal control over its financial reporting process. The elimination of this material weakness validates our remediation approach and is encouraging as we continue our efforts to improve SEC internal control in the future. However, the GAO found significant deficiencies in three areas: information security, property and equipment, and accounting for budgetary resources as of September 30, 2008. We are committed to continuing our remediation efforts to resolve these items. In our response to last year's GAO report on improvements needed on internal controls. we stated that developing a fully integrated financial management system was the keystone of the SEC's Corrective Action Plan to remediate the deficiencies identified by the GAO. In FY 2008 we accomplished the first step toward full integration of the SEC's financial management systems by upgrading the agency's core financial system, Momentum. The upgraded system provides full integration of accounts payable; accounts receivable, including disgorgements and penalties: purchasing; and property, plant. and equipment (PP&E) transactions with the general ledger. The system improvements eliminated a significant amount of manual data handling of material financial balances. resulting in enhanced timeliness, accuracy. and reliability of financial information and greater transparency in financial processes. In addition to this major FY 2008 accomplishment, the SEC made the following improvements in its financial management system: * The SEC improved process documentation for financial reporting and period-end closes in order to address the lack of documented procedures cited by GAO as the cause for deficiencies related to transaction fee revenues and preparing financial statement disclosures. * The SEC eliminated the labor-intensive use of multiple spreadsheets by automating the generation of financial statements and analytical reports. This step allowed the SEC to use automated rule-based validation and data integrity cheeks to perform quality assurance and identify abnormalities or inconsistencies. * The SEC utilized best practices to enhance several other SEC financial management business processes. improving the effectiveness and efficiency of internal control and increasing transparency. Most importantly, disgorgement and penalty disbursements are now accomplished through Momentum using standard disbursement processes. Previously the disbursements were made using an exception process, bypassing the framework of controls available through both Momentum and the standard Treasury certification and disbursement processes. In FY 2009, the SEC will address the three significant deficiencies identified by GAO and will continue to strengthen internal control, by employing both short-term and long-term strategies. The short-term strategics for this fiscal year are to develop or improve process documentation: overlay manual processes with additional compensating controls as needed; implement standard general ledger (SGL) compliant posting models: and implement process improvements to enhance efficiencies and effectiveness of internal controls and monitor performance. In FY 2009, the SEC will continue to take a risk-based approach to ensure that process and procedural documentation is in place and updated as systems are changed. The documentation will he comprehensive and permit management and auditors to ascertain clearly who is performing the control activities, the frequency of the control activities, and how they are performed and evidenced. The long-term solution is an automated, full integrated financial management system that will eliminate manual processes. minimize reliance on detective controls, and comply with SGI, requirements at the transaction level. System integration will eliminate the need for the bulk of the manual data manipulation and entry currently required, resulting in enhanced timeliness, accuracy and reliability of the data, while reducing the need to maintain redundant schedules. The ability to fully comply with the SGL at the transaction level is dependent on SEC's ability to integrate or interface all transactional activity with Momentum. which is being enhanced to accommodate the necessary integration. As the next steps towards full integration of its financial management systems, the SEC will automate the manual interfaces currently in place for accounts receivable and PP&E, the manual process for investments and financial statements generation, and footnotes disclosure. The SEC will continue this effort as a top priority in FY 2009, and expects to complete this project in FY 2010. In order to fully address the control deficiencies specifically referenced in the draft report, as well as the recommendations made in the "Other Issues" section, we are preparing a corrective action plan which builds on our ongoing efforts initiated in fiscal year 2008. We will provide the plan to you in the near future, along with requests to close GAO recommendations that we feel our recent FY 2009 actions have addressed. We are also interested in discussing further with your team the GAO recommendations regarding the treatment of Freedom of information Act revenues. Because this issue came up at the very end of the E Y 2008 audit, it was not the subject of a "Matters for Consideration" discussion, nor Ms. Jeanette M. Franzel was the issue addressed in the GAO audit report. We are currently finalizing a position paper on this subject and look forward to presenting it to you for resolution. As Chairman, I take the SEC's responsibility over financial reporting very seriously. I am committed to improving the SEC's financial integrity and operational efficiencies, so that the agency can lead by example when it comes to establishing and maintaining effective internal control over financial reporting. I appreciate your support of these efforts and look forward to continuing our productive dialogue during the course of this year's audit. Thank you again for the opportunity to comment on this report. If you have any questions relating to our response, please contact our Chief Financial Officer, Kristine Chadwick. at (202) 55I- 7l40. Sincerely, Signed by: Mary Schapiro: Chairman: [End of section] Enclosure III: Summary of Audit Scope and Methodology[Footnote 32] To fulfill our responsibilities as auditor of the financial statements of the Securities and Exchange Commission (SEC), we did the following: * Examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements. * Assessed the accounting principles used and significant estimates made by SEC management. * Evaluated the overall presentation of the financial statements. * Obtained an understanding of SEC and its operations, including its internal control related to financial reporting and compliance with laws and regulations. * Tested relevant internal controls over financial reporting and compliance with applicable laws and regulations, and evaluated