Management Report:

Improvements Needed in SEC's Internal Controls and Accounting Procedures

GAO-11-348R: Published: Mar 29, 2011. Publicly Released: Mar 29, 2011.

Additional Materials:

Contact:

James R. Dalkin
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

On November 15, 2010, we issued our opinion on the U. S. Securities and Exchange Commission's (SEC) fiscal years 2010 and 2009 financial statements. We also issued our opinion on the effectiveness of SEC's internal controls over financial reporting as of September 30, 2010, and our evaluation of SEC's compliance with selected provisions of laws and regulations during fiscal year 2010. In that report we identified material weaknesses in SEC's controls. The purpose of this report is to present (1) more detailed information and our recommendations related to the material weaknesses we reported and discussed in our opinion report; (2) less significant internal control issues we identified during our fiscal year 2010 audit of SEC's internal controls and accounting procedures, along with our related recommended corrective actions; (3) summary information on the status of the recommendations reported as open in our March 31, 2010, management report, and (4) the status of the security weaknesses in information systems controls at SEC that we identified in public and "Limited Official Use Only" reports issued in 2005 through 2009, that were unresolved at the time of our March 31, 2010, management report.

As part of our audit of SEC's fiscal years 2010 and 2009 financial statements, we identified two material weaknesses in internal control as of September 30, 2010. These material weaknesses concern SEC's (1) information systems controls and (2) controls over financial reporting and accounting processes. The material weakness we identified over information systems, including continuing deficiencies reported in prior audits, spanned both SEC's general support system and all key SEC financial reporting applications. The material weakness in financial reporting and accounting processes we identified encompassed deficiencies in five areas of SEC's operations and related reporting: (1) financial reporting process, (2) budgetary resources, (3) registrant deposits, (4) disgorgement and penalties, and (5) required supplementary information. These material weaknesses may adversely affect the accuracy and completeness of information used and reported by SEC's management. We are making a total of 30 new recommendations to address these material weaknesses. We also identified other internal control issues that, although not considered material weaknesses or significant control deficiencies, warrant SEC management's consideration. These issues concern: (1) proper and timely approvals of disbursements, (2) review of service providers' auditor reports, and (3) controls over travel transaction documentation. We are making a total of 3 new recommendations related to these less significant control deficiencies. We are also providing summary information on the status of SEC's actions to address the recommendations from our prior audits as of the conclusion of our fiscal year 2010 audit. Specifically, as summarized in enclosure I, by the end of our fiscal year 2010 audit, we found SEC took action to fully address 17 of the 50 recommendations from our prior audits that were open at the time of our March 31, 2010, management report. Lastly, we are providing summary information on the status of SEC's actions to address previously reported information system security weaknesses. Specifically, as of the end of fiscal year 2010, we found SEC took action to address 18 of the 22 security weaknesses in information systems controls that were open at the time of our March 31, 2010, management report. In providing written comments on a draft of this report, the SEC Chairman stated that remediation of the agency's two material weaknesses is a top priority for SEC. The Chairman stated that SEC is taking a number of steps to address the material weaknesses this fiscal year; however, putting SEC's internal controls on a solid footing over the long term primarily requires significant investment in SEC's financial systems. The Chairman also stated that the centerpiece of SEC's remediation strategy is to migrate its core financial system and transaction processing to a Federal Shared Service Provider. SEC also provided technical comments which we incorporated as appropriate. We will evaluate SEC's actions, strategies, and plans as part of our fiscal year 2011 audit.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2011, we reported that SEC did not implement all elements of an entitywide information security program consistent with Federal Information Security Management Act (FISMA) requirements and National Institute of Standards and Technology (NIST) guidance. We recommended that SEC establish a mechanism to ensure current procedures for implementing all elements of an entitywide information security program for General Support System are followed. In fiscal year 2011, we verified that SEC, in response to our recommendation, implemented a continuous vulnerability scanning process and established metrics that were incorporated into the CIO dashboard. As a result, SEC has greater assurance for the integrity of its financial reporting.

