Internal Control:

Improvements Needed in SEC's Accounting and Financial Reporting Process

GAO-08-461R: Published: Apr 1, 2008. Publicly Released: Apr 1, 2008.

Contact:

Steven J. Sebastian
(202) 512-9471
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

On November 16, 2007, we issued our report on the U.S. Securities and Exchange Commission's (SEC) fiscal years 2007 and 2006 financial statements and on SEC's internal control as of September 30, 2007. We also reported on the results of our tests of SEC's compliance with selected provisions of laws and regulations during fiscal year 2007. The purpose of this report is to present areas of SEC's internal controls identified during our fiscal year 2007 audit that could be improved. This report contains 14 recommendations to SEC to improve these internal controls and procedures. These recommendations are in addition to those we already provided to SEC as a result of our prior audits of SEC's financial statements.

Our November 16, 2007, report concluded that SEC had a material weakness in internal control over its financial reporting process, and therefore did not maintain effective internal control over financial reporting as of September 30, 2007. This weakness is comprised of four significant deficiencies, which taken collectively result in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected. These significant deficiencies concern (1) the period-end financial reporting process, (2) disgorgements and penalties accounts receivable, (3) accounting for transaction fee revenue, and (4) preparing financial statement disclosures. In addition to the material weakness discussed above, we identified three significant deficiencies in internal control, which, although not material weaknesses, represent significant deficiencies in the design or operation of internal control. These significant deficiencies concern (1) information security controls, (2) property and equipment, and (3) accounting for budgetary resources. As of January 2008, SEC had taken actions to fully address 3 of the 23 recommendations that remained open as of January 2007 from our audits of the agency's 2004, 2005, and 2006 financial statements. We also identified one other internal control weakness that, although not considered to be a material weakness or significant deficiency, we believe warrants SEC management's consideration as to whether additional actions are warranted. This issue concerns certification of employees' time cards, documentation of monitoring of time card certification, and approval of personnel actions. In providing written comments on a draft of this report, the SEC Chairman expressed his commitment to remediate the control deficiencies this fiscal year and summarized SEC's corrective action plans to address GAO's recommendations.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To improve its period-end financial reporting process controls, SEC should integrate subsystems that process significant accounting data with the general ledger.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we found SEC's subsidiary systems for property and equipment and for disgorgements and penalties transactions did not share common data elements and common transaction processing with the general ledger system. As a result, SEC made extensive use of desktop applications and workstations to perform intermediary information processing steps necessary to process these transactions in SEC's general ledger. Our review of these applications found that they lacked the information security controls necessary to prevent or recover from any inadvertent data corruption or to permit independent verification of the processing that has taken place, which increases the risk that transactions are not recorded completely, properly, or consistently. Through our testing of property and equipment and disgorgement and penalties transactions, we noted numerous errors resulting from SEC's reliance on non-integrated subsidiary systems. In our April 2008 report, we recommended that SEC integrate subsystems that process significant data with the general ledger, and until subsystems are fully integrated, the SEC should develop and implement documented data reliability checks for data extracted from nonintegrated subsidiary systems, including spreadsheets. In response to our recommendation, SEC upgraded its core accounting system in fiscal year 2008 and deployed two integrated subsidiary modules to account for 1) disgorgement and penalties accounts receivables and 2) property and equipment transactions. In addition to these system enhancements, SEC developed and implemented weekly, monthly and quarterly reconciliations of data maintained in its case management, accounts receivable module, and general ledger systems. 
    These system enhancements, substantially completed in fiscal year 2009, significantly improved the reliability of disgorgement and penalties accounts receivable and property and equipment transaction data.

