Management Report:

Improvements Needed in SEC's Internal Controls and Accounting Procedures

GAO-10-443R: Published: Mar 31, 2010. Publicly Released: Mar 31, 2010.

Additional Materials:

Contact:

James R. Dalkin
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

On November 16, 2009, we issued our opinion on the U.S. Securities and Exchange Commission's (SEC) fiscal years 2009 and 2008 financial statements. We also issued our opinion on the effectiveness of SEC's internal controls over financial reporting as of September 30, 2009, and our evaluation of SEC's compliance with selected provisions of laws and regulations during fiscal year 2009. The purpose of this report is to present (1) our recommendations related to the significant deficiencies we reported and discussed in our opinion report; (2) less significant internal control issues we identified during our fiscal year 2009 audit of SEC's internal controls and accounting procedures, along with our related recommended corrective actions; (3) the status of the recommendations reported as open in our April 2, 2009, management report (see enclosure I), and (4) the status of the security weaknesses in information systems controls at SEC that we identified in public and "Limited Official Use Only" reports issued in 2005, 2007, 2008, and 2009, that were unresolved at the time of our March 16, 2009, information security reports.

As part of our audit of SEC's fiscal years 2009 and 2008 financial statements, we identified a material weakness6 in internal control over financial reporting that resulted from the cumulative effect of significant deficiencies we identified in six key areas of SEC's controls over financial reporting. These significant deficiencies concerned controls over: (1)information security, (2)financial reporting process, (3)fund balance with Treasury, (4)registrant deposits, (5)budgetary resources, and (6)risk assessment and monitoring processes. We discussed these significant deficiencies in detail in our audit opinion on the SEC's fiscal years 2009 and 2008 financial statements. We also identified other internal control issues that although not considered material weaknesses or significant deficiencies, warrant SEC management's consideration. These issues concern: (1)security over sensitive employee information, (2)policies and procedures documents related to or affecting financial reporting, (3)documentation of payroll controls, (4) prior period corrections, (5)preparation of labor surveys, (6)Prompt Payment Act interest payments, (7)excessive user access rights in SEC's time and attendance system, (8)financial statement closing schedule: cutoffs and related activities, (9)documentation of Contracting Officer's Technical Representative's review of contractor invoices prior to SEC payment, and (10)notes to interim financial statements and pro-forma financial reporting. We present a discussion of our findings and related recommendations for each of these less significant control deficiencies following the presentation of our recommendations to address SEC's significant financial reporting deficiencies.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: During our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC had several information security weaknesses that resulted in a material deficiency. Specifically, SEC did not adequately: segregate computer-related duties and functions; restrict user privileges; implement patches and current software versions; use approved, secure means to transmit data; implement configuration management; or complete a certification and accreditation of its general ledger system and supporting processes during the fiscal year. We recommended that SEC establish and implement appropriate controls to mitigate any additional risks that were identified as a result of SEC's reevaluation of existing automated information system security controls in light of the risks identified in SEC's October 2009 certification and accreditation procedures for the general ledger system and supporting processes. In response to our recommendation, SEC transitioned its general ledger system to a Federal Shared Service Provider, Enterprise Service Center (ESC) [hosted by the Department of Transportation] in fiscal year 2012. Our review of the service provider's auditor's report regarding system security controls did not identify control deficiencies relating to confidentiality, availability, and integrity of automated information processed on ESC's financial system. As a result, SEC was able to resolve the material deficiency due to security issues related to the general ledger and supporting processes.

    Recommendation: In addition to completing actions to address the 22 outstanding previously reported automated system security-related weaknesses, and as part of SEC's planned corrective measures to improve automated information system security controls, the Chairman should reevaluate existing automated information system security controls in light of the risks identified in SEC's October 2009 certification and accreditation procedures for the general ledger system and supporting processes.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: During our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC had several information security weaknesses that resulted in a material deficiency. Specifically, SEC did not adequately: segregate computer-related duties and functions; restrict user privileges; implement patches and current software versions; use approved, secure means to transmit data; implement configuration management; or complete a certification and accreditation of its general ledger system and supporting processes during the fiscal year. We recommended that SEC establish and implement appropriate controls to mitigate any additional risks that were identified as a result of SEC's reevaluation of existing automated information system security controls in light of the risks identified in SEC's October 2009 certification and accreditation procedures for the general ledger system and supporting processes. In response to our recommendation, SEC transitioned its general ledger system to a Federal Shared Service Provider, Enterprise Service Center (ESC) [hosted by the Department of Transportation] in fiscal year 2012. Our review of the service provider's auditor's report regarding system security controls did not identify control deficiencies relating to confidentiality, availability, and integrity of automated information processed on ESC's financial system. As a result, SEC was able to resolve the material deficiency due to security issues related to the general ledger and supporting processes.

    Recommendation: In addition to completing actions to address the 22 outstanding previously reported automated system security-related weaknesses, and as part of SEC's planned corrective measures to improve automated information system security controls, the Chairman should establish and implement appropriate controls to mitigate any additional risks that were identified as a result of this reevaluation.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: Our fiscal year 2009 audit of the SEC's financial statements found that SEC's general ledger system and sub-modules lacked the functionality and proper configuration to generate and report financial information necessary for the preparation of the financial statements and the management of day-to-day operations on an ongoing basis. We recommended that SEC reconfigure the general ledger system to produce reports necessary to both prepare the financial statements and support managing operations, such as a consolidated trial balance report and undelivered order aging report. In response to our recommendation, in fiscal year 2012, SEC transitioned its general ledger system from the Momentum general ledger system to a federal shared service provider hosted by the Department of Transportation's Enterprise Service Center (ESC). Consistent with our recommendation, ESC's financial system is able to produce the necessary reports including a consolidated trial balance. As a result, SEC significantly reduced the risk of misstatement in its financial statements and improved its capability to support management's day to day operations through these improved financial reporting capabilities.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should reconfigure the general ledger system to produce reports necessary to both prepare the financial statements and support managing operations, such as a consolidated trial balance report and undelivered order aging report, respectively, on an ongoing basis.

    Agency Affected: United States Securities and Exchange Commission

  4. Status: Closed - Implemented

    Comments: Our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements noted that SEC's general ledger could not produce an aging report of its disgorgement and penalties accounts receivables. We recommended the SEC reconfigure the disgorgements and penalty accounts receivable module to enable production of an accounts receivable aging report. In response to our recommendation, in fiscal year 2012, SEC transitioned its general ledger system to a federal shared service provider hosted by the Department of Transportation's Enterprise Service Center (ESC). ESC's financial system produces a standard accounts receivable aging report. As a result of these new controls, SEC significantly improved its capability to oversee and manage day to day operations relating to its disgorgement and penalty accounts receivable, and reduced the risk of misstatements in the reporting of its disgorgement and penalty accounts receivable financial information in its financial statements.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should reconfigure the disgorgements and penalty accounts receivable module to enable production of an accounts receivable aging report.