    Recommendation: In addition to completing actions that address the outstanding previously reported information system security-related weaknesses, the Chairman of the SEC should direct the Chief Operating Officer (COO) and Chief Information Officer (CIO) to establish a mechanism to ensure current procedures for implementing all elements of an entitywide information security program for GSS are followed, consistent with Federal Information Security Management Act (FISMA) requirements and National Institute of Standards and Technology (NIST) guidance.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: In fiscal year 2011, we reported that SEC did not adequately implement all elements of an entitywide information security program for the general support system (GSS) consistent with Federal Information Security Management Act (FISMA) requirements and National Institute of Standards and Technology (NIST) guidance. We recommended that SEC establish a mechanism to ensure current procedures to ensure timely follow up on outstanding GSS POA&M items are followed, consistent with SEC policy. In fiscal year 2011, we verified that SEC, in response to our recommendation, reviewed POA&M items weekly at a meeting of all senior OIT staff. SEC tracked POA&M items using a web-based tool. In fiscal year 2011, we also verified that SEC, in response to our recommendation, implemented a continuous vulnerability scanning process and established metrics that were incorporated into the CIO dashboard. As a result, SEC has greater assurance for the integrity of its financial reporting.

    Recommendation: In addition to completing actions that address the outstanding previously reported information system security-related weaknesses, the Chairman of the SEC should direct the COO and CIO to establish a mechanism to ensure current procedures to ensure timely follow up on outstanding general support system (GSS) Plan of Action and Milestones (POA&M) items are followed, consistent with SEC policy.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: In fiscal year 2011, we reported that SEC did not adequately monitor system security audit logs. We recommended that SEC establish a mechanism to ensure current procedures for audit logging and audit log monitoring activities are followed for all financial systems. In fiscal year 2011, we verified that SEC, in response to our recommendation, established logging and auditing activities for financial applications and developed a procedure for database audits. As a result, SEC has greater assurance for the integrity of its financial reporting.

    Recommendation: In addition to completing actions that address the outstanding previously reported information system security-related weaknesses, the Chairman of the SEC should direct the COO and CIO to establish a mechanism to ensure current procedures for audit logging and audit log monitoring activities are followed for all financial systems.

    Agency Affected: United States Securities and Exchange Commission

  4. Status: Closed - Implemented

    Comments: In fiscal year 2011, we reported that SEC did not always adequately segregate computer-related duties and functions. We recommended that SEC establish a mechanism to ensure current procedures to periodically review the information system access and roles of all SEC personnel for suitability and compliance with authorized security forms are followed, consistent with SEC policy. In fiscal year 2011, we verified that SEC, in response to our recommendation, established procedures for segregation of duties process and validated the process through the user account management validation. As a result, SEC has greater assurance that personnel with inappropriate access to accounts unrelated to their duties and job requirements could not jeopardize data integrity.

    Recommendation: The Chairman of the SEC should direct the COO and CIO to establish a mechanism to ensure current procedures to periodically review the information system access and roles of all SEC personnel for suitability and compliance with authorized security forms are followed, consistent with SEC policy.

    Agency Affected: United States Securities and Exchange Commission

  5. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not perform a required business impact analysis (BIA) for the general support system (GSS). The BIA is an essential component of the SEC business continuity management program. The BIA links specific system components with the critical services they provide, identifying the consequences that disrupting of the system's availability would have on the SEC mission. In fiscal year 2011, we verified that SEC, in response to our recommendation, documented recovery time objectives for its applications. The GSS supports the recovery time objective for each of the applications in SEC's network.

    Recommendation: The Chairman of the SEC should direct the COO and CIO to perform and document a business impact analysis (BIA) for the GSS in accordance with SEC policy.

    Agency Affected: United States Securities and Exchange Commission

  6. Status: Closed - Implemented

    Comments: In fiscal year 2011, we reported that SEC did not conduct a cost analysis relative to the geographic separation of the primary operations center and alternate data center (ADC). We recommended that SEC conduct an analysis of the cost and benefits of relocating the ADC to a different geographical area in comparison with the cost of recreating data if a major disaster compromised data at both operations center and alternate data center. In fiscal year 2011, we verified that SEC, in response to our recommendation, conducted a study that determined the cost and performance degradation with geographically separating data centers. As a result, SEC has greater assurance that its decision with regard to data center location is supported by analysis.

    Recommendation: The Chairman of the SEC should direct the COO and CIO to conduct an analysis of the cost and benefits of relocating the Alternate Data Center (ADC) to a different geographical area in comparison with the cost of recreating data if a major disaster compromised data at both primary Operations Center (OPC) and ADC locations.

