Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures

GAO-13-274R Published: Apr 04, 2013. Publicly Released: Apr 05, 2013.

Highlights

What GAO Found

GAO’s audit of U.S. Securities and Exchange Commission’s (SEC) fiscal years 2012 and 2011 financial statements identified two areas of deficiency in SEC’s internal control that GAO determined represented significant deficiencies. Specifically, as briefly discussed in GAO’s November 2012 audit report, the aggregation of both continuing and new deficiencies in SEC’s financial reporting controls over (1) budgetary resources and (2) property and equipment transactions each constituted significant deficiencies. These significant control deficiencies may adversely affect the accuracy and completeness of information used and reported by SEC’s management. GAO is making a total of nine new recommendations to address these significant internal control deficiencies.

In addition to the two significant deficiencies, GAO’s fiscal year 2012 financial audit identified other deficiencies in SEC’s internal control over financial reporting that while not considered material weaknesses or significant deficiencies, nonetheless warrant SEC management’s attention. GAO is making a total of nine recommendations to address these deficiencies in SEC’s controls over financial reporting related to

  • review and monitoring of disgorgement and penalty transactions,

  • supervisory review and monitoring procedures over manual journal entries,

  • the accounts payable accrual methodology, and

  • information security.

Further, GAO’s follow-up on the status of internal control recommendations made in GAO’s prior audits found that SEC took action to fully address 25 of GAO’s 47 prior years’ recommendations, as of the conclusion of our fiscal year 2012 audit.

Why GAO Did This Study

GAO’s November 15, 2012, report containing its audit of the SEC and its Investor Protection Fund’s (IPF) fiscal years 2012 and 2011 financial statements identified two significant deficiencies in SEC’s internal control over financial reporting on its budgetary resources and property and equipment.

The purpose of this report is to (1) present additional information regarding the significant deficiencies GAO identified in its November 2012 report, along with related new recommendations; (2) communicate other less significant control deficiencies GAO identified in SEC’s internal controls during its fiscal year 2012 audit along with its related recommended corrective actions; and (3) provide an overview of the status of GAO’s prior recommendations as of the end of its fiscal year 2012 audit.

Recommendations

GAO is making a total of 18 new recommendations related to SEC’s internal control deficiencies.