    Agency Affected: United States Securities and Exchange Commission

  5. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted that the SEC's property module could not generate a property register that supported balances for capitalized cost and accumulated depreciation associated with property and equipment balances reported on the financial statements in compliance with Office of Management and Budget (OMB) Circular No. A-127, Financial Management Systems. A-127 provides that agency financial management systems are to provide financial information in a timely and useful fashion to comply with internal and external reporting requirements, including financial statements prepared in accordance with OMB and Treasury reporting requirements. As a result, management executed manual queries of property data to extract cost, accumulated depreciation, and other pertinent information to generate a property register that could be reconciled to financial statement account balances. In April 2009, we recommended that SEC reconfigure the property and equipment module to enable production of a property register report. In response to our recommendation, SEC developed and implemented new procedures in fiscal year 2010 to produce a property register from its property and equipment module. Our review of SEC's property register as of September 30, 2010, did not identify significant differences between the property register and general ledger balances reported in the financial statements for capitalized cost and accumulated depreciation. As a result of these improvements, SEC management has significantly improved its accountability for property and equipments balances reported in the financial statements.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should reconfigure the property and equipment module to enable production of a property register report.

    Agency Affected: United States Securities and Exchange Commission

  6. Status: Open

    Comments: We will review during our FY2014 audit.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should develop and implement an automated sub-ledger that interfaces with the general ledger for investment and disgorgement and penalty liability transaction activity.

    Agency Affected: United States Securities and Exchange Commission

  7. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that the SEC general ledger did not capture detailed investment activity and disgorgement and penalty liability transactions at the enforcement case level, necessitating SEC's reliance on a large unsecured spreadsheet to deconstruct the summary level disgorgement and penalty data in the general ledger to the case level. Through our review of this spreadsheet, we noted numerous differences in the calculated balances and related balances maintained by SEC and those maintained by Treasury. In March 2010, we recommended that SEC establish and implement procedures for documenting data reliability checks at the enforcement case level for data extracted from non-integrated subsidiary systems to include appropriate supervisory reviews. In response to our recommendation, in fiscal year 2011, SEC re-designed the spreadsheet used to track investment balances to include pivot tables at the enforcement case level. This added functionality facilitated management's review of the information contained in this report and assisted in the reconciliation of investment balances with Treasury records. Our review SEC's reconciliation of the spreadsheet data and the general ledger for the months ended June 30, 2011 and September 30, 2011 did not identify any differences between investment balances reported by SEC and Treasury. As a result of these efforts, SEC has significantly reduced the risk of inaccurate reporting of investments balances.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should establish and implement procedures for documenting data reliability checks at the enforcement case level for data extracted from non-integrated subsidiary systems to include appropriate supervisory reviews until SEC is able to establish and implement procedures for fully integrating its detailed investment and disgorgement liability activity into its general ledger.

    Agency Affected: United States Securities and Exchange Commission

  8. Status: Closed - Implemented

    Comments: During our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's controls were not always effective in detecting misstatements that could occur as a result of SEC's extensive use of manual workarounds and data handling in its financial reporting processes due to certain key processes that were not integrated with the general ledger system. Specifically, SEC had not developed an automated interface between its disgorgement and penalty accounts receivable module, which was integrated with its general ledger system, and Phoenix?the database that is the source of the disgorgement and penalty data. We recommended that SEC develop and implement an automated solution that would eliminate the manual process of reentering disgorgement and penalties data from Phoenix into the general ledger system accounts receivable module. In response to our recommendation, in fiscal year 2012 SEC implemented ImageNow, a document management system, for capturing and warehousing all civil and administrative court judgments. Judgments entered in ImageNow are automatically routed to SEC personnel for review to determine if disgorgement and penalties financial receivable transactions need to be recorded in SEC's general ledger system accounts receivable module, which interfaces with SEC's general ledger system maintained by its shared service provider. As a result of the automated routing of accounts receivable documentation for review and the automated interface between the accounts receivable module and the general ledger, SEC has reduced its reliance on manual workarounds and data handling and increased the likelihood that misstatements will be prevented or timely detected and corrected.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should develop and implement an automated solution that will eliminate the manual process of reentering disgorgement and penalties data from Phoenix into the general ledger system accounts receivable module.

    Agency Affected: United States Securities and Exchange Commission

  9. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's general ledger did not recognize and properly record payments made through the Department of the Interior (DOI) for student loan payments, employee awards, and employee litigation settlements. Specifically, the general ledger posting model did not properly link the DOI payments to the related obligation thereby necessitating extensive ad-hoc queries to develop correcting entries. The posting of such correcting entries obscured management's ability to oversee activity in this area. During our audit, we found several instances of adjustment entries that were indistinguishable from original transaction activity in account reconciliations. In March 2010, we recommended that SEC establish and implement a cost effective procedure for accurately recording student loan payments and employee awards and settlements in the general ledger. In response to our recommendation, in fiscal year 2011, SEC created and implemented standard operating procedures for recording transactions to liquidate prior year obligations for payroll charges related to student loan repayments, employee awards and payments for settlement actions. As a result, internal controls over the accurate recording of payroll expenses have been improved and the risk that a material misstatement may occur in SEC's financial statements is significantly reduced.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should, in coordination with the Department of the Interior's (DOI) National Business Center (NBC), establish and implement a cost effective procedure for accurately recording student loan payments and employee awards in the general ledger.

    Agency Affected: United States Securities and Exchange Commission

  10. Status: Open

    Comments: We will review during our FY2014 audit.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should establish and implement procedures to properly record property and equipment receipt transactions using capitalizable project and budget object class codes within the general ledger system.

    Agency Affected: United States Securities and Exchange Commission

  11. Status: Open

    Comments: We will review during our FY2014 audit.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should establish and implement procedures for performing a comprehensive review of all posting configurations and recurring correcting journal entries to identify and address any additional departures from Treasury's prescribed posting models.

    Agency Affected: United States Securities and Exchange Commission

  12. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have a documented process for identifying, evaluating, and accounting for litigation, claims, and assessments as part of its process for preparing its financial statements, which resulted in inaccurate contingent liabilities disclosures in its financial statements. During our audit, we found that SEC did not disclose contingent liabilities from two cases totaling $9.5 million in its interim financial statements and related footnote at June 30, 2009. Similarly, our review at September 30, 2009, found that SEC's period-end financial reporting process did not detect unrecorded contingent liabilities of about $5 million resulting from the settlement of litigation. While SEC disclosed the settlement of these cases in its legal representation letter, we reported that until SEC implements effective procedures for identifying, evaluating, and accounting for litigation, claims, and assessments, the reliability of SEC's financial statements and related note disclosures may be impaired. In March 2010, we recommended that SEC develop and implement policies and procedures to identify, evaluate, and account for contingencies related to any litigation, claims, and assessments against SEC as part of the routine preparation of financial statements in conformity with generally accepted accounting principles. In response to our recommendation, in fiscal year 2010, SEC developed a new process document to describe SEC's procedure to identify, evaluate, and disclose contingencies in the financial statements. Our review of SEC's disclosures of contingent liabilities during the year ended September 30, 2010, found that these procedures were operating effectively. Further, we did not identify any unreported contingent liabilities during fiscal year 2010. SEC's newly implemented procedures should significantly increase management's assurance over the reliability and completeness of contingent liabilities presented in its financial statements.

