Management Report:

Improvements Needed in SEC's Internal Controls and Accounting Procedures

GAO-10-443R: Published: Mar 31, 2010. Publicly Released: Mar 31, 2010.

Additional Materials:

Contact:

James R. Dalkin
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

On November 16, 2009, we issued our opinion on the U.S. Securities and Exchange Commission's (SEC) fiscal years 2009 and 2008 financial statements. We also issued our opinion on the effectiveness of SEC's internal controls over financial reporting as of September 30, 2009, and our evaluation of SEC's compliance with selected provisions of laws and regulations during fiscal year 2009. The purpose of this report is to present (1) our recommendations related to the significant deficiencies we reported and discussed in our opinion report; (2) less significant internal control issues we identified during our fiscal year 2009 audit of SEC's internal controls and accounting procedures, along with our related recommended corrective actions; (3) the status of the recommendations reported as open in our April 2, 2009, management report (see enclosure I), and (4) the status of the security weaknesses in information systems controls at SEC that we identified in public and "Limited Official Use Only" reports issued in 2005, 2007, 2008, and 2009, that were unresolved at the time of our March 16, 2009, information security reports.

As part of our audit of SEC's fiscal years 2009 and 2008 financial statements, we identified a material weakness6 in internal control over financial reporting that resulted from the cumulative effect of significant deficiencies we identified in six key areas of SEC's controls over financial reporting. These significant deficiencies concerned controls over: (1)information security, (2)financial reporting process, (3)fund balance with Treasury, (4)registrant deposits, (5)budgetary resources, and (6)risk assessment and monitoring processes. We discussed these significant deficiencies in detail in our audit opinion on the SEC's fiscal years 2009 and 2008 financial statements. We also identified other internal control issues that although not considered material weaknesses or significant deficiencies, warrant SEC management's consideration. These issues concern: (1)security over sensitive employee information, (2)policies and procedures documents related to or affecting financial reporting, (3)documentation of payroll controls, (4) prior period corrections, (5)preparation of labor surveys, (6)Prompt Payment Act interest payments, (7)excessive user access rights in SEC's time and attendance system, (8)financial statement closing schedule: cutoffs and related activities, (9)documentation of Contracting Officer's Technical Representative's review of contractor invoices prior to SEC payment, and (10)notes to interim financial statements and pro-forma financial reporting. We present a discussion of our findings and related recommendations for each of these less significant control deficiencies following the presentation of our recommendations to address SEC's significant financial reporting deficiencies.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To improveperiod-end financial reporting process controls related to contingent and intragovernmental liabilities, the Chairman should develop and implement policies and procedures to identify, evaluate, and account for contingencies related to any litigation, claims, and assessments against SEC as part of the routine preparation of financial statements in conformity with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have a documented process for identifying, evaluating, and accounting for litigation, claims, and assessments as part of its process for preparing its financial statements, which resulted in inaccurate contingent liabilities disclosures in its financial statements. During our audit, we found that SEC did not disclose contingent liabilities from two cases totaling $9.5 million in its interim financial statements and related footnote at June 30, 2009. Similarly, our review at September 30, 2009, found that SEC's period-end financial reporting process did not detect unrecorded contingent liabilities of about $5 million resulting from the settlement of litigation. While SEC disclosed the settlement of these cases in its legal representation letter, we reported that until SEC implements effective procedures for identifying, evaluating, and accounting for litigation, claims, and assessments, the reliability of SEC's financial statements and related note disclosures may be impaired. In March 2010, we recommended that SEC develop and implement policies and procedures to identify, evaluate, and account for contingencies related to any litigation, claims, and assessments against SEC as part of the routine preparation of financial statements in conformity with generally accepted accounting principles. In response to our recommendation, in fiscal year 2010, SEC developed a new process document to describe SEC's procedure to identify, evaluate, and disclose contingencies in the financial statements. Our review of SEC's disclosures of contingent liabilities during the year ended September 30, 2010, found that these procedures were operating effectively. Further, we did not identify any unreported contingent liabilities during fiscal year 2010. SEC's newly implemented procedures should significantly increase management's assurance over the reliability and completeness of contingent liabilities presented in its financial statements.