    Recommendation: To improve its period-end financial reporting process controls, SEC should, until subsystems are fully integrated, develop and implement documented data reliability checks for data extracted from nonintegrated subsidiary systems, including spreadsheets. These data reliability checks should include supervisory review.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we found SEC's subsidiary systems for property and equipment and for disgorgements and penalties transactions did not share common data elements and common transaction processing with the general ledger system. As a result, SEC made extensive use of desktop applications and workstations to perform intermediary information processing steps necessary to process these transactions in SEC's general ledger. Our review of these applications found that they lacked the information security controls necessary to prevent or recover from any inadvertent data corruption or to permit independent verification of the processing that has taken place, which increases the risk that transactions are not recorded completely, properly, or consistently. Through our testing of property and equipment and disgorgement and penalties transactions, we noted numerous errors resulting from SEC's reliance on non-integrated subsidiary systems. In our April 2008 report, we recommended that SEC integrate subsystems that process significant data with the general ledger, and until subsystems are fully integrated, the SEC should develop and implement documented data reliability checks for data extracted from nonintegrated subsidiary systems, including spreadsheets. In response to our recommendation, SEC upgraded its core accounting system in fiscal year 2008 and deployed two integrated subsidiary modules to account for 1) disgorgement and penalties accounts receivables and 2) property and equipment transactions. In addition to these system enhancements, SEC developed and implemented weekly, monthly and quarterly reconciliations of data maintained in its case management, accounts receivable module, and general ledger systems. 
    These system enhancements, substantially completed in fiscal year 2009, significantly improved the reliability of disgorgement and penalties accounts receivable and property and equipment transaction data.

    Recommendation: To improve its period-end financial reporting process controls, SEC should prepare written procedures which describe explicitly the steps required to accomplish and document each significant activity in the general ledger closing process and in the generation of the financial statements, including related disclosures.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have detailed written documentation of its methodologies and procedures for the general ledger closing process or generation of the financial statements, increasing the risk of inconsistency, improper reporting, and disruptions resulting from staff turnover. In our April 2008 report to SEC management concerning this weakness, we recommended that SEC prepare written procedures detailing the specific steps required to accomplish and document all significant activities in the general ledger closing process and in the generation of the financial statements, including related disclosures. In response to our recommendation, during fiscal year 2008 SEC issued procedures detailing the specific steps and documentation related to the closing process and generation of financial statements. These procedures, if fully and effectively implemented, should significantly improve its internal control over the period-end financial reporting processes.

    Recommendation: To improve its disgorgement and penalties accounts receivable controls, SEC should develop and implement controls over the calculation of disgorgement and penalties accounts receivable, including the reliability of data downloaded from Phoenix and the accuracy of spreadsheet cell formulas and related methodologies.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: As part of its enforcement responsibilities, the Securities and Exchange Commission (SEC) orders and administers judgments ordering, among other things, disgorgement and civil monetary penalties against violators of federal securities laws. At September 30, 2007, the gross amount of disgorgements and penalties accounts receivable was $330 million. In our fiscal year 2007 audit of the SEC's financial statements, we found that manual controls, intended to compensate for the lack of an integrated accounting system for disgorgements and penalties, were not effective at ensuring the accuracy of data and spreadsheet formulas used to calculate balance totals. As a result, SEC's accounts receivable for disgorgement and penalty balances at both interim and year-end contained overstatements. In our April 2008 report, we recommended that SEC develop and implement controls over the calculation of disgorgement and penalties accounts receivable, including the reliability of data downloaded from its Phoenix database - which maintains financial data pertaining to disgorgement and penalties - and the accuracy of spreadsheet cell formulas and related methodologies. In response to our recommendation, in fiscal year 2009, the SEC implemented a subsidiary ledger within its core accounting system, Momentum, which eliminated the necessity for manual calculations of receivable balances. In addition, weekly, monthly, and quarterly reconciliations were established to assure the consistency of data maintained in the two systems. These system enhancements and reconciliation procedures significantly improved internal control over SEC's accounting for its disgorgement and penalty accounts receivable balances.

    Recommendation: To improve its accounting for transaction fee revenue controls, SEC should establish and implement detailed written procedures for recording transaction fee revenue and the related receivable, including procedures for recognizing data received after the balance sheet date but prior to issuance of the financial statements.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have written procedures to ensure that its estimates of amounts receivable for fees payable by self-regulatory organizations (SRO) for stock transactions were adjusted to reflect the actual volume of transactions occurring during the month of September as a routine part of its year-end financial reporting process. Specifically, SEC did not adjust its amount receivable to reflect actual transaction volume for the month of September which was reported by the SROs in October, after the balance sheet date but prior to the issuance of the financial statements. As a result, SEC's estimated receivable amount at September 30, 2007 of $100.6 million was not properly adjusted to reflect the $74.4 million of actual transactions reported by the SROs in mid-October. In our April 2008 report to SEC management concerning this weakness, we recommended that SEC establish and implement detailed written procedures for recording transaction fee revenue and the related receivable, including procedures for recognizing data received after the balance sheet date but prior to issuance of the financial statements. In response to our recommendation, during fiscal year 2008 SEC implemented detailed procedures specifying documentation requirements for recording transaction fee revenue and the related receivable and incorporated a procedure for adjusting the Section 31 Fee Receivable Balance into its year end closing schedule. If fully and effectively implemented, these new procedures should enable SEC to significantly improve its process for reporting and accounting for transaction fee revenue.