    Agency Affected: United States Securities and Exchange Commission

  7. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission's (SEC) procedures to prepare monthly financial statements and trial balance reports used transaction journals extracted from the general ledger (GL), the GL Summary file. In our fiscal year 2010 audit of SEC's financial statements, we found that SEC did not have controls in place to ensure the GL Summary file was complete to rely on for preparing monthly financial reports. For example, we found the version of the GL Summary file used to calculate and prepare manual adjustments was missing over 57,000 records. The lack of controls to reasonably assure the GL Summary file was complete significantly increased the risk of errors in the monthly financial reporting. In March 2011, we recommended that SEC augment policies and procedures to (i) ensure the completeness of the GL Summary file used to prepare monthly trial balance reports, including procedures for identifying and notifying management and key users of any errors or omissions detected in the report; and (ii) require documented approval by SEC management before making the file available to key users to calculate manual adjustments. In response to our recommendation, in fiscal year 2011, SEC established and implemented controls to ensure the completeness of the GL Summary file used by SEC staff to generate monthly and yearend closing entries. Our review of SEC's yearend closing process during our fiscal year 2011 audit found that SEC had procedures in place to ensure accuracy of the GL Summary file including reconciling pre closing trial balance before the file was made available to staff. These added controls significantly reduced the risk that SEC's GL summary file will not be completely, accurately, and consistently recorded and reported.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and Chief Financial Officer (CFO) to augment policies and procedures to ensure the completeness of the "GL Summary file" used to prepare monthly trial balance reports, including procedures for identifying and notifying management and key users of any errors or omissions detected in the report.

    Agency Affected: United States Securities and Exchange Commission

  8. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission's (SEC) procedures to prepare monthly financial statements and trial balance reports used transaction journals extracted from the general ledger (GL), the GL Summary file. In our fiscal year 2010 audit of SEC's financial statements, we found that SEC did not have controls in place to ensure the GL Summary file was complete to rely on for preparing monthly financial reports. For example, we found the version of the GL Summary file used to calculate and prepare manual adjustments was missing over 57,000 records. The lack of controls to reasonably assure the GL Summary file was complete significantly increased the risk of errors in the monthly financial reporting. In March 2011, we recommended that SEC augment policies and procedures to (i) ensure the completeness of the GL Summary file used to prepare monthly trial balance reports, including procedures for identifying and notifying management and key users of any errors or omissions detected in the report; and (ii) require documented approval by SEC management before making the file available to key users to calculate manual adjustments. In response to our recommendation, in fiscal year 2011, SEC established and implemented controls to ensure the completeness of the GL Summary file used by SEC staff to generate monthly and yearend closing entries. Our review of SEC's yearend closing process during our fiscal year 2011 audit found that SEC had procedures in place to ensure accuracy of the GL Summary file including reconciling pre closing trial balance before the file was made available to staff. These added controls significantly reduced the risk that SEC's GL summary file will not be completely, accurately, and consistently recorded and reported.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment existing control procedures over the "GL Summary file" by requiring documented approval by SEC management before making the file available to key users to calculate manual adjustments.

    Agency Affected: United States Securities and Exchange Commission

  9. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that the SEC's procedures over the preparation of its monthly accounts payable accrual entry did not provide for identification of all instances in which goods or services were received and accepted but not yet paid prior to month-end. Consequently, SEC did not accurately and completely capture all of the appropriate accounts payable activity during a month, resulting in an understatement of SEC's monthly accounts payable. According to SEC's accounts payable policy, and in accordance with Statement of Federal Financial Accounting Standards (SFFAS) No. 5, accounts payable accruals should be established when a good or service has been received but not yet paid for. In its June 2010 accrual estimate, SEC's accrual process did not consider nearly $3 million in unpaid invoices for which the related goods or services were received and accepted. In each case, the invoices were entered into the general ledger system for tracking purposes, but were erroneously excluded from the data extracts used to calculate the accounts payable liability. These errors were not identified through SEC's spreadsheet control checks. Further, the resulting understatements were not detected by the supervisory review and approval of the entries that posted to the general ledger. As a result, SEC staff prepared accounts payable entries that did not completely capture appropriate payables on a monthly basis. In March 2011, we recommended that SEC augment procedures over the preparation of the monthly accounts payable accrual entry to provide for identifying all instances in which a good or service was received and accepted but not yet paid prior to month-end. In response to our recommendation, effective March 31, 2011, SEC management issued amended procedures in its Office of Financial Management's Reference Guide Chapter 02-01, Accounts Payable: Accounts Payable Accrual Process. That chapter describes the monthly accrual process to be followed for accounts payable and addressed the essential points of our recommendation that SEC's process needed to identify all instances in which a good or service has been received and accepted but has not yet been paid prior to month-end. Our year-end audit procedures on accounts payable showed that SEC's accrual process captured significant payables as of September 30, 2011. As a result of SEC's revised procedures, if fully and consistently followed, SEC management should have significantly improved assurance of the accuracy and completeness of the accounts payable balances reported in its financial statements.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement procedures over the preparation of the monthly accounts payable accrual calculation and entry to provide assurance that all organization codes are included in the calculation.