    Recommendation: To improveperiod-end financial reporting process controls related to contingent and intragovernmental liabilities, the Chairman should develop or update and implement policies and procedures for reconciling any SEC intragovernmental expense and payable amounts reported by General Services Administration (GSA) to internal SEC data records prior to recording an accrual in SEC's general ledger for financial statement reporting.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To improveperiod-end financial reporting process controls related to contingent and intragovernmental liabilities, the Chairman should develop and implement control and verification procedures to ensure all of SEC's contingency and intragovernmental liability transactions comply with SEC's Accounts Payable Accrual As-Is Process documentation.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: As part of SEC's planned corrective measures to improve period-end Fund Balance with Treasury (FBWT) financial reporting process controls, the Chairman should develop and implement procedures for timely performing, reviewing, and documenting reconciliation of SEC's FBWT accounts with balances reported by Treasury.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC was not performing monthly reconciliations of its Fund Balance with Treasury (FBWT) accounts as required by Treasury guidance. Without the proper and timely reconciliation of its FBWT accounts, SEC is at an increased risk of (1) misstating deposit and disbursement data in SEC's FBWT and related accounts and (2) fraud, violations of appropriations laws, and mismanagement of funds. In March 2010, we recommended that SEC develop and implement procedures for timely performing, reviewing, and documenting reconciliation of SEC's FBWT accounts with balances reported by Treasury. In response to our recommendation, in fiscal year 2010, SEC developed and implemented new policies and procedures for performing, reviewing, and documenting its FBWT reconciliations. Our review of SEC's reconciliations of its FBWT accounts during our fiscal year 2010 audit found that SEC timely performed these reconciliations on a monthly basis throughout the fiscal year. As a result, internal controls over the timely, accurate, and consistent recording of FBWT transactions have been properly documented and the risk that FBWT transactions will not be completely, accurately, and consistently recorded and reported, is significantly reduced.

    Recommendation: As part of SEC's planned corrective measures to improve period-end FBWT financial reporting process controls, the Chairman should develop and implement procedures for timely resolving any identified differences in FBWT activity reported by Treasury and FBWT activity recorded by SEC.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not adequately resolve differences in disbursement records maintained by the Department of Treasury's Financial Management Service as reported on the monthly Statement of Differences. Not researching and resolving differences placed SEC at an increased risk (1) that the accuracy and timeliness of deposit and disbursement data reflected in SEC's Fund Balance with Treasury (FBWT) and related accounts are misstated and (2) of fraud, violations of appropriations laws, and mismanagement of funds. In March 2010, we recommended that SEC develop and implement procedures for timely resolving any identified differences in FBWT activity reported by Treasury and FBWT activity recorded by SEC. We found in FY 2010 that in response to our recommendation, SEC developed and implemented new procedures in May 2010 for (1) identifying, monitoring, and resolving SEC's monthly Statement of Differences and (2) documenting requirements for actions taken to address and correct differences. In addition, SEC's procedures now require that all differences be resolved within 60 days. If fully and effectively implemented, these procedures reduce the risk of management acceptance of unauthorized disbursement transactions and increases the accuracy and timeliness of deposit and disbursement data reflected in the financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve internal control over its registrant deposit account monitoring process and compliance with applicable federal regulations, the Chairman should design and implement controls to ensure registrant filings and deposits are consistently matched timely on an ongoing basis.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: As part of SEC's planned corrective measures to improve internal control over its registrant deposit account monitoring process and compliance with applicable federal regulations, the Chairman should allocate sufficient resources to fully resolve current registrants' deposits liability balances in accordance with SEC policy and with federal regulations.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: As part of SEC's planned corrective measures to improve internal control over its registrant deposit account monitoring process and compliance with applicable federal regulations, the Chairman should develop and implement procedures to include the use of periodic (i.e., weekly or monthly) system generated reports to facilitate oversight of registrant deposits accounts, such as developing and using exception reports of registrant account activity.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: As part of SEC's planned corrective measures to strengthen internal control over the management of its budgetary resources, the Chairman should strengthen existing control procedures for recording miscellaneous purchase order documents by requiring an approved purchase requisition before certifying fund availability.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should establish and implement procedures for performing a comprehensive review of all posting configurations and recurring correcting journal entries to identify and address any additional departures from Treasury's prescribed posting models.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should establish and implement procedures to properly record property and equipment receipt transactions using capitalizable project and budget object class codes within the general ledger system.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: In addition to completing actions to address the 22 outstanding previously reported automated system security-related weaknesses, and as part of SEC's planned corrective measures to improve automated information system security controls, the Chairman should reevaluate existing automated information system security controls in light of the risks identified in SEC's October 2009 certification and accreditation procedures for the general ledger system and supporting processes.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: During our fiscal year 2009 audit, we found weaknesses in the Securities and Exchange Commission's (SEC) information security controls over key financial reporting systems which jeopardized the confidentiality, availability, and integrity of automated information processed by SEC's financial reporting systems and increased the risk of material misstatement in the financial statements. Subsequent to fiscal year end, in October 2009, SEC completed the certification and accreditation (C&A) procedures for its general ledger system and supporting processes, and identified similar risks associated with its financial reporting processes. In March 2010, we recommended that SEC reevaluate existing automated information system security controls in light of the risks identified in SEC's October 2009 certification and accreditation procedure for the general ledger system and supporting processes. In response to our recommendation, we found in fiscal year 2010, that SEC conducted a thorough review of vulnerabilities identified during the 2009 C&A process, as well as vulnerabilities identified during subsequent C&As, reevaluated risk levels for vulnerabilities, and implemented mitigating controls. As a result of these actions, SEC should be better able to identify and address weaknesses in information security controls which present the greatest risk to the confidentiality, availability, and integrity of information.