    Recommendation: To improveperiod-end financial reporting process controls related to contingent and intragovernmental liabilities, the Chairman should develop and implement policies and procedures to identify, evaluate, and account for contingencies related to any litigation, claims, and assessments against SEC as part of the routine preparation of financial statements in conformity with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  13. Status: Closed - Implemented

    Comments: During our fiscal year 2009 financial statement audit of the Securities and Exchange Commission (SEC), we found that SEC's period-end financial reporting process did not appropriately account for certain intragovernmental accruals in accordance with its own guidance and generally accepted accounting principles (GAAP). Our review of SEC's accrual of intragovernmental expense and payable amounts with the General Services Administration (GSA) at September 30, 2009, found that SEC allocated an unsupported payable amount of approximately $7.7 million to contracts with GSA. Specifically, SEC recorded the GSA-stated receivable balance without reconciling such data to internal records. We recommended that SEC develop or update and implement policies and procedures for reconciling any SEC intragovernmental expense and payable amounts reported by GSA to internal SEC data records prior to recording an accrual in SEC's general ledger for financial statement reporting. In response to our recommendation, in fiscal year 2013, SEC updated and implemented its policies and procedures to conduct an internal quarterly call for data from Contracting Officer's Representatives (COR) for certain intragovernmental agreements prior to recording the intragovermental accruals in its financial system. As a result of these revised procedures, SEC improved controls over ensuring the accuracy of its accounting for and reporting of intragovernmental accruals.

    Recommendation: To improveperiod-end financial reporting process controls related to contingent and intragovernmental liabilities, the Chairman should develop or update and implement policies and procedures for reconciling any SEC intragovernmental expense and payable amounts reported by General Services Administration (GSA) to internal SEC data records prior to recording an accrual in SEC's general ledger for financial statement reporting.

    Agency Affected: United States Securities and Exchange Commission

  14. Status: Closed - Implemented

    Comments: Our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements found that SEC's period-end financial reporting process did not appropriately account for certain intragovernmental accruals in accordance with its own guidance and generally accepted accounting principles (GAAP). We recommended that SEC develop and implement control and verification procedures to ensure all of SEC's intragovernmental liability transactions comply with SEC's own guidance. In response to our recommendation, in fiscal year 2012, SEC updated its accrual procedures document to provide for additional review requirements over unrecorded intragovernmental collections and information provided by trading partners when determining its accrual estimate. As a result, SEC reduced the risk of material misstatement in SEC's financial statements.

    Recommendation: To improveperiod-end financial reporting process controls related to contingent and intragovernmental liabilities, the Chairman should develop and implement control and verification procedures to ensure all of SEC's contingency and intragovernmental liability transactions comply with SEC's Accounts Payable Accrual As-Is Process documentation.

    Agency Affected: United States Securities and Exchange Commission

  15. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC was not performing monthly reconciliations of its Fund Balance with Treasury (FBWT) accounts as required by Treasury guidance. Without the proper and timely reconciliation of its FBWT accounts, SEC is at an increased risk of (1) misstating deposit and disbursement data in SEC's FBWT and related accounts and (2) fraud, violations of appropriations laws, and mismanagement of funds. In March 2010, we recommended that SEC develop and implement procedures for timely performing, reviewing, and documenting reconciliation of SEC's FBWT accounts with balances reported by Treasury. In response to our recommendation, in fiscal year 2010, SEC developed and implemented new policies and procedures for performing, reviewing, and documenting its FBWT reconciliations. Our review of SEC's reconciliations of its FBWT accounts during our fiscal year 2010 audit found that SEC timely performed these reconciliations on a monthly basis throughout the fiscal year. As a result, internal controls over the timely, accurate, and consistent recording of FBWT transactions have been properly documented and the risk that FBWT transactions will not be completely, accurately, and consistently recorded and reported, is significantly reduced.

    Recommendation: As part of SEC's planned corrective measures to improve period-end Fund Balance with Treasury (FBWT) financial reporting process controls, the Chairman should develop and implement procedures for timely performing, reviewing, and documenting reconciliation of SEC's FBWT accounts with balances reported by Treasury.

    Agency Affected: United States Securities and Exchange Commission

  16. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not adequately resolve differences in disbursement records maintained by the Department of Treasury's Financial Management Service as reported on the monthly Statement of Differences. Not researching and resolving differences placed SEC at an increased risk (1) that the accuracy and timeliness of deposit and disbursement data reflected in SEC's Fund Balance with Treasury (FBWT) and related accounts are misstated and (2) of fraud, violations of appropriations laws, and mismanagement of funds. In March 2010, we recommended that SEC develop and implement procedures for timely resolving any identified differences in FBWT activity reported by Treasury and FBWT activity recorded by SEC. We found in FY 2010 that in response to our recommendation, SEC developed and implemented new procedures in May 2010 for (1) identifying, monitoring, and resolving SEC's monthly Statement of Differences and (2) documenting requirements for actions taken to address and correct differences. In addition, SEC's procedures now require that all differences be resolved within 60 days. If fully and effectively implemented, these procedures reduce the risk of management acceptance of unauthorized disbursement transactions and increases the accuracy and timeliness of deposit and disbursement data reflected in the financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve period-end FBWT financial reporting process controls, the Chairman should develop and implement procedures for timely resolving any identified differences in FBWT activity reported by Treasury and FBWT activity recorded by SEC.

    Agency Affected: United States Securities and Exchange Commission

  17. Status: Closed - Implemented

    Comments: In our fiscal year 2010 financial statement audit of the Securities and Exchange Commission (SEC), GAO found amounts in the registrant deposit liability account that SEC earned in prior years and therefore should have been recognized as revenue in those years. Specifically, as of September 30, 2010, SEC included $1.9 million in the liability account that should have been recognized as revenue in prior years. We recommended that SEC design and implement controls to ensure that registrant filings and deposits are consistently matched to the year in which they were earned promptly and on an ongoing basis. In response to our recommendation, in fiscal year 2011, SEC reorganized the Financial Operations Branch (FOB) into two separate branches to increase managerial oversight over the offering review and verification process. GAO also noted during its fiscal year 2011 year end testing that as of September 30, 2011, the offering review and verification process was completed timely (within 1 month after SEC received the filing). As a result of these control enhancements SEC has improved the accuracy and completeness of revenue reported in the financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve internal control over its registrant deposit account monitoring process and compliance with applicable federal regulations, the Chairman should design and implement controls to ensure registrant filings and deposits are consistently matched timely on an ongoing basis.