    Agency Affected: United States Securities and Exchange Commission

  10. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that the SEC's procedures over the preparation of its monthly accounts payable accrual entry did not provide for identification of all instances in which goods or services were received and accepted but not yet paid prior to month-end. Consequently, SEC did not accurately and completely capture all of the appropriate accounts payable activity during a month, resulting in an understatement of SEC's monthly accounts payable. According to SEC's accounts payable policy, and in accordance with Statement of Federal Financial Accounting Standards (SFFAS) No. 5, an accounts payable accruals should established when a good or service has been received but not yet paid. In its June 2010 accrual estimate, SEC's accrual process did not consider nearly $3 million in unpaid invoices for which the related goods or services were received and accepted. In each case, the invoices were entered into the general ledger system for tracking purposes, but were erroneously excluded from the data extracts used to calculate the accounts payable liability. These errors were not identified through SEC's spreadsheet control checks. Further, the resulting understatements were not detected by the supervisory review and approval of the entries that posted to the general ledger. As a result, SEC staff prepared accounts payable entries that did not completely capture appropriate payables on a monthly basis. In March 2011, we recommended that SEC augment procedures over the preparation of the monthly accounts payable accrual entry to provide for identifying all instances in which a good or service was received and accepted but not yet been paid prior to month-end. In response to our recommendation, effective March 31, 2011, SEC management issued amended procedures in its Office of Financial Management's Reference Guide Chapter 02-01, Accounts Payable: Accounts Payable Accrual Process. That chapter describes the monthly accrual process to be followed for accounts payable and addressed the essential points of our recommendation that SEC's process needed to identify all instances in which a good or service has been received and accepted but has not yet been paid prior to month-end. Our year-end audit procedures on accounts payable showed that SEC's accrual process captured significant payables as of September 30, 2011. As a result of SEC's revised procedures, if fully and consistently followed, SEC management should have significantly improved assurance of the accuracy and completeness of the accounts payable balances reported in its financial statements.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment procedures over the preparation of the monthly accounts payable accrual entry to provide for identification of all instances in which a good or service has been received and accepted but has not yet been paid prior to month-end.

    Agency Affected: United States Securities and Exchange Commission

  11. Status: Closed - Implemented

    Comments: In our fiscal year 2010 financial statement audit of the Securities and Exchange Commission, GAO found that SEC management's monthly review of its manual accounts receivable calculations related to its securities transaction revenue did not identify that SEC staff were using the wrong fee rate in the calculations for April, May, and June. Specifically, GAO noted that management's review was designed to ensure that the Section 31 fee rate calculations were accurate but did not provide for assessing the propriety of data (e.g., fee rate) used in the calculation. As a result, SEC's initial calculation of its securities transaction revenue receivable balance as of June 30, 2010 was understated by $54 million. GAO recommended that SEC augment policies and procedures concerning SEC's monthly review and recalculation of securities transaction fee assessments to include procedures to ensure that the appropriate fee rate is used in the calculation of accounts receivable. In response to our recommendation, in fiscal year 2011, SEC's Treasury Operations Branch implemented a four step review process to validate the fee rate used in the monthly Section 31 calculation. As a result of these control enhancements SEC has improved the accuracy of the monthly Section 31 calculation including the calculation of accounts receivable reported in the financial statements.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment policies and procedures concerning SEC's monthly review and recalculation of securities transaction fee assessments to include procedures to ensure that the appropriate fee rate is used in the calculation of accounts receivable.

    Agency Affected: United States Securities and Exchange Commission

  12. Status: Closed - Implemented

    Comments: Our fiscal year 2010 audit of Securities and Exchange Commission's (SEC) financial statements found that several of SEC's key spreadsheets used for its financial disclosures contained errors, which were not detected by supervisory reviews. We recommended that SEC augment policies and procedures concerning supervisory review of key spreadsheets used for financial disclosures to provide assurance that calculations within the spreadsheets were accurate. In response to our recommendation, in fiscal year 2012, SEC developed procedures to ensure that financial data extracted from applications into spreadsheets remains accurate and reliable. As a result, SEC significantly reduced the risk of material misstatements in its financial statements associated with its use of spreadsheet queries for summarizing and recording the financial transactions in its financial records.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment policies and procedures concerning supervisory review of key spreadsheets used for financial disclosures to provide assurance that calculations within the spreadsheets are accurate.