    Recommendation: To improve its financial statement disclosure preparation controls, SEC should establish and implement detailed written procedures for the preparation and review of the financial statement disclosures, including the comparison of financial statement disclosure amounts to related information presented in the current and previous year financial statements and Management's Discussion and Analysis.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified numerous errors in SEC's year-end draft financial statement footnote disclosures, including misstated amounts, improper breakout of line items, and amounts incorrectly brought forward as beginning balances. We also found SEC did not have a documented timeline and process for completing the fiscal year 2007 financial statements and disclosures, including provisions for review of the disclosures. The lack of such an established process prevented SEC finance staff from scheduling sufficient time to carry out thorough and complete reviews of the disclosures and still meet the reporting deadline. In our April 2008 report to SEC management concerning this weakness, we recommended that SEC establish and implement detailed written procedures for the preparation and review of the financial statement disclosures, including the comparison of disclosure amounts to the related information presented in the financial statements and Management's Discussion and Analysis. In response to our recommendation, during fiscal year 2008 SEC established and implemented documented procedures for the preparation of financial statement footnotes. If fully and effectively implemented, these new procedures should enable SEC to significantly improve financial reporting controls over its process for preparing financial statement footnotes.

    Recommendation: To improve its property and equipment controls, in addition to GAO's previous recommendations in this area, SEC should establish and implement controls over invoiced property costs and dates to ensure that property and equipment acquisitions are accurately recorded in the relevant subsidiary ledgers for personal property, leasehold improvement, and software.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted numerous instances of inaccuracies in recorded acquisition dates and costs for property and equipment purchases, as well as errors in amounts capitalized for internal-use software projects thereby misstating SEC's property, plant, and equipment line item and current year expenses. Contributing to these errors was SEC's lack of an integrated subsidiary ledger and formalized processes for comparing quantity and type of items received against the corresponding purchase orders. In our April 2008 report, we recommended that SEC establish and implement controls over invoiced property costs and dates to ensure that property and equipment acquisitions are accurately recorded in the relevant subsidiary ledgers for personal property, leasehold improvement, and software. In response to our recommendation, SEC upgraded its core accounting system in fiscal year 2008 and deployed an integrated subsidiary module to account for property and equipment transactions. Under this new process, substantially completed in fiscal year 2009, the capitalization amounts are automatically populated into the general ledger using the original purchase order, thereby eliminating clerical errors. These system enhancements significantly improved the accuracy of recording and reporting property and equipment transaction data thereby increasing the reliability of related balances presented on its financial statements.

    Recommendation: To improve its property and equipment controls, in addition to GAO's previous recommendations in this area, SEC should establish and implement controls to ensure proper calculation of depreciation and amortization of additions to existing items over the remaining useful lives of the associated items.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified formula errors in SEC's spreadsheet used to calculate depreciation and amortization related to property acquisitions or improvements. In our April 2008 report to SEC management concerning this weakness, we recommended that SEC establish and implement controls to ensure proper calculation of depreciation and amortization of property additions. In July 2008, in response to our recommendation, and as part of the new integrated property and equipment subsidiary ledger, SEC established standard depreciation schedules within its core financial system for the automatic depreciation and amortization of its capitalized assets. Based on our recalculation of accumulated depreciation and amortization of balances at September 30, 2008, we concluded that SEC has established effective controls over such calculations. This automated calculation capability significantly improved property and equipment financial reporting reliability, including controls to assure the accurate calculation of depreciation and amortization of property and equipment additions.

    Recommendation: To improve its budgetary accounting controls, SEC should correct general ledger system configurations to properly account for upward and downward adjustments of prior-years' undelivered orders in accordance with the U.S. Standard General Ledger.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review this recommendation during our FY2012 audit.