    Recommendation: In addition to completing actions to address the 22 outstanding previously reported automated system security-related weaknesses, and as part of SEC's planned corrective measures to improve automated information system security controls, the Chairman should establish and implement appropriate controls to mitigate any additional risks that were identified as a result of this reevaluation.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should reconfigure the general ledger system to produce reports necessary to both prepare the financial statements and support managing operations, such as a consolidated trial balance report and undelivered order aging report, respectively, on an ongoing basis.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should reconfigure the disgorgements and penalty accounts receivable module to enable production of an accounts receivable aging report.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should reconfigure the property and equipment module to enable production of a property register report.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted that the SEC's property module could not generate a property register that supported balances for capitalized cost and accumulated depreciation associated with property and equipment balances reported on the financial statements in compliance with Office of Management and Budget (OMB) Circular No. A-127, Financial Management Systems. A-127 provides that agency financial management systems are to provide financial information in a timely and useful fashion to comply with internal and external reporting requirements, including financial statements prepared in accordance with OMB and Treasury reporting requirements. As a result, management executed manual queries of property data to extract cost, accumulated depreciation, and other pertinent information to generate a property register that could be reconciled to financial statement account balances. In April 2009, we recommended that SEC reconfigure the property and equipment module to enable production of a property register report. In response to our recommendation, SEC developed and implemented new procedures in fiscal year 2010 to produce a property register from its property and equipment module. Our review of SEC's property register as of September 30, 2010, did not identify significant differences between the property register and general ledger balances reported in the financial statements for capitalized cost and accumulated depreciation. As a result of these improvements, SEC management has significantly improved its accountability for property and equipments balances reported in the financial statements.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should develop and implement an automated sub-ledger that interfaces with the general ledger for investment and disgorgement and penalty liability transaction activity.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should establish and implement procedures for documenting data reliability checks at the enforcement case level for data extracted from non-integrated subsidiary systems to include appropriate supervisory reviews until SEC is able to establish and implement procedures for fully integrating its detailed investment and disgorgement liability activity into its general ledger.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should develop and implement an automated solution that will eliminate the manual process of reentering disgorgement and penalties data from Phoenix into the general ledger system accounts receivable module.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To improve period-end financial reporting process controls, the Chairman should, in coordination with the Department of the Interior's (DOI) National Business Center (NBC), establish and implement a cost effective procedure for accurately recording student loan payments and employee awards in the general ledger.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should reevaluate the risk assessment and monitoring processes to ensure they consider all key elements of SEC's financial reporting control environment, including information systems and service providers.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should establish and implement procedures for performing and documenting risk assessment and monitoring processes in a timely manner throughout the year, based on the frequency and sensitivity of certain control activities.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: As part of SEC's planned corrective measures to improve controls over the Statement of Net Cost preparation, the Chairman should revise and implement procedures over the preparation of the Statement of Net Cost to utilize actual data reported by employees on their biweekly time and attendance reports.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: As part of SEC's planned corrective measures to improve controls over disbursements transactions, the Chairman should investigate the causes of late payments and any interest penalties incurred and develop and implement any necessary corrective actions.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, our testing of non-payroll disbursements found instances in which SEC did not process invoices for payments in accordance with the time lines designated in the Prompt Payment Act. This resulted in SEC incurring Prompt Pay interest costs that could have been avoided. In March 2011, we reaffirmed our prior recommendation that SEC investigate the causes of late payments and develop and implement any necessary corrective action. In response to our recommendation, during fiscal year 2011, SEC's Office of Financial Management (OFM) implemented a workflow process for invoices. One purpose of this workflow process was to reduce the processing delays by automating the invoice review and approval process, and thus reduce occurrences of having to pay prompt pay interest. After implementation of the new process, we noted an improving trend on the timely processing of payments. For example, in the first quarter of 2011, SEC incurred Prompt Pay interest costs for approximately 50% of the invoices it processed. While in the fourth quarter of 2011, SEC incurred Prompt Pay interest costs for approximately 5% of the invoices it processed. Given the improving trend, we conclude that SEC's corrective actions have improved the timeliness of its processing and reduced late payments and prompt pay interest penalties and thereby reduced the risk of non-compliance with the Prompt Payment Act.

