This is the accessible text file for GAO report number GAO-14-416R entitled 'Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures' which was released on May 12, 2014.

United States Government Accountability Office: GAO: 441 G St. N.W. Washington, DC 20548: May 12, 2014: The Honorable Mary Jo White: Chair: U.S. Securities and Exchange Commission: Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures: Dear Ms. White: On December 16, 2013, we issued our report containing our opinion on the U.S. 
Securities and Exchange Commission's (SEC) and its Investor Protection Fund's (IPF)[Footnote 1] fiscal years 2013 and 2012 financial statements.[Footnote 2] Our December 2013 report also included (1) our evaluation of SEC's compliance with selected provisions of applicable laws, regulations, contracts, and grant agreements during fiscal year 2013 and (2) our opinion on the effectiveness of SEC's internal control over financial reporting as of September 30, 2013, including a significant deficiency in SEC's internal control over financial reporting resulting from continuing and new deficiencies in SEC's internal control over information security.[Footnote 3] In April 2014, we issued a separate report on the information security issues identified during our fiscal year 2013 audit, including the new issues that collectively contributed to the significant deficiency, along with associated recommendations for corrective actions.[Footnote 4] The purpose of this report is to (1) communicate other less significant deficiencies we identified in SEC's internal controls during our fiscal year 2013 audit, along with our related recommendations, and (2) provide an overview of the status of our prior recommendations reported as new or open in our April 13, 2013, SEC management report (see enclosure I).[Footnote 5] Results in Brief: During our audit of SEC's fiscal year 2013 financial statements, we identified several new deficiencies in SEC's internal control over financial reporting that we did not consider to be material weaknesses or significant deficiencies, either individually or collectively, but nonetheless warrant SEC management's attention. 
These deficiencies related to:

* procedures for transferring disgorgement and penalty-related funds to the Department of the Treasury (Treasury),
* monitoring of disgorgement and penalty related cases filed in courts,[Footnote 6]
* segregation of duties for recording disgorgement and penalty-related financial data,
* safeguarding of SEC cash receipts received at its service provider,
* recording of property and equipment transactions, and
* management's review of legal contingencies and significant events.

We are making 9 new recommendations to address these deficiencies in SEC's controls over financial reporting. Further, our follow-up on the status of internal control recommendations we made in our prior reports found that SEC took action to fully address 24 of 40 prior years' recommendations that remained open at the beginning of fiscal year 2013.[Footnote 7] Consequently, SEC currently has 25 recommendations that need to be addressed--the 16 prior recommendations as well as the 9 new ones we are making in this report. Enclosure I provides summary information on the status of SEC's actions to address the recommendations reported as open from our prior audits as of the conclusion of our fiscal year 2013 audit.