Recommendations for Executive Action

Agency Affected Recommendation Status
United States Securities and Exchange Commission To address the deficiencies in internal control over the financial reporting related to budgetary resources, the Chairman should direct the Chief Operating Officer (COO) and Chief Financial Officer (CFO) to finalize procedures requiring monitoring of SEC's service provider's accounting and reporting on budgetary resources to include required steps and documentation requirements for monthly review of the propriety and accuracy of downward adjustment transactions to identify and process any necessary adjusting entries.
Closed – Implemented
In fiscal year 2013, SEC finalized procedures that included use of a database for recalculating downward adjustments to obligations incurred in previous fiscal years. SEC's Office of Financial Management performs monthly analysis using the database and additional manual procedures to verify upward and downward adjustments calculated by the service provider. As a result of these actions, SEC improved control procedures for ensuring the propriety and accuracy of downward adjustments reported in its financial statements.
United States Securities and Exchange Commission To address the deficiencies in internal control over the financial reporting related to budgetary resources, the Chairman should direct the Chief Operating Officer (COO) and Chief Financial Officer (CFO) to, as part of the annual risk assessment process, include required steps for assessing SEC's monitoring controls to identify, document, and record any downward adjustment transactions to SEC's prior year obligations in the general ledger.
Closed – Implemented
During our audit of the Securities and Exchange Commission's (SEC) fiscal year 2012 financial statements, we found that SEC did not establish required internal control procedures for monitoring its service provider's capability for recording downward adjustment transactions (deobligations or cancellation of obligations recorded in prior budget fiscal years) to SEC's prior year obligations before the migration of its core financial systems to its service provider. As a result, we recommended that as part of SEC's annual risk assessment process, SEC include required steps for assessing its monitoring controls to identify, document, and record any downward adjustment transactions to SEC's prior year obligations in the general ledger. During our fiscal year 2014 audit, in response to our recommendation, we found that SEC's Office of Financial Management developed and implemented a key control to address this recommendation. Specifically, this control required the financial reporting branch chief to review the monthly adjusting entries for downward adjustments to obligations incurred in previous fiscal years to ensure these were properly reported and included in its Internal Control over Financial Reporting assessment process, the required steps for assessing SEC's monitoring controls to identify, document, and record any downward adjustment transactions. As a result, the new key control and revised risk assessment process should 1) help ensure that procedures are designed and operating effectively and 2) decrease SEC's risk of misstating downward adjustments and related activities in its Statement of Budgetary Resources.
United States Securities and Exchange Commission To address the deficiency in internal control over accounting and financial reporting for apportioned but unobligated balances, the Chairman should direct the COO and CFO to develop and implement control procedures to monthly reconcile the budget execution module (subsidiary ledger) to the related general ledger account balances for SEC's apportioned but unobligated balances.
Closed – Implemented
In fiscal year 2013, SEC developed and implemented a monthly reconciliation process between the subsidiary ledger and general ledger designed to identify manual journal adjustments and validate transactions in the subsidiary ledger that are posted to the general ledger. As a result, SEC improved control procedures for ensuring consistency of financial data in the subsidiary ledger and general ledger and reduced the risk of material misstatements for the related amounts reported in its financial statements.
United States Securities and Exchange Commission To address the deficiencies GAO identified in the recording of property and equipment transactions, the Chairman should direct the COO and CFO to develop and implement control procedures to review all property and equipment acquisition transactions to ensure that they are properly accounted for in the year-end financial statements.
Closed – Implemented
In fiscal year 2013, SEC implemented procedures related to the documentation, review, and approval of property and equipment acquisitions to help ensure timely recording of transactions. As a result, SEC reduced the risk of material misstatement related to property and equipment acquisition transactions in its financial statements.
United States Securities and Exchange Commission To address the deficiencies GAO identified in the recording of property and equipment transactions, the Chairman should direct the COO and CFO to augment current procedures to require considering whether the cumulative effect of all misstatements of property transactions identified in the current year would require revision to prior year or current year financial statements.
Closed – Implemented
In fiscal year 2013, SEC revised its procedures to require a review of assets placed into service in prior years but recorded in SEC's fixed asset module during the current year in order to identify any prior period adjustment impact. As a result, SEC reduced the risk of material misstatement related to prior period misstatements resulting from property acquisition transactions in its financial statements.
United States Securities and Exchange Commission To address the deficiencies GAO identified in the recording of property and equipment transactions, the Chairman should direct the COO and CFO to develop and implement control procedures to require the review of underlying invoices and obligation documents at the time of capitalization to ensure that recorded asset acquisition costs represent capitalizable costs.
Closed – Implemented
In fiscal year 2013, SEC developed and implemented procedures to require review of purchasing transactions posted to the general ledger for accuracy. In addition, SEC implemented required approval procedures for all requisitions recorded to an asset-related budget object classification code, and provided training on transaction processing to all personnel involved in asset acquisitions. As a result of these improvements, SEC reduced the risk of reporting misstated property and equipment balances in its financial statements.
United States Securities and Exchange Commission To address the deficiencies GAO identified in the monitoring of property and equipment transactions, the Chairman should direct the COO and CFO to augment SEC's service provider monitoring spreadsheet to include all property and equipment acquisition and disposal transactions from all SEC offices.