    Recommendation: As part of SEC's planned corrective measures to improve access control within the time and attendance system, the Chairman should develop and implement controls over access rights in the time and attendance system to prevent or timely correct any excessive access in the system.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted a lack of controls over SEC's monitoring of access rights to its time and attendance system. These controls are designed to prevent or timely correct any excessive access in the system. Because SEC lacked such controls, our review of user rights within the time and attendance system identified instances in which individuals were assigned levels of access that were excessive relative to their job functions. For example, we identified one user who was assigned the incompatible roles of administrator, certifier, and timekeeper within the system. This broad level of access in the time and attendance system was unnecessary given that the user's job was to extract payroll and time sheet data for use in other financial reporting activities. In March 2010, we recommended that SEC develop and implement controls over access rights in the time and attendance system to prevent or timely correct any excessive access in the system. In response to our recommendation, during fiscal year 2011, SEC's Office of Human Resources formally issued and implemented its Time and Attendance process, SEC Regulation at SECR 6-2. Section L of SEC Regulation SECR 6-2 describes the required process to review the propriety of access rights assigned in Quick time "to minimize risk of mistake and abuse". As a result of these actions, SEC management has significantly improved its control over access rights to its time and attendance system and reduced the risk that possible inadvertent or deliberate misuse, fraudulent use, or improper disclosure of payroll data may occur and not be detected.

    Recommendation: As part of SEC's planned corrective measures to improve period-end financial reporting closing process, the Chairmand should develop and implement a standardized financial statement closing schedule with cutoff dates for key month-end accounting transactions that should be completed prior to the closing of an accounting period.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: As part of SEC's planned corrective measures to improve period-end financial reporting closing process, the Chairmand should develop and implement control procedures to ensure prior period accrual accounting entries are reversed in the following accounting period and current period accrual accounting entries are recorded prior to the accounting period closing date.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC lacked effective control procedures for accurately recording key month-end accounting transactions prior to the closing of an accounting period and preparation of the financial statements and footnotes. Specifically, we found that several closing journal vouchers prepared as part of the November 2008 monthly closing process were not posted to the general ledger. In addition, several accrual transactions improperly recorded in one period were not appropriately reversed in the succeeding period. As a result of these errors, SEC was unable to accurately prepare its interim financial statements for the first 2 months of fiscal year 2009. In March 2010, we recommended that SEC develop and implement control procedures to ensure accrual accounting entries are reversed in the following accounting period and current period accrual accounting entries are recorded prior to the accounting period closing date. In response to our recommendation, SEC developed and implemented in fiscal year 2010 a new procedure as part of its monthly closing process which requires a Senior Accountant within the Financial Reporting and Policy Branch to perform an analysis to ensure that all prior period accrual accounting entries are reversed and current period accrual accounting entries are recorded. We did not find unreversed prior period accruals in our testing of journal vouchers in the financial reporting audit cycle in fiscal year 2010. As a result of this added control, SEC has significantly improved management's assurance over the accuracy of the interim financial statements.