In commenting on a draft of this report, SEC acknowledged that the report contained a number of helpful recommendations to strengthen SEC's internal controls over financial reporting. Further, the SEC Chair stated that SEC is working to address the recommendations contained in the report and that SEC remains committed to investing the time and resources to maintain strong and sustainable internal control over financial reporting. SEC's written comments are reprinted in enclosure II. 
Scope and Methodology: As part of our audit of SEC's and IPF's fiscal years 2013 and 2012 financial statements, we evaluated SEC's and IPF's internal controls over financial reporting and tested SEC's compliance with selected provisions of laws, regulations, contracts, and grant agreements. We designed our audit procedures to test relevant controls over financial reporting, including those designed to provide reasonable assurance that transactions are properly recorded, processed, and summarized to permit the preparation of financial statements in conformity with U.S. generally accepted accounting principles, and that assets are safeguarded against loss from unauthorized acquisition, use, or disposition. As part of our audit, we considered and evaluated the work performed and conclusions reached by SEC management in its internal control assessment.[Footnote 8] A full discussion of our responsibility for the audit of SEC's and IPF's financial statements and internal control over financial reporting is included in our December 2013 report on our audit of SEC's and IPF's fiscal years 2013 and 2012 financial statements.[Footnote 9] We conducted our audit of SEC's and IPF's fiscal years 2013 and 2012 financial statements in accordance with U.S. generally accepted government auditing standards. We believe our audit provided a reasonable basis for our conclusions in this report. Procedures for Transferring Disgorgement and Penalty Related Funds to Treasury: During our fiscal year 2013 audit, we found that SEC did not have effective controls over funds transferred to Treasury. These funds represent disgorgement and penalty collections from violators of securities laws for which distribution to harmed investors is not feasible. Specifically, for 3 of 16 fund transfers to Treasury we tested, we found no evidence that SEC performed the required validation procedures to ensure that sufficient funds were available in the judgment accounts prior to the transfers. 
These transfers resulted in negative judgment account balances, which SEC subsequently found and corrected. As part of its enforcement responsibilities, SEC issues orders and administers judgments imposing disgorgement and civil monetary penalties on violators of federal securities laws and requiring payment of related interest. SEC establishes an accounts receivable and offsetting liability for these amounts ordered payable to SEC. Amounts collected by SEC are distributed to harmed investors when feasible, transferred to SEC's IPF, or transferred to the U.S. Treasury General Fund.[Footnote 10] Amounts collected on behalf of harmed investors, but for which distribution is not feasible, are included in SEC's fund balance with Treasury and tracked internally by SEC in individual judgment accounts until transferred to Treasury. [Footnote 11] SEC's procedures require that staff perform validation of funds availability procedures monthly to ensure that the judgment accounts have sufficient funds available to cover any transfers and that those procedures be reviewed by responsible personnel prior to transferring such amounts to Treasury. However, SEC's procedures did not include detailed requirements for documenting (1) the funds availability validation procedures performed and (2) the supervisory review to ensure that the funds availability validation procedures were properly performed. 
Standards for Internal Control in the Federal Government provides that internal control activities include a wide range of diverse control activities that management should establish, such as approvals, reconciliations, authorizations, and verifications, to ensure that all transactions are completely and accurately recorded.[Footnote 12] Although SEC subsequently corrected the errors resulting from the erroneous transfers, the lack of specific procedures for documenting performance and review of the validation of funds availability increases the risk that this validation process does not occur, which, in turn, increases the risk of misstatements in individual judgment accounts that are collectively reported in SEC's financial statements. Recommendation for Executive Action: We recommend that the Chair direct the COO and CFO to take the following specific actions: 1. Develop and implement specific procedures for documenting (1) the funds availability validation procedures performed and (2) the supervisory review to ensure that validation of funds availability procedures is appropriately performed prior to transferring disgorgement and penalty-related funds to Treasury. Monitoring of Disgorgement and Penalty Related Cases Filed in Court: During our fiscal year 2013 audit, we found that SEC did not always implement existing reconciliation procedures or have effective review procedures to help ensure that all disgorgement and penalty cases that include amounts payable to SEC were identified and uploaded into ImageNow, SEC's system for tracking these cases to determine whether an accounts receivable should be recorded. Specifically, our testing of SEC's daily reconciliations found that three civil cases were not properly uploaded into ImageNow. In one case, the error would have resulted in an understatement of SEC's accounts receivable of at least $1 million had we not brought this issue to SEC's attention. 
SEC uses the LexisNexis CourtLink docket research tool to identify civil cases filed in court that could result in final judgments against a securities law violator with amounts ordered payable to SEC, or third parties (disgorgement and penalty judgment cases).[Footnote 13] To help ensure the completeness of its recorded accounts receivable, SEC's daily procedures require SEC staff to (1) review CourtLink alerts of newly filed cases to identify potential disgorgement and penalty judgment cases where SEC is the litigant, (2) establish or turn on an automatic tracking option in CourtLink to monitor the progress of SEC cases that were identified, and (3) update a spreadsheet that SEC maintains to track SEC civil cases for the new cases that were identified. ImageNow interfaces with and uploads CourtLink case docket information that has been identified for automated tracking. SEC personnel then review the case docket information in ImageNow to determine whether a disgorgement and penalty financial transaction, such as establishing an accounts receivable, is required. If required, the information is forwarded to the responsible offices and personnel to create, review, audit, and post the disgorgement and penalty transaction into SEC's financial system. Further, SEC's daily procedures require the reconciliation of the spreadsheet to the related cases in ImageNow. However, our review of SEC's daily reconciliations for the last few days before the close of the fiscal year found that the reconciliations did not identify differences between the spreadsheet and ImageNow, which occurred because alerts were not turned on in CourtLink. Consequently, the case information for these cases was not uploaded into ImageNow and reviewed to determine whether a disgorgement and penalty transaction should have been recorded for any of these cases in SEC's financial system. 