Closed – Implemented
In fiscal year 2013, SEC's Office of Financial Management coordinated with the Office of Information Technology and the Office of Support Operations to develop a consolidated asset log containing all fixed asset worksheets for new assets and disposals to be used for monitoring property and equipment transactions. As a result, SEC improved its monitoring controls over property and equipment transactions, and reduced the risk of misstatements in its financial statements related to property and equipment transactions.
United States Securities and Exchange Commission To address the deficiencies GAO identified in the monitoring of property and equipment transactions, the Chairman should direct the COO and CFO to finalize procedures documenting the required steps to be followed for monitoring the service provider's calculation and recording of property and equipment, depreciation, and related transactions in the general ledger.
Closed – Implemented
In fiscal year 2013, SEC finalized and implemented procedures requiring a quarterly review of all asset costs to identify assets that should be depreciated. The procedure also required a semi-annual recalculation of depreciation on a sample of assets. As a result, SEC helped to ensure that any errors in the recording of depreciation and related transactions will be timely detected and corrected, and reduced the risk of misstatements in its financial statements related to depreciation and related transactions.
United States Securities and Exchange Commission To address the deficiencies GAO identified in SEC's procedures for conducting its annual property and equipment physical inventory count, the Chairman should direct the COO and CFO to revise control procedures for conducting the annual physical inventory count of property and equipment to include specific steps required to (1) reconcile capitalized property and equipment to be counted with related general ledger balances, (2) reconcile division and office responses to the items listed in the property and equipment report used for the physical count, and (3) assess and appropriately reflect any financial statement impact of any issues identified during the physical count.
Closed – Implemented
During our fiscal year 2012 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's procedures for conducting its annual physical inventory count did not include specific steps to ensure all capitalized assets were counted and that the results were properly reflected in its financial statements. We recommended that SEC revise control procedures for conducting the annual physical inventory count to include specific steps to reconcile capitalized property and equipment to be counted with related general ledger balances, reconcile division and office responses to the items listed in the property and equipment report used for the physical count, and assess and appropriately reflect any financial statement impact of any issues identified during the physical count. In response to our recommendation, in fiscal year 2014, SEC (1) reconciled the inventory report used for performing the physical inventory count of capitalized property and equipment (capitalized assets) to the general ledger balances; (2) reconciled division and office responses to the items listed in the property and equipment report used for the physical count; and (3) used a Board of Survey to assess and appropriately reflect any financial statement impact of any issues identified during the physical count. Therefore, we concluded that SEC has significantly improved its control procedures for conducting the annual physical count of its capitalized assets. As a result, SEC decreased its risk of inaccurate reporting of its capitalized assets in certain of its financial statements.
United States Securities and Exchange Commission The Chairman should direct the COO and CFO to revise existing collection procedures to provide for segregating incompatible responsibilities, including prohibiting an individual from both processing and reviewing electronic collections transactions.
Closed – Implemented
In fiscal year 2013, SEC established a requirement for a secondary review to help ensure accuracy and proper posting of any individual electronic collection transaction in excess of $100,000. As a result, SEC reduced the risk that an individual could both create and conceal an error or irregularity in SEC's collections and accounts receivable balance.
United States Securities and Exchange Commission The Chairman should direct the COO and CFO to revise existing procedures for review of disbursements transactions to include specifically required steps for verification of individual disbursements processed by Treasury to ensure that these disbursements were made for the correct amounts and to the correct payees.
Closed – Implemented
In response to our recommendation, in fiscal year 2013, SEC reviewed disbursements information in its primary financial system and compared the amount and other details to the Treasury schedule amount to ensure accuracy. Additionally, in June 2014 and May 2015, SEC revised its policies to require reviews of disbursements transactions at a detailed level. These revised procedures should reduce the risk of SEC making disgorgement and penalty disbursements for the incorrect amounts and to the incorrect payees.
United States Securities and Exchange Commission The Chairman should direct the COO and CFO to develop and implement control procedures to include specific steps for the review, classification, and disposition of collections in order to properly apply collections to an SEC accounts receivable or transfer collections to either another entity or to Treasury.
Closed – Implemented
In response to our recommendation, in January 2015, SEC designed and implemented control procedures including a monthly review of collections not applied to SEC accounts receivable to determine whether certain of these collections require further action. An SEC staff member documents the results of the review, including classifying collections not applied to SEC accounts receivable, and applying collections to accounts receivable as necessary or transferring collections to Treasury or another entity, as required. If fully and effectively implemented, these control procedures should decrease the risk that the Custodial and Disgorgement and Penalty liability balances will be misstated.
United States Securities and Exchange Commission The Chairman should direct the COO and CFO to revise existing procedures for the monitoring of accounts receivable transactions recorded in the general ledger to specifically require review of all types of accounting entries that could affect the accounts receivable balance, including correcting entries.
Closed – Implemented