    Agency Affected: United States Securities and Exchange Commission

  18. Status: Closed - Implemented

    Comments: In our fiscal year 2009 financial statement audit of the Securities and Exchange Commission (SEC), GAO identified that approximately $27 million of registrant deposit accounts were dormant for six months or more, but were not returned to registrants as of September 30, 2009. GAO recommended that SEC allocate sufficient resources to fully resolve current registrant deposit liability account balances in accordance with SEC policy and federal regulations. In response to our recommendation, SEC's Office of Financial Management (OFM) employed a staff of 12 contractors to assist its fee account services personnel in conducting a full-scale audit of dormant registrant deposit accounts during fiscal year 2012. In addition, SEC revised its policy for when to consider a registrant deposit account dormant from 6 months to 3 years, which is consistent with federal regulations. As a result, SEC's dormant registrant deposit accounts have been audited and the appropriate action for each account has been initiated or fully executed. As of September 30, 2012, SEC has reduced the remaining dormant account balances to about $2.36 million.

    Recommendation: As part of SEC's planned corrective measures to improve internal control over its registrant deposit account monitoring process and compliance with applicable federal regulations, the Chairman should allocate sufficient resources to fully resolve current registrants' deposits liability balances in accordance with SEC policy and with federal regulations.

    Agency Affected: United States Securities and Exchange Commission

  19. Status: Closed - Implemented

    Comments: In our fiscal year 2009 financial statement audit of the Securities and Exchange Commission (SEC), GAO noted that there were no readily and routinely available reports for effectively managing the registrant deposit operations. For example, at September 30, 2010, SEC reported over $25 million in deposit accounts that were dormant for 6 months or more; however, federal regulations at that time was to return the amount in the deposit liability account to the registrant if the account had not had any activity against it for 6 months. We recommended the SEC develop and implement procedures to include the use of periodic (i.e., weekly and monthly) system generated reports to facilitate oversight of registrant deposit accounts, such as developing and using exception reports of registrant deposit account activity. In response to our recommendation, in fiscal year 2011, SEC's Office of Financial Management developed and implemented a number of procedures to facilitate the oversight of registrant deposits accounts including, (1) holding bi-weekly remediation status meetings of registrant deposit accounts with the Chief Financial Officer, the Chief Operating Officer, and the Chief Accounting Officer; (2) presenting remediation status of registrant deposit accounts to the Financial Management Oversight Committee; and (3) hiring contractor support to help facilitate the remediation of filing fee and registrant account issues. As a result of these control enhancements, if fully and effectively implemented, SEC has improved the oversight of registrant deposits.

    Recommendation: As part of SEC's planned corrective measures to improve internal control over its registrant deposit account monitoring process and compliance with applicable federal regulations, the Chairman should develop and implement procedures to include the use of periodic (i.e., weekly or monthly) system generated reports to facilitate oversight of registrant deposits accounts, such as developing and using exception reports of registrant account activity.

    Agency Affected: United States Securities and Exchange Commission

  20. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have key internal controls over obligations made using the miscellaneous purchase order document (MO). Such controls are critical to helping prevent obligations from exceeding budget authority. Specifically, we found that SEC's process for recording MOs did not require the use of approved purchase requisitions and linking obligations to approved purchase requisitions. Instead, MOs were generally approved by the budget analyst at the time of obligation. In fiscal year 2009, SEC obligated approximately $58 million through MO transactions. Because obligations incurred using MOs represent material amounts of SEC's budgetary resources, the ability for personnel to record obligations without a previously approved purchase requisition significantly increases the risk that obligations entered into the general ledger system may exceed the apportioned levels and result in an Antideficiency Act violation. In March 2010, we recommended that SEC strengthen existing control procedures for recording miscellaneous purchase order documents by requiring the use of an approved purchase requisition before certifying fund availability and recording the obligation. In response to our recommendation, in fiscal year 2011, SEC enhanced its policy on the administrative control of funds to require that purchase requisitions be completed for all obligation types, including MOs, and implemented a system control that linked MOs to the approved requisition within its financial system. Our testing of obligation transactions found that this control was operating effectively during fiscal year 2011. As a result of this added control activity, SEC has significantly reduced the risk of Antideficiency Act violations and enhanced the reliability of the obligation amounts reported in its financial statements.

    Recommendation: As part of SEC's planned corrective measures to strengthen internal control over the management of its budgetary resources, the Chairman should strengthen existing control procedures for recording miscellaneous purchase order documents by requiring an approved purchase requisition before certifying fund availability.

    Agency Affected: United States Securities and Exchange Commission

  21. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified that SEC's internal risk assessment did not consider the risks associated with its information systems which we have consistently reported as a control deficiencies since fiscal year 2004. We also found that SEC's risk assessment did not consider risks related to reliance on the Department of the Interior's National Business Center (NBC), a payroll service provider. In our March 31, 2010, report to management concerning this weakness, we recommended that SEC reevaluate the risk assessment and monitoring processes to ensure they consider all key elements of SEC's financial reporting control environment, including information systems and service providers. In response to our recommendation, in fiscal year 2011, SEC completed implemention of a more robust risk assessment and monitoring process which included the consideration of risk related to its information systems and reliance on service providers. We consider these enhancements a significant improvement over SEC's previous risk assessments prepared in previous years. As a result, SEC is more effective at identifying risks over its financial reporting control environment, thereby reducing the risk of material misstatements in its financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should reevaluate the risk assessment and monitoring processes to ensure they consider all key elements of SEC's financial reporting control environment, including information systems and service providers.

    Agency Affected: United States Securities and Exchange Commission

  22. Status: Closed - Implemented

    Comments: During our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that management did not develop an understanding of its complete financial reporting control environment sufficient to identify all relevant risks. Among others, we recommended the SEC establish and implement procedures for performing and documenting risk assessment and monitoring processes in a timely manner throughout the year, based on the frequency and sensitivity of certain control activities. In response to our recommendation, in fiscal year 2013, SEC developed and implemented a detailed project plan for assessment of internal control over financial reporting that takes into consideration planning and scoping, documentation, testing and evaluation, and remediation and reporting of internal control over financial reporting. The project plan includes a timeline for risk assessment and monitoring processes that extends over the course of the year. As a result of the processes SEC implemented, SEC has significantly improved its risk assessment and monitoring activities throughout the year and its ability to timely identify relevant risks.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should establish and implement procedures for performing and documenting risk assessment and monitoring processes in a timely manner throughout the year, based on the frequency and sensitivity of certain control activities.

    Agency Affected: United States Securities and Exchange Commission

  23. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that the SEC internal risk assessment and monitoring process did not include documentation supporting management's evaluation of the design effectiveness of the key controls. Office of Management and Budget (OMB) Circular No. A-123 provides that a control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. The evaluation of the design effectiveness of key controls is an essential part of the risk assessment process and the only way management may identify whether controls necessary to meet control objectives are missing or whether existing controls, if operating as designed, meet the intended control objectives. Failure to assess whether key controls are meeting the control objectives could result in management not identifying the need for additional controls where gaps exist. In March 2010, we recommended that SEC document the evaluation of the design effectiveness of key controls as part of the risk assessment process. In response to our recommendation SEC enhanced its procedures during its fiscal year 2010 internal risk assessment to include use of risk and control matrices as a tool to link identified risks to key controls which address that risk. Our 2010 review of the risk and control matrices prepared for each of the accounting cycles found that each included management's evaluation of the design effectiveness of key controls. As a result of these improvements to its risk assessment and monitoring process, SEC should be able to better assure internal control activities are designed to achieve control objectives.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should, as part of the risk assessment process, document the evaluation of the design effectiveness of key controls.