The existing requirement for reconciliations was not effectively implemented, and review procedures did not detect the error because the procedures for reviewing the reconciliations did not include specific review procedures to be followed, such as verifying that the alert in CourtLink was actually established and documenting that this review procedure had been performed. Standards for Internal Control in the Federal Government provides that an agency's control activities should be established to ensure that all transactions are completely and accurately recorded.[Footnote 14] The lack of sufficiently detailed review procedures to ensure that reconciliation is performed consistently and effectively increases the risk of misstatements in SEC's financial statements related to receivables that may not be recorded timely. Recommendation for Executive Action: We recommend that the Chair direct the Chief Operating Officer (COO) and Chief Financial Officer (CFO) to take the following specific action: 2. Enhance current SEC procedures over the daily reconciliation process by developing and implementing sufficiently detailed operating procedures that include specific review procedures to be followed, such as verifying that the alert in CourtLink was actually established and documenting that this review procedure had been performed, to ensure that all SEC disgorgement and penalty judgment cases are tracked in CourtLink and uploaded into ImageNow. Segregation of Duties for Recording Disgorgement and Penalty Related Financial Data: During our fiscal year 2013 audit, we found that SEC did not fully segregate certain incompatible duties in assigning user roles in SEC's system used for tracking disgorgement and penalty cases. 
This system has numerous user roles--such as creating, editing, reviewing, auditing, and approving--leading to the recording of financial data for disgorgement and penalties.[Footnote 15] During our audit, we found that both an SEC branch chief and the branch chief's backup had access to all roles (e.g., create, audit, and approve recording of transactions) in the system. Given that the SEC branch chief's roles were reviewer and approver of disgorgement and penalty transactions, allowing the branch chief and the branch chief's backup to have access to other roles, such as the creation and edit roles, increases the risk that they could both create and conceal or perpetuate an error or irregularity in the processing of SEC's financial transactions. For example, a staff member with access to all roles in the system could both create and approve fraudulent transactions and have these processed and recorded in SEC's financial records. This lack of segregation of duties in the system occurred because the user roles given to the branch chief and the branch chief's backup were not appropriately reviewed to ensure that they complied with SEC's segregation of duties and least privilege policies. SEC's practice permits business process owners, in this case the branch chief, to authorize and approve roles assigned to staff for accessing SEC's systems. SEC's least privilege policy states that all information system users should be granted the minimum set of privileges necessary to accomplish assigned tasks in accordance with SEC's mission and business processes. Further, Standards for Internal Control in the Federal Government states that key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities of authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. 
Allowing staff the ability to both create and approve transactions in SEC's system increases SEC's risk of fraud or error. Recommendation for Executive Action: We recommend that the Chair direct the COO and CFO to take the following specific action: 3. Restrict user roles in SEC's system for tracking and documenting processes leading to the recording of financial data related to disgorgement and penalty transactions to ensure proper segregation of duties and compliance with SEC's policies and procedures for assigning user roles. Safeguarding of SEC Cash Receipts Received at Its Service Provider: During our fiscal year 2013 audit, we found that SEC did not ensure that effective safeguarding controls were in place for checks collected on its behalf by its external federal shared service provider (service provider). SEC's service provider is responsible for the full accounting and reporting of SEC's financial transactions, including receipt of checks on SEC's behalf for payments of amounts assessed against violators of securities laws relating to disgorgement of illegal gains, civil penalties, and related assessed interest. However, our review of the service provider's auditor's (service auditor) report found that the service auditor did not report on any testing of safeguarding controls over SEC cash receipts.[Footnote 16] In response to GAO's inquiry, SEC followed up with its service provider regarding safeguarding controls over SEC's collections and found that the service provider did not have (1) procedures in place to ensure that checks received in the mailroom, on behalf of SEC, were properly secured prior to delivery and processing in the general accounting branch or (2) safeguards in place in the general accounting branch to ensure that mail was logged as it was opened and checks were stored in a safe or other locked facility until deposited. 
Standards for Internal Control in the Federal Government provides that an agency must establish physical control to secure and safeguard vulnerable assets. Examples include security for and limited access to assets such as cash, securities, inventories, and equipment that might be vulnerable to risk of loss or unauthorized use. Such assets should be periodically counted and compared to control records. Further, the internal control standards require that management should establish specific control activities to ensure that transactions are completely and accurately recorded. The lack of safeguarding controls over SEC's cash collections at its service provider exposed SEC to risk of loss from theft or misappropriation. Recommendations for Executive Action: We recommend that the Chair direct the COO and CFO to take the following specific actions: 4. Coordinate with SEC's service provider to develop and implement controls to (1) physically secure cash receipts received by the service provider on SEC's behalf prior to delivery and processing in the general accounting branch and (2) log mail as it is opened in the general accounting branch and store checks in a safe or other locked facility until deposited. 5. Coordinate with SEC's service provider to request that its service auditor test safeguarding controls over cash receipts received by the service provider on SEC's behalf and report on the design and operation of such controls in the service auditor's report. 