    Recommendation: As part of SEC's planned corrective measures to improve period-end financial reporting closing process, the Chairmand should develop and implement policies and procedures to ensure that only designated senior staff and management (such as branch chief level and above) have the authority to reopen previous accounting periods. Such procedures should provide for (a) documenting the required protocols to follow for requesting to reopen a closed accounting period and approval of such request, (b) specifying required documentation for situations that caused a closed accounting period to be reopened, and (c) as applicable, documenting any corrective actions that were taken to preclude such circumstances from reoccurring.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have a policy regarding the formal assignment of authority and responsibility for the reopening of closed accounting periods in Momentum, its general ledger system. During our audit, we found that, while not explicitly authorized, staff accountants from two disparate branches routinely performed this task. As a result of not clearly delineating what level staff should have the authority and responsibility for reopening closed accounting periods, SEC's financial statements were at risk of misstatement. In March 2010, we recommended that SEC develop and implement policies and procedures to ensure that only designated senior staff and management (such as branch chief level and above) have the authority to reopen closed accounting periods. We recommended that such procedures should also provide for (1) documenting the required protocols to follow for requesting to reopen a closed accounting period and approval of such request, (2) specifying required documentation for situations that caused a closed accounting period to be reopened, and (3) as applicable, documenting any corrective actions that were taken to preclude such circumstances from reoccurring. In response to our recommendation, in fiscal year 2010, SEC developed and implemented policies and procedures regarding the reopening of a closed accounting period in its general ledger system, Momentum. Under these procedures, SEC designated senior personnel who may approve the reopening of a closed accounting period and the protocols that must be followed to reopen a closed accounting period. These controls, if fully and effectively implemented, should better ensure that only those with delineated responsibilities can open closed accounting periods in SEC's general ledger system and thereby better ensure timely and accurate preparation of its financial statements.