    Agency Affected: United States Securities and Exchange Commission

  24. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC lacked procedures to comprehensively identify and assess risk related to SEC's payroll-related control activities, including risk associated with user controls identified by its payroll service provider in Statement on Auditing Standards (SAS) 70 reports. Based on our review of SEC's risk assessment of internal controls over financial reporting, we found that management did not develop an understanding of its complete financial reporting control environment sufficient to identify all relevant risks and effectively plan and test controls. For example, a significant portion of SEC's payroll processing relies on the Department of the Interior's National Business Center (NBC), a payroll service provider. As such, SEC places significant reliance on reports generated by NBC to determine whether its payroll disbursements were complete, valid, accurate, and timely. Specifically, in processing payroll disbursements, SEC management relies on exception reports generated by NBC as a basis for adjusting internal payroll records. Despite such reliance, management's risk assessment of payroll controls did not initially consider SEC's internal control environment related to NBC's processing of its payroll. The service provider's SAS 70 report, related to its payroll servicing operations listed user controls that should be in place at SEC, as a user organization, in order for SEC to rely on the specified internal controls at NBC. As a result of weaknesses in SEC's risk assessment and control oversight monitoring process, SEC did not consider the complete financial reporting control environment for the areas evaluated and management did not identify all risks, effectively implement monitoring controls in high-risk areas, or test many of the key controls that drive operations. Moreover, SEC did not document its evaluation of the design of the key controls that were identified as part of the risk assessment process. In March 2010, we recommended that SEC establish procedures to comprehensively identify and assess risk related to SEC's payroll-related control activities, including risk associated with user controls identified by its payroll service provider in SAS 70 reports. In response to our recommendation, during fiscal year 2011, SEC management established and implemented a formal process to review the payroll service provider's SAS 70 report. In October 2011, SEC management issued a formal report of its review of the SAS 70 report and evaluated SEC's key controls in the context of that report. As a result of these actions, SEC management has significantly reduced the risk that management will not properly consider their complete financial reporting control environment for payroll-related control activities.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should establish procedures to comprehensively identify and assess risk related to SEC's payroll-related control activities, including risk associated with user controls identified by its payroll service provider in SAS 70 reports.

    Agency Affected: United States Securities and Exchange Commission

  25. Status: Closed - Implemented

    Comments: During our fiscal year 2009 financial statement audit of the Securities and Exchange Commission (SEC), GAO identified weaknesses in SEC's entity-level risk assessment. We recommended that SEC enhance its risk assessment and mitigation control procedures to include maintaining a list of any internally identified control breakdowns that occur during the year, documenting an evaluation of the financial reporting impact as a result of any such control breakdowns, and documenting any corrective actions taken. In response to our recommendation, in fiscal year 2011, SEC created a SharePoint site documenting an evaluation of the financial reporting impact as a result of any internal control breakdowns and any corrective actions taken. In addition, SEC implemented performing an Internal Controls over Financial Reporting (ICFR) review on at least an annual basis. The annual review identifies control risks, objectives, and activities as well as the results of control testing. As a result of these enhancements, SEC has improved its risk assessment and mitigation processes thereby enhancing control procedures over financial reporting.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should enhance risk assessment and mitigation control procedures to include maintaining a list of any internally identified control breakdowns that occur during the year, documenting an evaluation of financial reporting impact as a result of any such control breakdown, and any corrective actions taken.

    Agency Affected: United States Securities and Exchange Commission

  26. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of SEC's financial statements, we found that SEC used employee social security numbers as the vendor codes within its general ledger system when processing employee travel authorizations. We recommended that SEC review the usage of social security numbers as a personal identifier for federal employees in agency systems and programs and establish and implement alternative procedures to eliminate any such usage. In fiscal year 2012, SEC transitioned its general ledger system of record to a shared service provider's financial system, which uses a generic number instead of social security numbers as the vendor code in processing employee disbursements. As a result, SEC significantly reduced the susceptibility of employee information to identity theft or other fraudulent use.

    Recommendation: As part of SEC's planned corrective measures to reduce the availability of personally identifiable information, the Chairman should review current usage of social security numbers as a personal identifier for federal employees in agency systems and programs and establish and implement alternative procedures to eliminate any such usage.

    Agency Affected: United States Securities and Exchange Commission

  27. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that some of SEC's policies and procedures for several financial reporting processes were still in draft form or contained incomplete, incorrect, or outdated information. Specifically, we found that SEC's procurement and purchases process and Section 31 fees process documents contained multiple recommendations for internal process improvements that were not acted upon or reviewed by appropriate departments. This was the result of these process documents being in draft form and not finalized as of the time of our audit. We reported that SEC's incomplete, incorrect, and outdated policies and procedures hindered management's ability to identify the key risks and corresponding controls over financial reporting in all of its key business processes. In addition, without formal finalized documented policies and procedures, staff may not consistently implement control activities as designed. In March 2010, we recommended that SEC finalize the policies and procedures for the procurement and purchases processing and Section 31 fees processing to include incorporating any changes needed to resolve all recommendations or deficiencies identified during the development of these draft documents. In response to our recommendation, during fiscal year 2011, SEC's Office of Financial Management (OFM) finalized several policies and procedures chapters for its OFM Reference Guide. Three of those chapters addressed SEC's procurement and purchases processes including procurement vendor maintenance, its unliquidated obligations review process, and its process for miscellaneous obligating documents process. Another chapter addressed standard operating procedures for computing, billing, and recording Section 31 fees. As a result of finalizing these chapters, SEC management has significantly improved its policies and procedures over its procurement and purchases processes to help ensure consistent implementation of control activities as designed.

    Recommendation: As part of SEC's planned corrective measures to improve financial reporting process controls, the Chairman should finalize the policies and procedures for the procurement and purchases and Section 31 revenue processing to include incorporating any changes needed to resolve all recommendations or deficiencies identified during the development of these draft documents.

    Agency Affected: United States Securities and Exchange Commission

  28. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's Standard Voucher (SV) Creation and Modification Standard Operating Procedure did not discuss the definition and purpose of using SVs. That is, SVs were used to record both original transactions and to correct recurring errors. In addition, SEC's procedures did not provide steps to follow to properly create, review, and approve SV transactions. We found that several SV transactions in the general ledger system were not completed (i.e. pending approval or held) for up to 6 months. Because of SEC's lack of documented procedures concerning how to monitor and resolve SV entries it was unclear how long these transactions would have remained in SEC's financial system in an incomplete status. In March 2010, we recommended that SEC revise procedures to clearly define the purpose and use of SV transactions; the process for entering SV transactions into the general ledger system, including the performance and documentation of supervisory review; and monitoring procedures to ensure that SV transactions post to the general ledger system as intended. We found in FY 2010 that in response to our recommendation, the SEC developed procedures addressing (1) the purpose and use of SV transactions; (2) the process for entering SV transactions into the general ledger, including the performance and documentation of supervisory review; and (3) monitoring procedures to ensure that SV transactions post to the general ledger system as intended. With these control enhancements SEC mitigated the risk that SV transactions will not be completely, accurately, and consistently recorded in the general ledger and that related SV financial statement balances will be misstated.