Recording of Property and Equipment Transactions: During our fiscal year 2013 audit, we found that SEC lacked effective controls to ensure timely recording of its property and equipment transactions in its Fixed Asset (FA) module (subsidiary ledger), which is maintained by its service provider.[Footnote 17] Specifically, we found that SEC did not always timely complete and submit required documentation[Footnote 18] to its service provider, which depends on SEC's timely processing of these documents in order to record receipt of property and equipment assets in the FA subsidiary ledger. Of 45 randomly selected asset acquisitions tested, we found that 25 were not processed in the FA module in the accounting month when the asset was received to ensure accurate monthly financial reporting. The variance between the actual asset receipt date and the receiving office's review date on the documentation ranged from 1 to 6 months. This occurred because SEC's policies and procedures for property and equipment did not establish time frames for completion and submission of documentation to the service provider and because SEC did not have controls in place, such as monitoring procedures, to ensure that responsible offices timely completed and submitted required documentation to SEC's service provider for processing after receipt of property and equipment assets. We also found a reclassification form for $3.2 million of erroneously expensed capitalizable costs that was not recorded in the FA module until 7 months after the assets were placed in service. SEC reviews its expense accounts monthly to identify and correct capitalizable costs that were erroneously expensed. Delayed recording of the reclassification form occurred because SEC did not have procedures or a policy in place requiring the timely processing of reclassification forms in the FA module to properly record any costs that had been erroneously expensed. 
To compensate for the delayed processing of property and equipment transactions in the FA module, SEC routinely prepared manual adjustments to record the property and equipment items and related depreciation in the general ledger until such time that the transaction was processed in the FA module. However, the lack of systematic and timely processing of transactions in the FA module and reliance on manual adjustments place SEC at increased risk that its property and equipment balances may be misstated. Standards for Internal Control in the Federal Government provides that management should establish specific control activities to ensure that all transactions are timely, completely, and accurately recorded. SEC's lack of adequate controls increases the risk of misstatements in the financial statements related to property and equipment transactions. Recommendations for Executive Action: We recommend that the Chair direct the COO and CFO to take the following specific actions: 6. Develop and implement control procedures to ensure that responsible offices timely complete and submit the required documentation to the service provider for recording of an asset into the FA module in the same accounting month as it is received or placed in service. 7. Develop and implement control procedures for the timely processing of reclassification forms into the FA module to ensure that such forms are processed in the same month that the assets are placed into service. Management's Review of Legal Contingencies and Significant Events: During our fiscal year 2013 audit, we found that SEC's controls over its management review process for (1) legal contingencies reflected in the management schedule and (2) significant events occurring during the year were not operating effectively, as specified below. 
* We found certain inconsistencies during our review of legal contingencies discussed in SEC's interim legal representation letter (letter) and the related management schedule prepared to document management's evaluation of the contingencies discussed in the letter. [Footnote 19] For example, the letter stated that discussions were ongoing related to certain claims that appeared to constitute liabilities to be recorded in SEC's financial statements. Although SEC did not ultimately record these claims as liabilities, the management schedule did not sufficiently document management's assessment that these asserted claims were not liabilities. This occurred because established procedures were not followed. SEC's procedures require the management schedule to be reviewed by the CFO, the Chief Accounting Officer, the Office of Financial Management (OFM) Assistant Director, and the OFM Financial Reporting Branch Chief. However, SEC officials informed us that only SEC's CFO had reviewed the interim management schedule. Additionally, the CFO's review of this schedule was not documented, and SEC's procedures did not require that the review be documented. Although SEC subsequently modified the interim management schedule, resolving the inconsistencies we had identified by stating that the claims remained unsupported and that the likelihood of a liability was remote, SEC's lack of sufficient review and documentation of such review increases the risk of misstatement in SEC's financial statements related to legal liabilities. * SEC did not have a process for ensuring that it timely analyzed significant events with potential financial consequences and recorded any necessary transactions in its financial records. Specifically, SEC management did not review the financial implications of its April 23, 2013, announcement informing its employees of a 1 percent supplemental retirement benefit until October 2013, after the end of the fiscal year. 
SEC did not have a process in place for reviewing significant events at interim periods to ensure accurate and complete interim financial reporting. SEC only performed this review in conjunction with its year-end financial reporting processes. Although SEC considered this an uncorrected misstatement that did not significantly misstate its fiscal year 2013 financial statements, it nevertheless understated both its interim and year-end fiscal year 2013 financial statements by about $4.5 million. Standards for Internal Control in the Federal Government provides that management should establish specific control activities to ensure that transactions are timely, completely, and accurately recorded. Without effective management review procedures over contingencies and significant events, SEC will continue to be at risk of misstatements in its financial statements. Recommendations for Executive Action: We recommend that the Chair direct the COO and CFO to take the following specific actions: 8. Implement controls to ensure that procedures for reviewing legal contingencies reflected in the management schedule are followed and that such reviews are properly documented. 9. Develop and implement control procedures for timely assessment and, as applicable, timely recording of significant events with financial consequences. Overview of the Status of Prior Audit Recommendations: During our audit of SEC's fiscal year 2013 financial statements, we found that SEC took action to address many of the recommendations from our prior reports. Specifically, as summarized in enclosure I, SEC took action to fully address 24 of the 40 recommendations reported as open in our April 4, 2013, management report.[Footnote 20] The 16 recommendations that remained open as of the end of our fiscal year 2013 financial statement audit relate to budgetary resources, disgorgement and penalties and investments, financial reporting, payroll, property and equipment, and information security. 
Agency Comments and Our Evaluation:

In her April 30, 2014, written comments on a draft of this report, the SEC Chair stated that the report contained a number of helpful recommendations to strengthen SEC's internal controls over financial reporting. Further, the SEC Chair stated that SEC is working to address the recommendations contained in the report and that SEC remains committed to investing the time and resources to maintain strong and sustainable internal control over financial reporting. Specifically, the Chair stated that efforts are under way in such areas as:

* new procedures for transferring disgorgement and penalty-related funds to Treasury,
* improved monitoring of disgorgement and penalty-related cases filed in courts,
* better segregation of duties for recording disgorgement and penalty-related financial data,
* further safeguards for SEC cash receipts received at its service provider,
* enhancements to the process for recording property and equipment transactions, and
* tightened management review of legal contingencies and significant events.

We believe SEC's proposed actions, if effectively designed and implemented, will address the issues we reported and thus satisfy our recommendations. We will follow up on the progress of SEC's actions in these areas during our fiscal year 2014 financial statement audit. SEC's written comments are reprinted in enclosure II.

This report contains recommendations to you. The head of a federal agency is required by 31 U.S.C. § 720 to submit a written statement on actions taken on the recommendations to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Oversight and Government Reform not later than 60 days from the date of this report. A written statement also must be sent to the House and Senate Committees on Appropriations with your agency's first request for appropriations made more than 60 days after the date of this report. 
This report is intended for use by SEC management. We are sending copies of this report to the Chairmen and Ranking Members of the Senate Committee on Banking, Housing, and Urban Affairs; the Senate Committee on Homeland Security and Governmental Affairs; the House Committee on Financial Services; and the House Committee on Oversight and Government Reform. We are also sending copies to the Secretary of the Treasury, the Director of the Office of Management and Budget, and other interested parties. In addition, this report is available at no charge on the GAO website at [hyperlink, http://www.gao.gov].

We acknowledge and appreciate the cooperation and assistance provided by SEC management and staff during our audit of SEC's fiscal years 2013 and 2012 financial statements. If you have any questions about this report or need assistance in addressing these issues, please contact James R. Dalkin at (202) 512-3133 or dalkinj@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff members who made key contributions to this report are listed in enclosure III.

Sincerely yours,

Signed by:

James R. Dalkin:
Director, Financial Management and Assurance:

Enclosures - 3:

[End of section]

Enclosure I: Status of Recommendations from Prior Audits Reported as Open in GAO's 2012 Management Report[Footnote 21]

Audit area: Budgetary resources;

1. Correct general ledger system configurations to properly account for upward and downward adjustments of prior years' undelivered orders in accordance with the U.S. Standard General Ledger; Year initially reported: 2008; Status of corrective action: In progress.

2. Develop and implement reconciliation, validation, and analytical procedures to ensure the reliability of the Open Obligations Review Reports used by the various SEC divisions and offices in their review of unliquidated obligations; Year initially reported: 2011; Status of corrective action: Completed.

3. Augment existing policies and procedures for recording obligations to include, at a minimum, (a) backup procedures for the recording of obligations in the event that responsible employees are unable to perform their assigned duties and (b) controls designed to ensure that SEC offices submit obligating documents to OFM for processing as obligations are incurred; Year initially reported: 2011; Status of corrective action: In progress.

4. Develop and implement documented control procedures to ensure liquidation and/or deobligation of remaining travel obligations after the completion of the travel; Year initially reported: 2011; Status of corrective action: In progress.

5. Until such time that SEC is able to correct configuration limitations of its general ledger system, implement procedures to prepare and post correcting budgetary transactions prior to the close of the monthly accounting period; Year initially reported: 2011; Status of corrective action: Completed.

6. Develop and implement policies and procedures detailing the steps and documentation required to effectively control and monitor travel expenses paid through the central billing account (CBA), including steps required to ensure documented receipt of refunds or credits for travel/tickets that were previously paid for by SEC but subsequently canceled; Year initially reported: 2011; Status of corrective action: In progress.

7. Enhance current procedures for supervisory review to include required steps for ensuring (a) the accuracy and completeness of the obligation transaction and contract information prior to recording the obligation in the general ledger records and (b) timely recording of obligation transactions in the general ledger; Year initially reported: 2012; Status of corrective action: Completed.

8. Implement system controls to ensure that all applicable information (such as POP) is recorded in the financial system and can be associated with its obligation record; Year initially reported: 2012; Status of corrective action: Completed.

9. Implement system controls to provide for the review and approval of all obligation transactions and all related contract information by appropriate officials prior to posting the information in the general ledger records; Year initially reported: 2012; Status of corrective action: Completed.

10. Revise agency regulation SECR 14-1 to clearly delineate circumstances under which authority for obligating agency budgetary resources can be delegated to appropriate personnel other than the CO, compare current SOPs and BPPs with SECR 14-1, and make any necessary conforming changes; Year initially reported: 2012; Status of corrective action: In progress.

11. Develop and implement procedures for ongoing monitoring of open obligations for validity and timely closeout of any open obligations that are no longer valid. These should include (a) quarterly review of open obligations for ongoing validity based on end of POP or contract completion dates and (b) reconciling SEC's records of contract activity and balances with its key vendors, at least annually; Year initially reported: 2012; Status of corrective action: Completed.