    Recommendation: To improve its budgetary accounting controls, SEC should establish and implement controls over obligation-related entries (including original obligations, corrections, and deobligations) to ensure the use of correct U.S. Standard General Ledger accounts and the recording of correct amounts.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted approximately $76 million in general ledger posting errors, including both upward and downward adjustments to prior year undelivered orders. In addition, we noted numerous instances in which SEC recorded original obligations at incorrect amounts in the general ledger. In our April 2008 report, we recommended that SEC establish and implement controls over obligation-related entries (including original obligations, corrections, and deobligations) to ensure the use of correct U.S. Standard General Ledger accounts and the recording of correct amounts. In response to our recommendation, the SEC reviewed the general ledger posting logic in June 2009 and made revisions as necessary. Our subsequent review of SEC's posting logic for budgetary transactions identified no exceptions. As a result of these actions, SEC has enhanced its accounting for budgetary transactions and thereby reduced the risk that the amounts recorded in the general ledger and reported on SEC's Statement of Budgetary Resources are misstated.

    Recommendation: To improve its budgetary accounting controls, SEC should clarify administrative control of funds guidance and document the responsibilities of the staff performing obligation-related activities with regard to recording obligations in accordance with the recording statute.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted that SEC lacked procedures for documenting monitoring of time card certifications and any identified exceptions. Specifically, during our fiscal year 2007 audit, we observed that SEC did not consistently monitor time card certifications and did not document when, or what, they were monitoring with respect to time card certifications or the results of what they found. We concluded that the lack of documentation of these control procedures may delay or prevent SEC management from identifying any breakdown in time card certifications or any instances of employees certifying higher-level officials' time cards on an other than emergency basis. Consistent with GAO's Standards for Internal Control in the Federal Government, internal control should be clearly documented, and the documentation readily available for examination. In April 2008, we recommended that SEC establish and implement procedures for documenting evidence of monitoring of time card certifications to include procedures to document any identified exceptions. In response to our recommendation, during fiscal year 2011, SEC's Office of Human Resources formally issued and implemented its Time and Attendance processes in SEC Regulation 6-2, Sections G, H, I, and O. These new procedures describe processes for timecard certification and reviews of the certifications to ensure that any exceptions are identified. As a result of these improvements, SEC management has reduced the risk that time card certification monitoring control objectives may become ineffective.

    Recommendation: To improve its budgetary accounting controls, SEC should establish and implement controls to ensure that SEC staff adheres to existing policies and procedures to prevent violations of the recording statute.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review this recommendation during our FY2012 audit.

    Recommendation: To improve its payroll controls, in addition to GAO's previous recommendations in this area, SEC should establish and implement procedures for documenting evidence of monitoring of time card certifications and include procedures to document any identified exceptions.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted that SEC lacked procedures for documenting monitoring of time card certifications and any identified exceptions. Specifically, during our fiscal year 2007 audit, we observed that SEC did not consistently monitor time card certifications and did not document when, or what, they were monitoring with respect to time card certifications or the results of what they found. We concluded that the lack of documentation of these control procedures may delay or prevent SEC management from identifying any breakdown in time card certifications or any instances of employees certifying higher-level officials' time cards on an other than emergency basis. Consistent with GAO's Standards for Internal Control in the Federal Government, internal control should be clearly documented, and the documentation readily available for examination. In April 2008, we recommended that SEC establish and implement procedures for documenting evidence of monitoring of time card certifications to include procedures to document any identified exceptions. In response to our recommendation, during fiscal year 2011, SEC's Office of Human Resources formally issued and implemented its Time and Attendance processes in SEC Regulation 6-2, Sections G, H, I, and O. These new procedures describe processes for timecard certification and reviews of the certifications to ensure that any exceptions are identified. As a result of these improvements, SEC management has reduced the risk that time card certification monitoring control objectives may become ineffective.

    Recommendation: To improve its payroll controls, in addition to GAO's previous recommendations in this area, SEC should segregate key responsibilities over the approval of personnel actions so that no one individual approves his own personnel action.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2007 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified an employee who approved a valid personnel action for an increase in his own salary without evidence of additional review from another level of management. In our April 2008 report, we recommended that SEC segregate key responsibilities over the approval of personnel actions so that no one individual approves his own personnel action. In response to our recommendation, SEC's Office of Human Resources (OHR) implemented a personnel action workflow in 2009 to describe the required steps in its process. In addition, OHR assigned an OHR analyst to review the processing of personnel actions of staff with "superuser" rights. Further, OHR issued a directive in 2009 addressing T&A administration matters, including appropriate certification and approval of employees' T&A transactions. As a result, SEC strengthened the overall control environment for personnel action and payroll processing and reduced the risk of fraudulent approval of employee personnel actions.