    Recommendation: As part of SEC's planned corrective measures to improve financial reporting process controls, the Chairman should revise the Standard Voucher (SV) Creation and Modification process document to clearly define (1)the purpose and use of SV transactions; (2)the process for entering SV transactions into the general ledger system, including the performance and documentation of supervisory review; and (3) monitoring procedures to ensure that SV transactions post to the general ledger system as intended.

    Agency Affected: United States Securities and Exchange Commission

  29. Status: Closed - Implemented

    Comments: In our fiscal year 2009 financial statement audit of the Securities and Exchange Commission (SEC), GAO identified weaknesses in SEC's monitoring and provided needed updates to its accounting policies and procedures. Specifically, SEC had not acted on recommendations to improve procurement and purchases processes. Process changes were in draft form but had not been finalized at the time of our audit. Also, SEC's travel expenses policies and procedures document contained several instances of references to incorrect or outdated information. We also found that SEC's Standard Voucher (SV) Creation and Modification Standard Operating Procedure did not discuss the definition and purpose of using SVs. Finally, we found that SEC's process document for securities transaction fees paid by Self Regulatory Organization (Section 31 Fees) was in draft form at September 30, 2009. We recommended the SEC establish and implement procedures to monitor and update policy and procedure documents in a timely manner to ensure key risks and corresponding controls are documented for each key process. In response to our recommendation, in fiscal years 2010 and 2011, SEC established a framework for developing policies and procedures and developed a dedicated Microsoft SharePoint site, which is deployed as a central repository for all approved policies and procedures. The SEC also formalized the Internal Control over Financial Reporting process. As part of this process, risks and key controls are to be documented on Risk and Control Matrices, and areas requiring improved policy and procedure documentation are to be identified. The updating and creation of new policies and procedures included the review and consideration of any corresponding risks and internal control activities documented on SEC risk and control matrices. As a result of these enhancements, SEC has improved its ability to monitoring and appropriately and timely update its accounting policy and procedures.

    Recommendation: As part of SEC's planned corrective measures to improve financial reporting process controls, the Chairman should establish and implement procedures to monitor and update policy and procedure documents in a timely manner to ensure key risks and corresponding controls are documented for each key process.

    Agency Affected: United States Securities and Exchange Commission

  30. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted that SEC lacked written procedures to standardize its resolution of biweekly payroll exception reports and to retain those reports to facilitate internal and external audit or review. During our audit, we noted that SEC did not consistently document evidence of payroll-related internal control procedures. Specifically, we noted that SEC did not have documentation supporting the Office of Human Resources' (OHR) resolution of biweekly payroll exception reports. Although OHR provided evidence of resolution on the exception reports, we found that documentation of such resolution was unavailable for 11 of the 17 pay periods that we reviewed. Specifically, OHR was unable to provide clear documented evidence for the resolution of 10 exception reports we reviewed and could not produce the report for one pay period because under existing SEC practices, exception reports were generally not retained for greater than 6 months. Consequently, SEC management's lack of a documented policy and procedure to retain reports for the entire period under audit and consistently provide evidence for resolution of exceptions raised uncertainty as to whether key personnel actions that affect staff employment and salaries had been accomplished accurately and timely. In March 2010, we recommended that SEC develop and implement written procedures that (a) standardize required documentation related to resolution of biweekly payroll exception reports and (b) extend the retention period for supporting documentation to facilitate internal and external audit or review, such as a period of 18 months after payment. In response to our recommendation, during fiscal year 2011, SEC's Office of Human Resources formally issued and implemented its Time and Attendance process, SEC Regulation at SECR 6-2. Section J of SECR 6-2 describes the required process for review of the biweekly payroll reports, including a process to document resolution of exception reports. Section F and Section 5 of SECR 6-2 addressed the formal retention of payroll documentation. As a result of these actions, SEC management has significantly improved procedures to standardize its resolution and retention of biweekly payroll exception reports and reduced the risk that personnel actions will not be processed accurately or timely.

    Recommendation: As part of SEC's planned corrective measures to improve internal controls over payroll transactions, the Chairman should develop and implement written procedures that (a) standardize required documentation related to resolution of NBC's biweekly payroll exception reports and (b) extend the retention period for supporting documentation long enough to facilitate internal and external audit or review, such as a period of 18 months after payment.

    Agency Affected: United States Securities and Exchange Commission

  31. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that management did not have a process to evaluate the impact of all prior years corrections on the current and prior year financial statements. Specifically, during our audit we found equipment additions exceeding $1 million that were expensed and placed into service in fiscal year 2008, but capitalized in fiscal year 2009; software placed in production in December 2007, but not recorded as placed in service until December 2008; and $3.6 million in filing fee revenue that was earned in prior fiscal years but recorded during the first 9 months of fiscal year 2009. The lack of an effective process for evaluating the cumulative effect of prior period corrections increases the risk of misstated SEC financial statements. In March 2010, we recommended that SEC develop and implement procedures to provide for a review of all transactions resulting in prior period corrections, including filing fee revenue and property and equipment transactions, and to quantify the cumulative effect of known and likely prior period corrections in the current fiscal year. In response to our recommendation, in fiscal year 2010, SEC developed and implemented procedures establishing a process for (1) recording corrections affecting prior years and evaluating whether the misstatement is material, individually and in aggregate and (2) restating applicable prior year financial statements when material errors are discovered. Our review of SEC's tracking of prior period adjustments during the year ended September 30, 2010, found that these procedures were operating effectively and that the procedures address our recommendation. If effectively implemented, these procedures should significantly improve management's awareness of the impact of prior period corrections on the current and prior period financial statements, enhancing SEC's ability to better ensure the reliability of SEC's financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve period-end financial reporting process controls, the Chairman should develop and implement procedures to provide for a review of all transactions resulting in prior period corrections, including filing fee revenue and property and equipment transactions, and to quantify the cumulative effect of known and likely prior period corrections in the current fiscal year.

