Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures
Highlights
What GAO Found
During its audit of the U.S. Securities and Exchange Commission’s (SEC) fiscal year 2013 financial statements, GAO identified several deficiencies in SEC’s internal control over financial reporting that it did not consider to be material weaknesses or significant deficiencies, either individually or collectively, but which nonetheless warrant SEC management’s attention. These deficiencies related to
- procedures for transferring disgorgement and penalty-related funds to the Department of the Treasury (Treasury),
- monitoring of disgorgement and penalty-related cases filed in courts,
- segregation of duties for recording disgorgement and penalty-related financial data,
- safeguarding of SEC cash receipts received at its service provider,
- recording of property and equipment transactions, and
- management’s review of legal contingencies and significant events.
GAO is making 9 new recommendations to address these deficiencies in SEC’s controls over financial reporting. Further, GAO’s follow-up on the status of internal control recommendations that it made in prior reports found that SEC took action to fully address 24 of 40 prior years’ recommendations that remained open at the beginning of fiscal year 2013. Consequently, SEC currently has 25 recommendations that need to be addressed—the 16 prior recommendations and the 9 new ones being made in this report.
Why GAO Did This Study
During GAO’s audit of SEC’s fiscal year 2013 financial statements, GAO identified several deficiencies in SEC’s internal control over financial reporting that it did not consider to be material weaknesses or significant deficiencies, either individually or collectively, but which nonetheless warrant SEC management’s attention. The recommendations provided in this report will help improve internal control over financial reporting at SEC. In addition, this report provides summary information on the status of SEC’s actions to address the open recommendations from prior GAO reports.
Recommendations
GAO is making nine new recommendations to address deficiencies in SEC’s controls over financial reporting.
In commenting on a draft of this report, SEC acknowledged that the report contained a number of helpful recommendations to strengthen SEC’s internal controls over financial reporting. Further, the SEC Chair stated that SEC is working to address the recommendations contained in the report and that SEC remains committed to investing the time and resources to maintain strong and sustainable internal control over financial reporting.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
United States Securities and Exchange Commission | The Chair should direct the Chief Operating Officer (COO) and Chief Financial Officer (CFO) to develop and implement specific procedures for documenting (1) the funds availability validation procedures performed and (2) the supervisory review to ensure that validation of funds availability procedures is appropriately performed prior to transferring disgorgement and penalty-related funds to Treasury. | In response to our recommendation, in July 2014, SEC developed, and in August 2015, SEC implemented specific procedures to validate funds availability, to document the validation, and to document a supervisory review to ensure sufficient funds were available in the judgment accounts prior to the transfers to Treasury. If fully and effectively implemented, the new procedures will decrease the risk of misstatements in individual judgment accounts that are collectively reported in SEC's financial statements. |
United States Securities and Exchange Commission | The Chair should direct the COO and CFO to enhance current SEC procedures over the daily reconciliation process by developing and implementing sufficiently detailed operating procedures that include specific review procedures to be followed, such as verifying that the alert in CourtLink was actually established and documenting that this review procedure had been performed, to ensure that all SEC disgorgement and penalty judgment cases are tracked in CourtLink and uploaded into ImageNow. | In response to our recommendation, in April 2015, SEC designed and implemented detailed operating procedures for reviewing reconciliations to ensure that all receivables and adjustments impacting SEC's financial statements are tracked in CourtLink (a research service SEC uses to obtain notification of new civil cases filed in court) and uploaded into ImageNow (SEC's system for tracking disgorgement and penalty cases to determine whether accounts receivable should be recorded). Specifically, on a monthly basis, SEC staff review the reconciliation between ImageNow and the CourtLink interface. The staff verifies the CourtLink alerts are established and that ImageNow is uploading documents for all SEC disgorgement and penalty judgment cases that are tracked. These revised processes should decrease the risk that SEC's disgorgement and penalty transactions will not be properly and timely recorded. |
United States Securities and Exchange Commission | The Chair should direct the COO and CFO to restrict user roles in SEC's system for tracking and documenting processes leading to the recording of financial data related to disgorgement and penalty transactions to ensure proper segregation of duties and compliance with SEC's policies and procedures for assigning user roles. | During our fiscal year 2013 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not fully segregate certain incompatible duties in assigning user roles in SEC's system used for tracking disgorgement and penalties cases. Specifically, we found that both an SEC branch chief and the branch chief's backup had access to all user roles (e.g., create, audit, and approve the recording of transactions) in the system. We recommended that SEC restrict user roles in SEC's system for tracking and documenting processes leading to the recording of financial data related to disgorgement and penalty transactions to ensure proper segregation of duties and compliance with SEC's policies and procedures for assigning user roles. In response to our recommendation, in August 2014, SEC updated its procedures and implemented controls, such as approval of user privileges by a designated manager and a semiannual review of user privileges, to mitigate the segregation of duties risk and restrict user roles for tracking and documenting the recording of financial data related to disgorgement and penalty transactions. Also, in fiscal year 2014, SEC restricted user roles in the system to ensure proper segregation of duties. As a result, SEC has reduced the risk of fraud or error in the recording of disgorgement and penalty transactions. |
United States Securities and Exchange Commission | The Chair should direct the COO and CFO to coordinate with SEC's service provider to develop and implement controls to (1) physically secure cash receipts received by the service provider on SEC's behalf prior to delivery and processing in the general accounting branch and (2) log mail as it is opened in the general accounting branch and store checks in a safe or other locked facility until deposited. | In response to our recommendation, SEC coordinated with its shared-service provider to implement controls in May 2016 over its daily deposit procedures. These procedures required cash receipts to be secured in a lockbox until deposited, two personnel to open and log cash receipts, and segregation of duties for staff assignments. These controls will help reduce the risk of loss to SEC collections processed by its service provider. |