    Recommendation: To improve internal control over vendor invoice payments, the Chairman should develop and implement procedures to provide for appropriately documented COTR review of all vendor invoices prior to payment in compliance with SEC regulation.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To improve internal control over vendor invoice payments, the Chairman should establish and implement procedures to provide periodic training to Contracting Officer's Technical Representatives(COTR)and project managers regarding their responsibilities for reviewing and approving invoices.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Not Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To improve internal control over its financial statement preparation process, the Chairman should develop and implement a process for reliably preparing accurate pro forma financial statements and updating the notes that accompany financial statements prior to yearend, preferably with the third quarter reporting.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: As part of SEC's planned corrective measures to improve controls over the Statement of Net Cost preparation, the Chairman should modify existing policy and procedures to require all employees to report labor hours using preset activity and project codes within the time and attendance system and establish and implement applicable controls to ensure compliance.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: As part of SEC's planned corrective measures to improve controls over the Statement of Net Cost preparation, the Chairman should update the time and attendance system to establish preset active activity and project codes for all activities used by SEC in its process for allocating gross costs to program costs by the strategic goals presented in its Statement of Net Cost.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In fiscal year 2008, the Securities and Exchange Commission (SEC) implemented an automated time and attendance system to, among other things, enhance the level of data collected and used to allocate program costs by the strategic goals presented on the Statement of Net Cost. Specifically, the time and attendance system allowed employees to record work hours to preset activity codes on their biweekly time and attendance report. However, during our fiscal year 2009 audit, we found that SEC's preset activity and project coding had not been fully updated in the time and attendance system. As such, management relied on quarterly data calls (labor surveys) to allocate labor costs to the four strategic goals presented in SEC's Statement of Net Cost. Based on our review of SEC's labor survey process, we found that the accumulation of cost data was inherently subjective and that the procedures used to compile such information varied greatly from one unit to another. In March 2010, we recommended that SEC update the time and attendance system to establish fully updated preset activity and project codes for all activities used by SEC in its process for allocating gross costs to program costs by the strategic goals presented in its Statement of Net Cost. In response to our recommendation, we found in FY 2010 that SEC updated the preset activity and project codes in its time and attendance system which facilitated employees' accurately reporting of time worked by strategic goals. These actions should better assure employee reported hours are more appropriately aligned to the program goals presented on SEC's Statement of Net Cost and the accuracy of cost data presented on SEC's Statement of Net Cost is significantly improved.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should, as part of the risk assessment process, document the evaluation of the design effectiveness of key controls.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that the SEC internal risk assessment and monitoring process did not include documentation supporting management's evaluation of the design effectiveness of the key controls. Office of Management and Budget (OMB) Circular No. A-123 provides that a control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. The evaluation of the design effectiveness of key controls is an essential part of the risk assessment process and the only way management may identify whether controls necessary to meet control objectives are missing or whether existing controls, if operating as designed, meet the intended control objectives. Failure to assess whether key controls are meeting the control objectives could result in management not identifying the need for additional controls where gaps exist. In March 2010, we recommended that SEC document the evaluation of the design effectiveness of key controls as part of the risk assessment process. In response to our recommendation SEC enhanced its procedures during its fiscal year 2010 internal risk assessment to include use of risk and control matrices as a tool to link identified risks to key controls which address that risk. Our 2010 review of the risk and control matrices prepared for each of the accounting cycles found that each included management's evaluation of the design effectiveness of key controls. As a result of these improvements to its risk assessment and monitoring process, SEC should be able to better assure internal control activities are designed to achieve control objectives.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should establish procedures to comprehensively identify and assess risk related to SEC's payroll-related control activities, including risk associated with user controls identified by its payroll service provider in SAS 70 reports.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC lacked procedures to comprehensively identify and assess risk related to SEC's payroll-related control activities, including risk associated with user controls identified by its payroll service provider in Statement on Auditing Standards (SAS) 70 reports. Based on our review of SEC's risk assessment of internal controls over financial reporting, we found that management did not develop an understanding of its complete financial reporting control environment sufficient to identify all relevant risks and effectively plan and test controls. For example, a significant portion of SEC's payroll processing relies on the Department of the Interior's National Business Center (NBC), a payroll service provider. As such, SEC places significant reliance on reports generated by NBC to determine whether its payroll disbursements were complete, valid, accurate, and timely. Specifically, in processing payroll disbursements, SEC management relies on exception reports generated by NBC as a basis for adjusting internal payroll records. Despite such reliance, management's risk assessment of payroll controls did not initially consider SEC's internal control environment related to NBC's processing of its payroll. The service provider's SAS 70 report, related to its payroll servicing operations listed user controls that should be in place at SEC, as a user organization, in order for SEC to rely on the specified internal controls at NBC. As a result of weaknesses in SEC's risk assessment and control oversight monitoring process, SEC did not consider the complete financial reporting control environment for the areas evaluated and management did not identify all risks, effectively implement monitoring controls in high-risk areas, or test many of the key controls that drive operations. Moreover, SEC did not document its evaluation of the design of the key controls that were identified as part of the risk assessment process. In March 2010, we recommended that SEC establish procedures to comprehensively identify and assess risk related to SEC's payroll-related control activities, including risk associated with user controls identified by its payroll service provider in SAS 70 reports. In response to our recommendation, during fiscal year 2011, SEC management established and implemented a formal process to review the payroll service provider's SAS 70 report. In October 2011, SEC management issued a formal report of its review of the SAS 70 report and evaluated SEC's key controls in the context of that report. As a result of these actions, SEC management has significantly reduced the risk that management will not properly consider their complete financial reporting control environment for payroll-related control activities.

    Recommendation: As part of SEC's planned corrective measures to improve risk assessment and monitoring process controls, the Chairman should enhance risk assessment and mitigation control procedures to include maintaining a list of any internally identified control breakdowns that occur during the year, documenting an evaluation of financial reporting impact as a result of any such control breakdown, and any corrective actions taken.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: As part of SEC's planned corrective measures to reduce the availability of personally identifiable information, the Chairman should review current usage of social security numbers as a personal identifier for federal employees in agency systems and programs and establish and implement alternative procedures to eliminate any such usage.