    Agency Affected: United States Securities and Exchange Commission

  32. Status: Closed - Implemented

    Comments: In fiscal year 2008, the Securities and Exchange Commission (SEC) implemented an automated time and attendance system to, among other things, enhance the level of data collected and used to allocate program costs by the strategic goals presented on the Statement of Net Cost. Specifically, the time and attendance system allowed employees to record work hours to preset activity codes on their biweekly time and attendance report. However, during our fiscal year 2009 audit, we found that SEC's preset activity and project coding had not been fully updated in the time and attendance system. As such, management relied on quarterly data calls (labor surveys) to allocate labor costs to the four strategic goals presented in SEC's Statement of Net Cost. Based on our review of SEC's labor survey process, we found that the accumulation of cost data was inherently subjective and that the procedures used to compile such information varied greatly from one unit to another. In March 2010, we recommended that SEC update the time and attendance system to establish fully updated preset activity and project codes for all activities used by SEC in its process for allocating gross costs to program costs by the strategic goals presented in its Statement of Net Cost. In response to our recommendation, we found in FY 2010 that SEC updated the preset activity and project codes in its time and attendance system which facilitated employees' accurately reporting of time worked by strategic goals. These actions should better assure employee reported hours are more appropriately aligned to the program goals presented on SEC's Statement of Net Cost and the accuracy of cost data presented on SEC's Statement of Net Cost is significantly improved.

    Recommendation: As part of SEC's planned corrective measures to improve controls over the Statement of Net Cost preparation, the Chairman should update the time and attendance system to establish preset active activity and project codes for all activities used by SEC in its process for allocating gross costs to program costs by the strategic goals presented in its Statement of Net Cost.

    Agency Affected: United States Securities and Exchange Commission

  33. Status: Open

    Comments: We will review during our FY2014 audit.

    Recommendation: As part of SEC's planned corrective measures to improve controls over the Statement of Net Cost preparation, the Chairman should modify existing policy and procedures to require all employees to report labor hours using preset activity and project codes within the time and attendance system and establish and implement applicable controls to ensure compliance.

    Agency Affected: United States Securities and Exchange Commission

  34. Status: Open

    Comments: We will review during our FY2014 audit.

    Recommendation: As part of SEC's planned corrective measures to improve controls over the Statement of Net Cost preparation, the Chairman should revise and implement procedures over the preparation of the Statement of Net Cost to utilize actual data reported by employees on their biweekly time and attendance reports.

    Agency Affected: United States Securities and Exchange Commission

  35. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, our testing of non-payroll disbursements found instances in which SEC did not process invoices for payments in accordance with the time lines designated in the Prompt Payment Act. This resulted in SEC incurring Prompt Pay interest costs that could have been avoided. In March 2011, we reaffirmed our prior recommendation that SEC investigate the causes of late payments and develop and implement any necessary corrective action. In response to our recommendation, during fiscal year 2011, SEC's Office of Financial Management (OFM) implemented a workflow process for invoices. One purpose of this workflow process was to reduce the processing delays by automating the invoice review and approval process, and thus reduce occurrences of having to pay prompt pay interest. After implementation of the new process, we noted an improving trend on the timely processing of payments. For example, in the first quarter of 2011, SEC incurred Prompt Pay interest costs for approximately 50% of the invoices it processed. While in the fourth quarter of 2011, SEC incurred Prompt Pay interest costs for approximately 5% of the invoices it processed. Given the improving trend, we conclude that SEC's corrective actions have improved the timeliness of its processing and reduced late payments and prompt pay interest penalties and thereby reduced the risk of non-compliance with the Prompt Payment Act.

    Recommendation: As part of SEC's planned corrective measures to improve controls over disbursements transactions, the Chairman should investigate the causes of late payments and any interest penalties incurred and develop and implement any necessary corrective actions.

    Agency Affected: United States Securities and Exchange Commission

  36. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted a lack of controls over SEC's monitoring of access rights to its time and attendance system. These controls are designed to prevent or timely correct any excessive access in the system. Because SEC lacked such controls, our review of user rights within the time and attendance system identified instances in which individuals were assigned levels of access that were excessive relative to their job functions. For example, we identified one user who was assigned the incompatible roles of administrator, certifier, and timekeeper within the system. This broad level of access in the time and attendance system was unnecessary given that the user's job was to extract payroll and time sheet data for use in other financial reporting activities. In March 2010, we recommended that SEC develop and implement controls over access rights in the time and attendance system to prevent or timely correct any excessive access in the system. In response to our recommendation, during fiscal year 2011, SEC's Office of Human Resources formally issued and implemented its Time and Attendance process, SEC Regulation at SECR 6-2. Section L of SEC Regulation SECR 6-2 describes the required process to review the propriety of access rights assigned in Quick time "to minimize risk of mistake and abuse". As a result of these actions, SEC management has significantly improved its control over access rights to its time and attendance system and reduced the risk that possible inadvertent or deliberate misuse, fraudulent use, or improper disclosure of payroll data may occur and not be detected.

    Recommendation: As part of SEC's planned corrective measures to improve access control within the time and attendance system, the Chairman should develop and implement controls over access rights in the time and attendance system to prevent or timely correct any excessive access in the system.

    Agency Affected: United States Securities and Exchange Commission

  37. Status: Closed - Implemented

    Comments: Our fiscal year 2009 financial statement audit we found that the Securities and Exchange Commission (SEC) lacked control procedures to establish a standardized timeline with cutoff dates for the completion and recording of key month-end accounting transactions prior to the closing of an accounting period and preparation of the financial statements and footnotes. We recommended that SEC develop and implement a standardized financial statement closing schedule with cutoff dates for key month-end accounting transactions that should be completed prior to the closing of an accounting period. In response to our recommendation, in fiscal year 2012, SEC developed a policy document which lists key closing activities and generalized due dates applicable to each accounting period. As a result SEC has reduced the risk of delays and omission of key closing procedures when preparing its financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve period-end financial reporting closing process, the Chairmand should develop and implement a standardized financial statement closing schedule with cutoff dates for key month-end accounting transactions that should be completed prior to the closing of an accounting period.

    Agency Affected: United States Securities and Exchange Commission

  38. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC lacked effective control procedures for accurately recording key month-end accounting transactions prior to the closing of an accounting period and preparation of the financial statements and footnotes. Specifically, we found that several closing journal vouchers prepared as part of the November 2008 monthly closing process were not posted to the general ledger. In addition, several accrual transactions improperly recorded in one period were not appropriately reversed in the succeeding period. As a result of these errors, SEC was unable to accurately prepare its interim financial statements for the first 2 months of fiscal year 2009. In March 2010, we recommended that SEC develop and implement control procedures to ensure accrual accounting entries are reversed in the following accounting period and current period accrual accounting entries are recorded prior to the accounting period closing date. In response to our recommendation, SEC developed and implemented in fiscal year 2010 a new procedure as part of its monthly closing process which requires a Senior Accountant within the Financial Reporting and Policy Branch to perform an analysis to ensure that all prior period accrual accounting entries are reversed and current period accrual accounting entries are recorded. We did not find unreversed prior period accruals in our testing of journal vouchers in the financial reporting audit cycle in fiscal year 2010. As a result of this added control, SEC has significantly improved management's assurance over the accuracy of the interim financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve period-end financial reporting closing process, the Chairmand should develop and implement control procedures to ensure prior period accrual accounting entries are reversed in the following accounting period and current period accrual accounting entries are recorded prior to the accounting period closing date.