12. Finalize procedures requiring monitoring of SEC's service provider's accounting and reporting on budgetary resources to include required steps and documentation requirements for monthly review of the propriety and accuracy of downward adjustment transactions to identify and process any necessary adjusting entries; Year initially reported: 2013; Status of corrective action: Completed.

13. As part of the annual risk assessment process, include required steps for assessing SEC's monitoring controls to identify, document, and record any downward adjustment transactions to SEC's prior year obligations in the general ledger; Year initially reported: 2013; Status of corrective action: In progress.

14. Develop and implement control procedures to monthly reconcile the budget execution module (subsidiary ledger) to the related general ledger account balances for SEC's apportioned but unobligated balances; Year initially reported: 2013; Status of corrective action: Completed.

Audit area: Disgorgement and penalties and investments:

15. Develop and implement an automated subledger that interfaces with the general ledger for investment and disgorgement and penalty liability transaction activity; Year initially reported: 2010; Status of corrective action: In progress.

16. Revise existing posting configurations to account for liability balances related to compounded postjudgment interest amounts in accordance with SEC policy; Year initially reported: 2012; Status of corrective action: Completed.

17. Augment existing policies and procedures for check collections to include specific required steps for handling amounts remitted to SEC field offices to ensure compliance with the Miscellaneous Receipts Statute and related Treasury regulation; Year initially reported: 2012; Status of corrective action: Completed.

18. 
Revise existing collection procedures to provide for segregating incompatible responsibilities, including prohibiting an individual from both processing and reviewing electronic collections transactions; Year initially reported: 2013; Status of corrective action: Completed. 19. Revise existing procedures for review of disbursements transactions to include specifically required steps for verification of individual disbursements processed by Treasury to ensure that these disbursements were made for the correct amounts and to the correct payees; Year initially reported: 2013; Status of corrective action: Completed. 20. Develop and implement control procedures to include specific steps for the review, classification, and disposition of collections in order to properly apply collections to an SEC accounts receivable or transfer collections to either another entity or to Treasury; Year initially reported: 2013; Status of corrective action: In progress. 21. Revise existing procedures for the monitoring of accounts receivable transactions recorded in the general ledger to specifically require review of all types of accounting entries that could affect the accounts receivable balance, including correcting entries; Year initially reported: 2013; Status of corrective action: In progress. Audit area: Financial reporting: 22. Establish and implement procedures for performing a comprehensive review of all posting configurations and recurring correcting journal entries to identify and address any additional departures from Treasury's prescribed posting models; Year initially reported: 2010; Status of corrective action: In progress. 23. Modify existing policy and procedures to require all employees to report labor hours using preset activity and project codes within the time and attendance system and establish and implement applicable controls to ensure compliance; Year initially reported: 2010; Status of corrective action: Completed. 24. 
Revise and implement procedures over the preparation of the statement of net cost to utilize actual data reported by employees on their biweekly time and attendance reports; Year initially reported: 2010; Status of corrective action: Completed. 25. Document and implement quality assurance procedures over the preparation of the statement of net cost, including a procedure to compare the sum of all allocated costs to the total actual costs of the various organizations to ensure that all such costs are properly and fully allocated; Year initially reported: 2012; Status of corrective action: In progress. 26. Establish a mechanism to ensure that existing supervisory review procedures over manual JV transactions are followed to ensure that all manual JVs are properly prepared and accurately and timely recorded. These procedures could include sending periodic reminders to JV reviewers emphasizing existing procedures and the importance of adhering to them; Year initially reported: 2013; Status of corrective action: In progress. 27. Establish a mechanism to ensure that procedures for reviewing JV's processed by SEC's service provider are followed to ensure that all manual JVs are recorded in the general ledger in accordance with the JV forms approved by SEC management; Year initially reported: 2013; Status of corrective action: Completed. Audit area: Nonpayroll expenses: 28. Develop or update and implement policies and procedures for reconciling any SEC intragovernmental expense and payable amounts reported by GSA to internal SEC data records prior to recording an accrual in SEC's general ledger for financial statement reporting; Year initially reported: 2010; Status of corrective action: Completed. 29. Develop and implement procedures to provide for appropriately documented COTR review of all vendor invoices prior to payment in compliance with SEC regulation; Year initially reported: 2010; Status of corrective action: Completed. 30. 
Revise SEC's procedures for evaluating the ongoing reasonableness of its accounts payable accrual methodology to include steps to ensure that the results of reviews will be projectable to the population and any variances derived from its review, in aggregate, are acceptable for financial reporting purposes; Year initially reported: 2013; Status of corrective action: Completed. 31. Revise the accounts payable accrual methodology to specify required steps for properly considering obligation amounts for capitalized assets; Year initially reported: 2013; Status of corrective action: Completed. Audit area: Payroll: 32. Develop procedures to provide for documented evidence of a certifying official's approval of leave and compensatory time before recording such transactions in the time and attendance system; Year initially reported: 2012; Status of corrective action: In progress. Audit area: Property and equipment: 33. Establish and implement procedures to properly record property and equipment receipt transactions using capitalizable project and budget object class codes within the general ledger system; Year initially reported: 2010; Status of corrective action: In progress. 34. Develop and implement control procedures to review all property and equipment acquisition transactions to ensure that they are properly accounted for in the year-end financial statements; Year initially reported: 2013; Status of corrective action: Completed. 35. Augment current procedures to require considering whether the cumulative effect of all misstatements of property transactions identified in the current year would require revision to prior year or current year financial statements; Year initially reported: 2013; Status of corrective action: Completed. 36. 
Develop and implement control procedures to require the review of underlying invoices and obligation documents at the time of capitalization to ensure that recorded asset acquisition costs represent capitalizable costs; Year initially reported: 2013; Status of corrective action: Completed. 37. Augment SEC's service provider monitoring spreadsheet to include all property and equipment acquisition and disposal transactions from all SEC offices; Year initially reported: 2013; Status of corrective action: Completed. 38. Finalize procedures documenting the required steps to be followed for monitoring the service provider's calculation and recording of property and equipment, depreciation, and related transactions in the general ledger; Year initially reported: 2013; Status of corrective action: Completed. 39. Revise control procedures for conducting the annual physical inventory count of property and equipment to include specific steps required to (a) reconcile capitalized property and equipment to be counted with related general ledger balances, (b) reconcile division and office responses to the items listed in the property and equipment report used for the physical count, and (c) assess and appropriately reflect any financial statement impact of any issues identified during the physical count; Year initially reported: 2013; Status of corrective action: In progress. Audit area: Information security: 40. 
Augment control procedures over SEC's information security to include specific steps for (a) configuring SEC's remote host and network infrastructure devices to require the use of strong passwords; (b) disabling access of all contractors and employees to SEC's networks or financial applications upon separation from SEC; (c) monitoring compliance with information security policies, such as by enabling audit and monitoring of software on servers that support financial applications; and (d) mitigating software vulnerabilities, for example, by requiring installation (or deployment) of high-risk patches, consistent with SEC policy; Year initially reported: 2013; Status of corrective action: In progress. Source: GAO analysis of SEC data. [End of table] [End of section] Enclosure II: Comments from the U.S. Securities and Exchange Commission: United States Securities and Exchange Commission: The Chair: Washington, D.C. 20549: April 30, 2014: Mr. James R. Dalkin: Director: Financial Management and Assurance: United States Government Accountability Office: 441 G Street, N.W. Washington, DC 20548: Dear Mr. Dalkin: Thank you for the opportunity to respond to the draft report entitled Management Report: improvements Needed in SEC's Internal Controls and Accounting Procedures (GAO-14-416R). The report contains a number of helpful recommendations to strengthen the SEC's internal controls over financial reporting. I am extremely pleased that the SEC was able to successfully demonstrate its commitment to strong internal controls, as evidenced by our positive audit results in 2013. am gratified that the agency staff's hard work and dedication over the last several years have succeeded in continually improving our system of internal controls. Enhancing our processes and controls will continue to be a critical focus for the SEC. Your draft report provided helpful recommendations on further enhancements that management should consider with respect to our internal controls. 
We are working to address these recommendations, through efforts such as:

* New procedures for transferring disgorgement and penalty-related funds to Treasury;

* Improved monitoring of disgorgement and penalty-related cases filed in courts;

* Better segregation of duties for recording disgorgement and penalty-related financial data;

* Further safeguards for SEC cash receipts received at its service provider;

* Enhancements to the process for recording property and equipment transactions; and

* Tightened management review of legal contingencies and significant events.

The SEC remains committed to investing the time and resources to maintain strong and sustainable internal controls over financial reporting. I look forward to continuing to work with you in the coming months on the issues described above as we begin the audit for FY 2014.

If you have any questions, please do not hesitate to contact Kenneth A. Johnson, the SEC's Chief Financial Officer, at (202) 551-4306.

Sincerely,

Signed by:

Mary Jo White:
Chair:

[End of section]

Enclosure III: GAO Contact and Staff Acknowledgments:

GAO Contact:

James R. Dalkin, (202) 512-3133 or dalkinj@gao.gov:

Staff Acknowledgments:

In addition to the contact named above, the following individuals made key contributions to this report: Nicole Dow, Meafelia P. Gusukuma, Kristen A. Kociolek (Lead Assistant Director), Bernice Lemaire, and Mary Osorno.

[End of section]

Footnotes:

[1] IPF was established in 2010 to fund the activities of SEC's whistleblower award program and the SEC Office of Inspector General suggestion program for SEC employees. Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 922, 124 Stat. 1376, 1841 (2010) (classified at 15 U.S.C. § 78u-6). IPF is a separate fund reported on in SEC's and IPF's financial statements that is presented as a segment of SEC financial activity. Accordingly, IPF's financial transactions are also included in SEC's financial statements. However, the significant deficiency discussed in our audit report [hyperlink, http://www.gao.gov/products/GAO-14-213R] pertains to SEC's information security but not that of IPF because of the nature of IPF's financial transactions during fiscal year 2013.

