Management Report:

Improvements Needed in SEC's Internal Controls and Accounting Procedures

GAO-12-424R: Published: Apr 13, 2012. Publicly Released: Apr 13, 2012.

Contact:

James R. Dalkin
(202) 512-3000
dalkinj@gao.gov

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

In our audit of SEC’s fiscal years 2011 and 2010 financial statements, we identified four significant deficiencies in internal control as of September 30, 2011. These significant internal control deficiencies represent continuing deficiencies concerning controls over (1) information systems, (2) financial reporting and accounting processes, (3) budgetary resources, and (4) registrant deposits and filing fees. These significant control deficiencies may adversely affect the accuracy and completeness of information used and reported by SEC’s management. We are making a total of 10 new recommendations to address these continuing significant internal control deficiencies.

We also identified other internal control issues that, although not considered material weaknesses or significant control deficiencies, nonetheless warrant SEC management’s attention. These issues concern SEC’s controls over:

  • payroll monitoring,
  • implementation of post-judgment interest accounting procedures,
  • accounting for disgorgement and penalty transactions, and
  • the government purchase card program.

We are making a total of 9 new recommendations related to these other internal control deficiencies.

We are also providing summary information on the status of SEC’s actions to address the recommendations from our prior audits as of the conclusion of our fiscal year 2011 audit. By the end of our fiscal year 2011 audit, we found that SEC took action to fully address 38 of the 66 recommendations from our prior audits, subsequent to our March 29, 2011, management report.

Lastly, we found that SEC took action to address and resolve all four weaknesses in information systems controls that we identified in public and “Limited Official Use Only” reports issued in 2008 through 2009 that were reported as open at the time of our March 29, 2011, management report.

Why GAO Did This Study

On November 15, 2011, we issued our opinion on the U.S. Securities and Exchange Commission’s (SEC) and its Investor Protection Fund’s (IPF) fiscal years 2011 and 2010 financial statements. We also issued our opinion on the effectiveness of SEC’s internal controls over financial reporting as of September 30, 2011, and our evaluation of SEC’s compliance with selected provisions of laws and regulations during fiscal year 2011. In that report, we identified significant deficiencies in SEC’s internal control over financial reporting.

The purpose of this report is to (1) present new recommendations related to the significant deficiencies we identified in our November 2011 report; (2) communicate less significant internal control issues we identified during our fiscal year 2011 audit of SEC’s internal controls and accounting procedures, along with our related recommended corrective actions; and (3) summarize information on the status of the recommendations reported as open in our March 29, 2011, management report.

What GAO Recommends

We are making a total of 19 new recommendations related to internal control deficiencies.

For more information, contact Jim Dalkin at (202) 512-3133 or dalkinj@gao.gov or Greg Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop and implement monitoring procedures to ensure that all time and attendance sheets recorded and submitted on behalf of another employee are supported by documented input from either the employee or the employee's certifier and include a valid reason for why a designated timekeeper is submitting a time and attendance sheet on behalf of another employee.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop procedures to provide for documented evidence of a certifying official’s approval of leave and compensatory time before recording such transactions in the time and attendance system.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop and implement monitoring procedures to ensure that responsible management officials submit personnel on board listings (POL) within the 30-day SEC policy requirement.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to perform a review of roles within SEC’s time and attendance system to ensure that all supervisors or managers designated as certifiers have an alternate responsible for reviewing the accuracy of time cards in their absence.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over the accounting for obligation activity, the Chairman of the SEC should direct the COO and CFO to develop and implement procedures for ongoing monitoring of open obligations for validity and timely closeout of any open obligations that are no longer valid. These should include (a) quarterly review of open obligations for ongoing validity based on end of POP or contract completion dates and (b) reconciling SEC’s records of contract activity and balances with its key vendors at least annually.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over the accounting and reporting of budgetary resources, the Chairman of the SEC should direct the COO and CFO to revise agency regulation SEC’s Regulation (SECR) 14-1 to clearly delineate circumstances under which authority for obligating agency budgetary resources can be delegated to appropriate personnel other than the contracting officer (CO), compare current SOPs and business process procedures documents (BPPs) with SECR 14-1, and make any necessary conforming changes.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over the accounting and reporting of budgetary resources, the Chairman of the SEC should direct the COO and CFO to implement system controls to ensure that all applicable information (such as period of performance, POP) is recorded in the financial system and can be associated with its obligation record.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over the accounting and reporting of budgetary resources, the Chairman of the SEC should direct the COO and CFO to enhance current procedures for supervisory review to include required steps for ensuring (a) the accuracy and completeness of the obligation transaction and contract information prior to recording the obligation in the general ledger records and (b) timely recording of obligation transactions in the general ledger.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes, the Chairman of the SEC should direct the COO and CFO to document and implement quality assurance procedures over the preparation of the statement of net cost, including a procedure to compare the sum of all allocated costs to the total actual costs of the various organizations to ensure that all such costs are properly and fully allocated.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over review of service auditors’ reports, the Chairman of the SEC should direct the COO and Chief Financial Officer (CFO) to, as part of the risk assessment process, include steps for reviewing the Statement on Standards for Attestation Engagements (SSAE) No. 16 reports from all service organizations key to SEC’s financial reporting control environment in time to allow appropriate actions to be taken before the end of the fiscal year to address any identified deficiencies in the design and operating effectiveness of service organization or user entity controls.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop an oversight mechanism to ensure that disgorgement and penalty collections are processed and reported in accordance with existing SEC policies and procedures.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over information security, the Chairman of the SEC should direct the COO and CIO to develop and implement a comprehensive vulnerability management strategy that includes routine scanning of SEC's systems and evaluation of such scanning to provide for any needed corrective actions.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to establish an oversight monitoring mechanism to ensure that periodic reviews of cardholder and approving officials (AO) accounts are being performed in accordance with Appendix B of OMB Circular No. A-123.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to augment existing policies and procedures for check collections to include specific required steps for handling amounts remitted to SEC field offices to ensure compliance with the Miscellaneous Receipts Statute and related Treasury regulation.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to revise existing procedures to account for amounts collected on behalf of other federal entities as intragovernmental liabilities.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to revise existing posting configurations to account for liability balances related to compounded post-judgment interest amounts in accordance with SEC policy.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over information security, the Chairman of the SEC should direct the COO and CIO to enhance the EDGAR security plan to document security requirements for the EDGAR/Fee Momentum subsystem.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over information security, the Chairman of the Securities and Exchange Commission (SEC) should direct the Chief Operating Officer (COO) and Chief Information Officer (CIO) to establish configuration baselines and related guidance for securing systems and monitoring system configuration baseline implementation.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To address the deficiencies in internal control over the accounting and reporting of budgetary resources, the Chairman of the SEC should direct the COO and CFO to implement system controls to provide for the review and approval of all obligation transactions and all related contract information by appropriate officials prior to posting the information in the general ledger records.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