    Agency Affected: United States Securities and Exchange Commission

  39. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have a policy regarding the formal assignment of authority and responsibility for the reopening of closed accounting periods in Momentum, its general ledger system. During our audit, we found that, while not explicitly authorized, staff accountants from two disparate branches routinely performed this task. As a result of not clearly delineating what level staff should have the authority and responsibility for reopening closed accounting periods, SEC's financial statements were at risk of misstatement. In March 2010, we recommended that SEC develop and implement policies and procedures to ensure that only designated senior staff and management (such as branch chief level and above) have the authority to reopen closed accounting periods. We recommended that such procedures should also provide for (1) documenting the required protocols to follow for requesting to reopen a closed accounting period and approval of such request, (2) specifying required documentation for situations that caused a closed accounting period to be reopened, and (3) as applicable, documenting any corrective actions that were taken to preclude such circumstances from reoccurring. In response to our recommendation, in fiscal year 2010, SEC developed and implemented policies and procedures regarding the reopening of a closed accounting period in its general ledger system, Momentum. Under these procedures, SEC designated senior personnel who may approve the reopening of a closed accounting period and the protocols that must be followed to reopen a closed accounting period. These controls, if fully and effectively implemented, should better ensure that only those with delineated responsibilities can open closed accounting periods in SEC's general ledger system and thereby better ensure timely and accurate preparation of its financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve period-end financial reporting closing process, the Chairmand should develop and implement policies and procedures to ensure that only designated senior staff and management (such as branch chief level and above) have the authority to reopen previous accounting periods. Such procedures should provide for (a) documenting the required protocols to follow for requesting to reopen a closed accounting period and approval of such request, (b) specifying required documentation for situations that caused a closed accounting period to be reopened, and (c) as applicable, documenting any corrective actions that were taken to preclude such circumstances from reoccurring.

    Agency Affected: United States Securities and Exchange Commission

  40. Status: Closed - Implemented

    Comments: During our fiscal year 2009 financial statement audit of the Securities and Exchange Commission (SEC), we identified two instances in which evidence of the Contracting Officer's Technical Representative (COTR) review of the invoice was not clearly documented. We recommended that SEC develop and implement procedures to provide for appropriately documented COTR review of all vendor invoices prior to payment, in compliance with SEC regulation. In response to our recommendation, in fiscal year 2013, SEC developed and implemented procedures, such as workflow systems and a monitoring program, and increased training and targeted outreach to Contracting Officer's Representatives (COR), as the position is now titled, to provide for appropriately documented COR review of all invoices prior to payment. As a result, SEC improved controls for ensuring and reducing the risk that errors in amounts billed to SEC may not be detected and that incorrect amounts may be disbursed.

    Recommendation: To improve internal control over vendor invoice payments, the Chairman should develop and implement procedures to provide for appropriately documented COTR review of all vendor invoices prior to payment in compliance with SEC regulation.

    Agency Affected: United States Securities and Exchange Commission

  41. Status: Closed - Implemented

    Comments: During our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified two instances in which evidence of the Contracting Officer's Technical Representative (COTR) review of an invoice was not clearly documented. We recommended that SEC establish and implement procedures to provide periodic training to COTRs and project managers regarding their responsibilities for reviewing and approving invoices. In response to our recommendation, SEC documented procedures that describe the COTR's responsibilities for review of invoices. In addition, SEC incorporated procedures for receiving and reviewing invoices into its standard COTR training. Our test of controls over the approval of invoices during our fiscal year 2013 audit found that SEC effectively implemented its procedures. As a result, SEC increased the likelihood that review of invoices will be consistently performed and clearly documented, thereby reducing the risk that errors in amounts billed to SEC may not be detected and incorrect amounts may be disbursed.

    Recommendation: To improve internal control over vendor invoice payments, the Chairman should establish and implement procedures to provide periodic training to Contracting Officer's Technical Representatives(COTR)and project managers regarding their responsibilities for reviewing and approving invoices.

    Agency Affected: United States Securities and Exchange Commission

  42. Status: Closed - Implemented

    Comments: Our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements found numerous instances of errors in and inconsistencies between SEC's financial statements and related notes. We recommended that SEC develop and implement a process for reliably preparing accurate pro-forma financial statements and updating the notes that accompany financial statements prior to year-end, preferably with the third quarter reporting. In response to our recommendation, in fiscal year 2012, SEC revised its policy over financial reporting to establish steps to ensure consistency between the financial statements and the related notes and require the preparation of pro-forma financial statements. As a result, SEC significantly reduced the risk of material misstatements to its financial statements and inconsistencies between its financial statements and related information in the notes to its financial statements.

    Recommendation: To improve internal control over its financial statement preparation process, the Chairman should develop and implement a process for reliably preparing accurate pro forma financial statements and updating the notes that accompany financial statements prior to yearend, preferably with the third quarter reporting.

    Agency Affected: United States Securities and Exchange Commission

  43. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's Management's Discussion and Analysis (MD&A) included information that was inconsistent with related information in its financial statements and/or related notes. For example, the draft MD&A initially reported disbursements to harmed investors of $2.1 billion, which differed from the approximately $1.1 billion shown in its financial statements. In another example, SEC's draft MD&A showed offsetting collections of $1.016 billion, which differed from the $1.018 billion of such collections presented in its Statement of Budgetary Resources. We concluded that management had not established effective procedures to ensure that information reported in the MD&A was reviewed for consistency with related information reported in the financial statements and related notes, thereby increasing the risk that inaccurate information could be reported in the MD&A and go undetected. In March 2010, we recommended that SEC augment current procedures to provide specific steps for ensuring the consistency of related information reported in the MD&A and the financial statements and related notes. In response to our recommendation, in fiscal year 2010, SEC updated its financial reporting process documents, Notes Methodology and Monthly Close Process, to include procedures for reviewing the consistency of related financial information reported in the financial statements, accompanying financial statement notes, and MD&A. The procedures provide for cross-referencing and consistency checks to be documented in supporting work-papers, better version control of shared documents circulating during the revision process, and supervisory review of financial highlights information reported in the MD&A. Our review of these procedures during the year ended September 30, 2010, found that these procedures were operating effectively at year end. Further, we did not find inconsistencies between the MD&A and related information in the financial statements and notes during our fiscal year 2010 audit. As a result of these added control procedures, SEC has significantly mitigated the risk that inaccurate or inconsistent information will be reported in the MD&A.

    Recommendation: To improve internal control over its financial statement preparation process, the Chairman should augment current procedures to provide specific steps for ensuring the consistency of related information reported in the Management's Discussion and Analysis (MD&A) and the financial statements and related notes.

    Agency Affected: United States Securities and Exchange Commission

 

Explore the full database of GAO's Open Recommendations »

Sep 22, 2014

Jul 9, 2014

Jun 19, 2014

May 30, 2014

May 15, 2014

May 13, 2014

May 12, 2014

May 2, 2014

Mar 27, 2014

Looking for more? Browse all our products here