    Agency Affected: United States Securities and Exchange Commission

    Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: As part of SEC's planned corrective measures to improve financial reporting process controls, the Chairman should finalize the policies and procedures for the procurement and purchases and Section 31 revenue processing to include incorporating any changes needed to resolve all recommendations or deficiencies identified during the development of these draft documents.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that some of SEC's policies and procedures for several financial reporting processes were still in draft form or contained incomplete, incorrect, or outdated information. Specifically, we found that SEC's procurement and purchases process and Section 31 fees process documents contained multiple recommendations for internal process improvements that were not acted upon or reviewed by appropriate departments. This was the result of these process documents being in draft form and not finalized as of the time of our audit. We reported that SEC's incomplete, incorrect, and outdated policies and procedures hindered management's ability to identify the key risks and corresponding controls over financial reporting in all of its key business processes. In addition, without formal finalized documented policies and procedures, staff may not consistently implement control activities as designed. In March 2010, we recommended that SEC finalize the policies and procedures for the procurement and purchases processing and Section 31 fees processing to include incorporating any changes needed to resolve all recommendations or deficiencies identified during the development of these draft documents. In response to our recommendation, during fiscal year 2011, SEC's Office of Financial Management (OFM) finalized several policies and procedures chapters for its OFM Reference Guide. Three of those chapters addressed SEC's procurement and purchases processes including procurement vendor maintenance, its unliquidated obligations review process, and its process for miscellaneous obligating documents process. Another chapter addressed standard operating procedures for computing, billing, and recording Section 31 fees. As a result of finalizing these chapters, SEC management has significantly improved its policies and procedures over its procurement and purchases processes to help ensure consistent implementation of control activities as designed.

    Recommendation: As part of SEC's planned corrective measures to improve financial reporting process controls, the Chairman should revise the Standard Voucher (SV) Creation and Modification process document to clearly define (1)the purpose and use of SV transactions; (2)the process for entering SV transactions into the general ledger system, including the performance and documentation of supervisory review; and (3) monitoring procedures to ensure that SV transactions post to the general ledger system as intended.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's Standard Voucher (SV) Creation and Modification Standard Operating Procedure did not discuss the definition and purpose of using SVs. That is, SVs were used to record both original transactions and to correct recurring errors. In addition, SEC's procedures did not provide steps to follow to properly create, review, and approve SV transactions. We found that several SV transactions in the general ledger system were not completed (i.e. pending approval or held) for up to 6 months. Because of SEC's lack of documented procedures concerning how to monitor and resolve SV entries it was unclear how long these transactions would have remained in SEC's financial system in an incomplete status. In March 2010, we recommended that SEC revise procedures to clearly define the purpose and use of SV transactions; the process for entering SV transactions into the general ledger system, including the performance and documentation of supervisory review; and monitoring procedures to ensure that SV transactions post to the general ledger system as intended. We found in FY 2010 that in response to our recommendation, the SEC developed procedures addressing (1) the purpose and use of SV transactions; (2) the process for entering SV transactions into the general ledger, including the performance and documentation of supervisory review; and (3) monitoring procedures to ensure that SV transactions post to the general ledger system as intended. With these control enhancements SEC mitigated the risk that SV transactions will not be completely, accurately, and consistently recorded in the general ledger and that related SV financial statement balances will be misstated.

    Recommendation: As part of SEC's planned corrective measures to improve financial reporting process controls, the Chairman should establish and implement procedures to monitor and update policy and procedure documents in a timely manner to ensure key risks and corresponding controls are documented for each key process.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: As part of SEC's planned corrective measures to improve internal controls over payroll transactions, the Chairman should develop and implement written procedures that (a) standardize required documentation related to resolution of NBC's biweekly payroll exception reports and (b) extend the retention period for supporting documentation long enough to facilitate internal and external audit or review, such as a period of 18 months after payment.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we noted that SEC lacked written procedures to standardize its resolution of biweekly payroll exception reports and to retain those reports to facilitate internal and external audit or review. During our audit, we noted that SEC did not consistently document evidence of payroll-related internal control procedures. Specifically, we noted that SEC did not have documentation supporting the Office of Human Resources' (OHR) resolution of biweekly payroll exception reports. Although OHR provided evidence of resolution on the exception reports, we found that documentation of such resolution was unavailable for 11 of the 17 pay periods that we reviewed. Specifically, OHR was unable to provide clear documented evidence for the resolution of 10 exception reports we reviewed and could not produce the report for one pay period because under existing SEC practices, exception reports were generally not retained for greater than 6 months. Consequently, SEC management's lack of a documented policy and procedure to retain reports for the entire period under audit and consistently provide evidence for resolution of exceptions raised uncertainty as to whether key personnel actions that affect staff employment and salaries had been accomplished accurately and timely. In March 2010, we recommended that SEC develop and implement written procedures that (a) standardize required documentation related to resolution of biweekly payroll exception reports and (b) extend the retention period for supporting documentation to facilitate internal and external audit or review, such as a period of 18 months after payment. In response to our recommendation, during fiscal year 2011, SEC's Office of Human Resources formally issued and implemented its Time and Attendance process, SEC Regulation at SECR 6-2. Section J of SECR 6-2 describes the required process for review of the biweekly payroll reports, including a process to document resolution of exception reports. Section F and Section 5 of SECR 6-2 addressed the formal retention of payroll documentation. As a result of these actions, SEC management has significantly improved procedures to standardize its resolution and retention of biweekly payroll exception reports and reduced the risk that personnel actions will not be processed accurately or timely.