the design and operating effectiveness of SEC's internal control. * Considered SEC's process for evaluating and reporting on internal control and financial management systems under the Federal Managers' Financial Integrity Act of 1982. * Tested compliance with selected provisions of the following laws and their related regulations: the Securities Exchange Act of 1934, as amended; the Securities Act of 1933, as amended; the Antideficiency Act; the Debt Collection Improvement Act; laws governing the pay and allowance system for SEC employees; the Prompt Payment Act; and the Federal Employees' Retirement System Act of 1986. We requested comments on a draft of this report from the SEC Chairman. We received written comments from SEC and summarized the comments in our report. We conducted our audit in accordance with U.S. generally accepted government auditing standards and OMB audit guidance. Footnotes: [1] GAO, Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Years 2008 and 2007, [hyperlink, http://www.gao.gov/products/GAO-09-173] (Washington, D.C.: Nov. 14, 2008). [2] A significant deficiency is a control deficiency, or combination of deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is more than a remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected. [3] A material weakness is a significant deficiency or combination of significant deficiencies that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. [4] The internal control issues concerning information security are discussed in a separate report. Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls, [hyperlink, http://www.gao.gov/products/GAO-09-203] (Washington, D.C.: Mar. 16, 2009). [5] FOIA , codified, as amended, at 5 U.S.C.§ 552, provides the public with a legal right of access to information and documents controlled by the U.S. government. The act requires federal agencies to make such information and documents available for inspection and copying in response to a public disclosure request, unless an applicable exemption applies that partially or fully limits disclosure. Under this act, federal agencies are permitted to charge fees to cover the cost of providing the information. [6] A disgorgement is the repayment of illegally gained profits (or avoided losses) for distribution to harmed investors whenever feasible. A penalty is the monetary payment from a violator of securities law that SEC obtains pursuant to statutory authority. A penalty is fundamentally a punitive measure, although penalties occasionally can be used to compensate harmed investors. [7] Momentum is a database application used to record some of SEC's accounting transactions, to maintain its general ledger, and to maintain some of the information SEC uses to produce financial reports. [8] GAO, Internal Control: Improvements Needed in SEC's Accounting and Financial Reporting Process, [hyperlink, http://www.gao.gov/products/GAO-08-461R] (Washington, D.C.: Apr. 1, 2008). [9] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [10] [hyperlink, http://www.gao.gov/products/GAO-08-461R]. [11] [hyperlink, http://www.gao.gov/products/GAO-09-173]. [12] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [13] Offsetting collections are amounts SEC receives from business-like transactions with the public (e.g., fees for filing registration statements), which SEC is authorized to credit to appropriations accounts for future obligation. The Securities Act of 1933 (15 U.S.C. § 77a et seq.) and the Securities Exchange Act of 1934 (15 U.S.C. § 78a et seq.) require SEC to assess certain fees and credit them as offsetting collections. [14] FINRA (a corporation that was formerly known as the National Association of Securities Dealers (NASD)) is a self-regulatory organization under the Securities Exchange Act of 1934 and is responsible for regulatory oversight of all securities firms that do business with the public; professional training, testing, and licensing of registered persons; arbitration and mediation; market regulation by contract for the New York Stock Exchange, the NASDAQ Stock Market, Inc., the American Stock Exchange LLC, and the International Securities Exchange, LLC; and industry utilities, such as Trade Reporting Facilities and other over-the-counter operations. [15] Registrants are corporations that register with the SEC their securities, tender offer, merger, and other transactions as required by law under the Securities Act of 1933 and the Securities Exchange Act of 1934. [16] The 2008 appropriation for SEC appropriated $906 million for SEC's necessary expenses and further required SEC to use the offsetting collections it receives during the year to reduce amounts appropriated from the General Fund of the U.S. Treasury. See Financial Services and General Government Appropriations Act, 2008, Pub. L. No. 110-161, div. D, tit. V, 121 Stat. 1972, 2010 (Dec. 26, 2007). [17] Single-year funds represent annual budget authority that is available for obligation during only 1 fiscal year or less. [18] No-year funds represent budget authority where the appropriation of budget authority or the authorization of the appropriation may make all or some portion of the amount available until expended. That means that, without further legislation, the funds remain available to incur obligations against the appropriation for an indefinite period of time. [19] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [20] An amount shall be recorded as an obligation of the U.S. government only when supported by documentary evidence of a binding agreement between an agency and another person (including an agency) that is in writing and executed before the end of the period of availability for obligation of the appropriation. 31 U.S.C. § 1501(a)(1). Under the plain terms of the statute, an oral agreement may not be recorded as an obligation. See GAO, Principles of Federal Appropriations Law, vol. 2, 3RD ed., GAO-06-382SP (Washington, D.C.: February 2006), at pages 7-15 for a discussion of these principles. [21] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [22] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [23] Para. 2. [24] Section II.4.4.4, Earned Revenues. [25] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [26] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [27] [hyperlink, http://www.gao.gov/products/GAO-08-461R]. [28] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [29] Securities Exchange Act of 1934, § 31(d), codified, as amended, at 15 U.S.C. § 78ee; as implemented in 17 C.F.R. § 240.31 (Section 31 transaction fees). [30] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [31] [hyperlink, http://www.gao.gov/products/GAO-08-461R]. [32] For a further, more detailed explanation of our audit scope and methodology, see the discussion in our related financial audit report [hyperlink, http://www.gao.gov/products/GAO-09-173]. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: [End of section]