[2] GAO, Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Years 2013 and 2012, [hyperlink, http://www.gao.gov/products/GAO-14-213R] (Washington, D.C.: Dec. 16, 2013).

[3] A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. A control deficiency exists when the design or operation of a control does not allow management or employees in the normal course of performing their assigned functions to prevent, or detect and correct, misstatements on a timely basis.

[4] GAO, Information Security: SEC Needs to Improve Controls over Financial Systems and Data, [hyperlink, http://www.gao.gov/products/GAO-14-419] (Washington, D.C.: Apr. 17, 2014).

[5] GAO, Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures, [hyperlink, http://www.gao.gov/products/GAO-13-274R] (Washington, D.C.: Apr. 4, 2013).

[6] A disgorgement is the repayment of illegally gained profits (or avoided losses) for distribution to harmed investors whenever feasible. A penalty is a monetary payment from a violator of securities law that SEC obtains pursuant to statutory authority. A penalty is fundamentally a punitive measure, although penalties occasionally can be used to compensate harmed investors.

[7] [hyperlink, http://www.gao.gov/products/GAO-13-274R].

[8] Office of Management and Budget Circular No. A-123, Management's Responsibility for Internal Control, defines management's responsibility for internal control in federal agencies and establishes requirements for documenting, testing, and making an assessment on the effectiveness of internal controls.

[9] [hyperlink, http://www.gao.gov/products/GAO-14-213R].

[10] The order or judgment specifies if disgorgement and penalty collections are to be distributed to harmed investors.

[11] Judgment account balances are reported in SEC's Disgorgements, Penalty, and Asset Management report. The report provides detailed information by judgment account and a total at the agency level.

[12] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999).

[13] CourtLink is a docket and document research service for tracking civil cases; the service is provided by LexisNexis through an RSS feed. This service provides case information from the initial filing of a case in court and any future case activity in court. CourtLink includes various features used for monitoring court proceedings, such as tracking and alerts. The tracking service allows users to monitor new activity through predefined tracking profiles and receive automatic e-mail notifications.

[14] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1].

[15] Role-based access privileges restrict and track user activities within the system consistent with assigned job responsibilities. For disgorgement and penalties, workflow activities include creation, edit, review, approval, and verification of payment of receivable transactions.

[16] SEC's service providers contract with an independent auditor to perform an audit of controls related to its service operations under Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. SSAE No. 16 provides authoritative guidance for service auditors to report on the design and operating effectiveness of controls at organizations that provide services to user entities, such as SEC, when those controls are likely to be relevant to user entities' internal control over financial reporting. The issuance of a service auditor's report prepared in accordance with SSAE No. 16 signifies that a service organization has had its control objectives and control activities examined by an independent auditing firm. The service auditor's report includes valuable information regarding the service organization's controls and the effectiveness of those controls and also identifies complementary controls that should be implemented by the user entity to ensure that its control objectives are met. AT Section 801, Reporting on Controls at a Service Organization, defines complementary user entity controls as controls that management of the service organization assumes, in the design of the service provided by the service organization, will be implemented by user entities, and that if necessary to achieve the control objectives stated in management's description of the service organization's system, are identified as such in that description.

[17] The FA module is a property and equipment subsidiary ledger that interfaces with the general ledger maintained by SEC's service provider and automatically posts applicable transactions into the general ledger. The FA module provides detailed information on SEC's capitalizable property and equipment, such as a description of the capitalizable asset, its estimated useful life, its cost, the date it was placed into service, and other information, to facilitate, among other things, recording of the capitalizable asset and calculating and recording of the related depreciation expense.
[18] The required documentation is called the FA worksheet, which is a document that in addition to documenting receipt of the asset, includes other essential information for recording the asset in the FA module such as cost, estimated life, and date when the asset was placed into service.

[19] The management schedule reflects management's evaluation of litigation, claims, and assessments that existed at the date of the financial statements being reported on and during the period from the date of the financial statements to the date the information is furnished, including an identification of those matters referred to legal counsel and described in the legal representation letter.

[20] [hyperlink, http://www.gao.gov/products/GAO-13-274R].

[21] GAO, Management Report: Improvements Needed in SEC's Internal Controls and Accounting Procedures, [hyperlink, http://www.gao.gov/products/GAO-13-274R] (Washington, D.C.: Apr. 4, 2013).

[End of section]
To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm];
E-mail: fraudnet@gao.gov;
Automated answering system: (800) 424-5454 or (202) 512-7470.

Congressional Relations:

Katherine Siggerud, Managing Director, siggerudk@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, DC 20548.

Public Affairs:

Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, DC 20548.

[End of document]