    Recommendation: As part of SEC's planned corrective measures to improve period-end financial reporting process controls, the Chairman should develop and implement procedures to provide for a review of all transactions resulting in prior period corrections, including filing fee revenue and property and equipment transactions, and to quantify the cumulative effect of known and likely prior period corrections in the current fiscal year.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that management did not have a process to evaluate the impact of all prior years corrections on the current and prior year financial statements. Specifically, during our audit we found equipment additions exceeding $1 million that were expensed and placed into service in fiscal year 2008, but capitalized in fiscal year 2009; software placed in production in December 2007, but not recorded as placed in service until December 2008; and $3.6 million in filing fee revenue that was earned in prior fiscal years but recorded during the first 9 months of fiscal year 2009. The lack of an effective process for evaluating the cumulative effect of prior period corrections increases the risk of misstated SEC financial statements. In March 2010, we recommended that SEC develop and implement procedures to provide for a review of all transactions resulting in prior period corrections, including filing fee revenue and property and equipment transactions, and to quantify the cumulative effect of known and likely prior period corrections in the current fiscal year. In response to our recommendation, in fiscal year 2010, SEC developed and implemented procedures establishing a process for (1) recording corrections affecting prior years and evaluating whether the misstatement is material, individually and in aggregate and (2) restating applicable prior year financial statements when material errors are discovered. Our review of SEC's tracking of prior period adjustments during the year ended September 30, 2010, found that these procedures were operating effectively and that the procedures address our recommendation. If effectively implemented, these procedures should significantly improve management's awareness of the impact of prior period corrections on the current and prior period financial statements, enhancing SEC's ability to better ensure the reliability of SEC's financial statements.

    Recommendation: To improve internal control over its financial statement preparation process, the Chairman should augment current procedures to provide specific steps for ensuring the consistency of related information reported in the Management's Discussion and Analysis (MD&A) and the financial statements and related notes.

    Agency Affected: United States Securities and Exchange Commission

    Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's Management's Discussion and Analysis (MD&A) included information that was inconsistent with related information in its financial statements and/or related notes. For example, the draft MD&A initially reported disbursements to harmed investors of $2.1 billion, which differed from the approximately $1.1 billion shown in its financial statements. In another example, SEC's draft MD&A showed offsetting collections of $1.016 billion, which differed from the $1.018 billion of such collections presented in its Statement of Budgetary Resources. We concluded that management had not established effective procedures to ensure that information reported in the MD&A was reviewed for consistency with related information reported in the financial statements and related notes, thereby increasing the risk that inaccurate information could be reported in the MD&A and go undetected. In March 2010, we recommended that SEC augment current procedures to provide specific steps for ensuring the consistency of related information reported in the MD&A and the financial statements and related notes. In response to our recommendation, in fiscal year 2010, SEC updated its financial reporting process documents, Notes Methodology and Monthly Close Process, to include procedures for reviewing the consistency of related financial information reported in the financial statements, accompanying financial statement notes, and MD&A. The procedures provide for cross-referencing and consistency checks to be documented in supporting work-papers, better version control of shared documents circulating during the revision process, and supervisory review of financial highlights information reported in the MD&A. Our review of these procedures during the year ended September 30, 2010, found that these procedures were operating effectively at year end. Further, we did not find inconsistencies between the MD&A and related information in the financial statements and notes during our fiscal year 2010 audit. As a result of these added control procedures, SEC has significantly mitigated the risk that inaccurate or inconsistent information will be reported in the MD&A.

    Jul 9, 2014

    Jun 19, 2014

    May 30, 2014

    May 15, 2014

    May 13, 2014

    May 12, 2014

    May 2, 2014

    Mar 27, 2014

    Mar 13, 2014

    Looking for more? Browse all our products here