During our fiscal year 2012 financial statement audit of the Securities and Exchange Commission (SEC), we found that SEC's monitoring procedures for disgorgement and penalty accounts receivable transactions recorded in the general ledger did not require the review of all transactions affecting the balance of accounts receivables. While the procedures provided for daily review of original receivable transactions recorded in the general ledger, the procedures did not require review of all types of accounting entries that could affect the disgorgement and penalty accounts receivable balance, such as correcting entries. We recommended that SEC revise existing procedures for the monitoring of accounts receivable transactions recorded in the general ledger to specifically require review of all types of accounting entries that could affect the accounts receivable balance, including correcting entries. In response to our recommendation, in March 2013, SEC revised its procedures for the daily review of disgorgement and penalty accounts receivable transactions to include all accounting entries that could affect the accounts receivable balance, including correcting entries. These revised processes should decrease the risk that SEC's disgorgement and penalty transactions will not be properly recorded and reported or that any errors will not be detected and corrected timely.
United States Securities and Exchange Commission The Chairman should direct the COO and CFO to establish a mechanism to ensure that existing supervisory review procedures over manual journal voucher adjustment entries (JV) transactions are followed to ensure that all manual JVs are properly prepared and accurately and timely recorded. These procedures could include sending periodic reminders to JV reviewers emphasizing existing procedures and the importance of adhering to them.
Closed – Implemented
During our fiscal year 2012 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that controls over SEC's supervisory review process for nonrecurring manual journal voucher adjustment entries (JV transactions) were not operating effectively. Specifically, our tests identified several instances in which SEC's controls for review of manual JV transactions did not prevent or timely detect and correct errors made by SEC personnel. We recommended that SEC establish a mechanism to ensure that existing supervisory review procedures over manual JV transactions are followed to ensure that all manual JV transactions are properly prepared and accurately and timely recorded. These procedures could include sending periodic reminders to JV transaction reviewers emphasizing existing procedures and the importance of adhering to them. In response to our recommendation, in August 2012, SEC created a journal voucher policy which details procedures for the review of journal vouchers. Also, in fiscal year 2014, we did not identify issues in our testing of SEC's JV transactions. We therefore determined that SEC had established appropriate mechanisms for review of its JV transactions, which helped to ensure that existing supervisory review procedures over JV transactions were followed and that JV transactions were properly prepared and accurately and timely recorded. Further, these procedures decreased the risk of material misstatements in SEC's financial statements that may occur from its processing and recording of JV transactions.
United States Securities and Exchange Commission The Chairman should direct the COO and CFO to establish a mechanism to ensure that procedures for reviewing JVs processed by SEC's service provider are followed to ensure that all manual JVs are recorded in the general ledger in accordance with the JV forms approved by SEC management.
Closed – Implemented
In fiscal year 2013, SEC's Office of Financial Management developed and implemented procedures for reviewing JVs. Specifically, SEC developed a list of recurring JV entries to facilitate the efficiency of the JV review process and implemented quality-control monitoring processes that required the review and approval of the JVs by the appropriate branch chief. As a result of these new review procedures, SEC significantly improved internal controls over manual JVs and reduced the risk of misstatements in its financial statements resulting from erroneous JVs.
United States Securities and Exchange Commission The Chairman should direct the COO and CFO to revise SEC's procedures for evaluating the ongoing reasonableness of its account payable accrual methodology to include steps to ensure that the results of reviews will be projectable to the population and any variances derived from its review, in aggregate, are acceptable for financial reporting purposes.
Closed – Implemented
In fiscal year 2013, SEC revised its accounts payable accrual review process to consider all accounts payable accrual amounts, incorporate analytical review and statistical sampling procedures, and increase the number of items reviewed. As a result, SEC reduced the risk of misstatements related to accounts payable accrual amounts reported in its financial statements.
United States Securities and Exchange Commission The Chairman should direct the COO and CFO to revise the accounts payable accrual methodology to specify required steps for properly considering obligation amounts for capitalized assets.
Closed – Implemented
In fiscal year 2013, SEC revised its accounts payable accrual review process to consider all accounts payable accrual amounts, incorporate analytical review and statistical sampling procedures, and increase the number of items reviewed. As a result, SEC reduced the risk of misstatements related to accounts payable accrual amounts reported in its financial statements.
United States Securities and Exchange Commission The Chairman should direct the COO and Chief Information Officer to augment control procedures over SEC's information security to include specific steps for (1) configuring SEC's remote host and network infrastructure devices to require the use of strong passwords; (2) disabling access of all contractors and employees to SEC's networks or financial applications upon separation from SEC; (3) monitoring compliance with information security policies, such as by enabling audit and monitoring of software on servers that support financial applications; and (4) mitigating software vulnerabilities, for example, by requiring installation (or deployment) of high-risk patches, consistent with SEC policy.
Closed – Implemented
Recommendation closed based on agency corrective actions implemented in fiscal years 2015 and 2016. We confirmed that SEC (1) strengthened its password configuration, (2) disabled access of contractors and employees to SEC's networks or financial applications upon separation from SEC, (3) enabled audit and monitoring capabilities to help ensure compliance with information security policies, and (4) deployed high-risk patches on its financial applications to mitigate software vulnerabilities.

Full Report

GAO Contacts

James R. Dalkin
Director
Financial Management and Assurance

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Risk assessment, Monitoring, Documentation, Records management, Financial audits, Internal controls, Financial reporting, Financial statements, Budgetary resources, Financial instruments