United States Securities and Exchange Commission | The Chair should direct the COO and CFO to coordinate with SEC's service provider to request that its service auditor test safeguarding controls over cash receipts received by the service provider on SEC's behalf and report on the design and operation of such controls in the service auditor's report. | In response to our recommendation, SEC coordinated with its service provider to request that the service provider's auditor (1) test safeguarding controls over cash receipts received by the service provider on SEC's behalf and (2) report on the design and operation of such controls in the auditor's report on the service provider. As a result, the service auditor's report, issued August 2016, included the results of the auditor's assessment of the design and operation of the service provider's controls to safeguard cash. These actions addressed our recommendation. |
United States Securities and Exchange Commission | The Chair should direct the COO and CFO to develop and implement control procedures to ensure that responsible offices timely complete and submit the required documentation to the service provider for recording of an asset into the FA module in the same accounting month as it is received or placed in service. | In response to our recommendation, in May 2015 SEC implemented a Mass Additions SharePoint site that allows SEC to automate and monitor activity to help ensure that required documents are submitted for timely posting of property and equipment transactions in its subsidiary ledger. The Mass Additions site captures invoice information entered by the service provider and newly acquired asset information entered by property personnel upon receipt of the asset. When requested information needed to complete processing of transactions is overdue, e-mail alerts are sent to managers to notify them of the delay. These corrective actions have resulted in the timely posting of capital assets in the subsidiary ledger, as evidenced by the results of a June 2016 analysis, which showed that a majority of new and reclassified asset transactions that post on the Mass Additions site are recorded into the subsidiary ledger within 30 days. These actions address our recommendation. |
United States Securities and Exchange Commission | The Chair should direct the COO and CFO to develop and implement control procedures for the timely processing of reclassification forms into the Fixed Asset module to ensure that such forms are processed in the same month that the assets are placed into service. | During our fiscal year 2013 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC lacked effective controls to ensure the timely recording of its property and equipment transactions in its Fixed Asset (FA) module (subsidiary ledger). Specifically, we found a reclassification form for $3.2 million, to capitalize previously expensed costs, was not recorded until 7 months after the assets were placed in service. We recommended that SEC develop and implement control procedures for the timely processing of reclassification forms into the FA module to ensure that such forms are processed in the same month that the assets are placed into service. In response to our recommendation, in June 2014, SEC established procedures to review, weekly, expensed asset acquisitions to determine the need to reclassify asset acquisitions that meet SEC's capitalization criteria prior to being posted into the FA module. During our fiscal year 2014 audit of SEC's financial statements, specifically our test of capitalizable asset acquisitions, we did not find untimely recording of capitalizable asset acquisitions. We therefore concluded that reclassifications of expensed capitalizable costs were timely performed and that SEC effectively implemented control procedures that ensured timely processing of asset reclassification forms into the FA module. As a result, SEC reduced the risk of misstatement in SEC's property and equipment balances reported in its financial statements. |
United States Securities and Exchange Commission | The Chair should direct the COO and CFO to implement controls to ensure that procedures for reviewing legal contingencies reflected in the management schedule are followed and that such reviews are properly documented. | During our fiscal year 2013 audit of the Securities and Exchange Commission's (SEC) financial statements, we found certain inconsistencies of legal contingencies discussed in SEC's interim legal representation letter (letter) and the related management schedule prepared to document management's evaluation of the contingencies discussed in the letter. For example, the letter stated that discussions were ongoing related to certain claims that appeared to constitute liabilities to be recorded in SEC's financial statements. Although SEC did not ultimately record these claims as liabilities, the management schedule did not sufficiently document management's assessment that these asserted claims were not liabilities. We recommended that SEC implement controls to ensure that procedures for reviewing legal contingencies reflected in the management schedule are followed and that such reviews are properly documented. In response to our recommendation, in May 2014, SEC updated its contingency and subsequent events policy and procedures to include steps to cross reference the management schedule to the legal representation letter and to specify the individuals who must review the management schedule. Also, in fiscal year 2014, we did not find errors or inconsistencies in the legal representation letter and the related Office of Financial Management's management schedules. Therefore, we determined that SEC had implemented adequate controls for reviewing legal contingencies, as we recommended. As a result, SEC significantly improved its procedures for reviewing legal contingencies and reduced the risk of misstatement related to legal liabilities reported in its financial statements. |
United States Securities and Exchange Commission | The Chair should direct the COO and CFO to develop and implement control procedures for timely assessment and, as applicable, timely recording of significant events with financial consequences. | During our fiscal year 2013 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have a process for ensuring that it timely analyzed significant events with potential financial consequences and recorded any necessary transactions in its financial records. Specifically, SEC management did not review the financial implications of its April 23, 2013, announcement informing its employees of a 1 percent supplemental retirement benefit until October 2013, after the end of the fiscal year. We recommended that SEC develop and implement control procedures for timely assessment and, as applicable, timely recording of significant events with financial consequences. In response to our recommendation, in May 2014 SEC updated its control procedures for subsequent events to require a data call with the Office of Human Resources to discuss any significant events. SEC's Office of Financial Management and Office of Human Resources met in the third and fourth quarter of fiscal year 2014 and documented this meeting. As a result, we determined that SEC has improved its procedures for assessing and recording significant events and therefore reduced the risk of misstatements related to significant events reported in its financial statements. |