    Agency Affected: United States Securities and Exchange Commission

  13. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission (SEC) collects and invests amounts received from disgorgement, civil monetary penalties, and interest against violators of federal securities laws on behalf of harmed investors in U.S. Treasury securities with the Bureau of Public Debt (BPD). In our fiscal year 2010 audit of the SEC's financial statements, we found that SEC did not utilize internal data when recording investment activity in the general ledger or reconcile the general ledger postings to the related purchase and withdrawal transactions submitted to BPD for processing. Consequently, SEC's monthly adjustment to record investment activity did not identify an investment withdrawal transaction that was erroneously processed by BPD as an investment purchase. These control deficiencies increased the risk of erroneous and/or fraudulent transactions being recorded in SEC's investment and cash balances. In March 2011, we recommended that SEC (i) develop and implement policies and procedures to record investment activity in the general ledger using investment purchase and withdrawal requests submitted to BPD and (ii) reconcile investment balances reported by BPD to SEC records of investment purchase and withdrawal transactions processed during the reporting period. In response to our recommendation, in fiscal year 2011, SEC began to record investment transactions in the general ledger on a daily basis and implemented verification procedures with BPD to ensure that BPD processes each investment transaction in accordance with the original request. Our testing of investment transactions during the 9 months ended June 30, 2011, found that this control was consistently documented and we did not identify any errors in transaction processing. As a result of these added controls, SEC has significantly reduced the risk of error in its investment and cash balances and related financial reporting.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement policies and procedures to record investment activity in the general ledger using investment purchase and withdrawal requests submitted to Bureau of Public Debt (BPD).

    Agency Affected: United States Securities and Exchange Commission

  14. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission (SEC) collects and invests amounts received from disgorgement, civil monetary penalties, and interest against violators of federal securities laws on behalf of harmed investors in U.S. Treasury securities with the Bureau of Public Debt (BPD). In our fiscal year 2010 audit of the SEC's financial statements, we found that SEC did not utilize internal data when recording investment activity in the general ledger or reconcile the general ledger postings to the related purchase and withdrawal transactions submitted to BPD for processing. Consequently, SEC's monthly adjustment to record investment activity did not identify an investment withdrawal transaction that was erroneously processed by BPD as an investment purchase. These control deficiencies increased the risk of erroneous and/or fraudulent transactions being recorded in SEC's investment and cash balances. In March 2011, we recommended that SEC (i) develop and implement policies and procedures to record investment activity in the general ledger using investment purchase and withdrawal requests submitted to BPD and (ii) reconcile investment balances reported by BPD to SEC records of investment purchase and withdrawal transactions processed during the reporting period. In response to our recommendation, in fiscal year 2011, SEC began to record investment transactions in the general ledger on a daily basis and implemented verification procedures with BPD to ensure that BPD processes each investment transaction in accordance with the original request. Our testing of investment transactions during the 9 months ended June 30, 2011, found that this control was consistently documented and we did not identify any errors in transaction processing. As a result of these added controls, SEC has significantly reduced the risk of error in its investment and cash balances and related financial reporting.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement policies and procedures to reconcile investment balances reported by BPD to SEC records of investment purchase and withdrawal transactions processed during the reporting period.

    Agency Affected: United States Securities and Exchange Commission

  15. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission(SEC) collects disgorgement, civil monetary penalties, and interest from violators of federal securities laws. SEC may invest amounts of disgorgements and penalties collected on behalf of harmed investors in U.S. Treasury securities with the Bureau of Public Debt (BPD). In our fiscal year 2010 audit of the SEC's financial statements, we found that SEC was not properly using BPD reports in its calculation of interest receivable on investment balances. Consequently, SEC's interest receivable balances were misstated for a majority of the fiscal year. In March 2011, we recommended that SEC develop and implement policies and procedures to reconcile SEC's calculated interest receivable to interest receivable amounts reported by BPD. In response to our recommendation, in fiscal year 2011, SEC implemented an automated interface between BPD and SEC's general ledger system and established controls to compare the accrued interest receivable balances to its internal records. We performed substantive testing of SEC's investment balances, including interest receivable, as of June 30, 2011, and September 30, 2011. Our testing did not identify any differences between SEC and BPD's recorded values or errors in the amount SEC recorded. As a result, the risk that interest receivable transactions will not be completely, accurately, and consistently recorded and reported is significantly reduced.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement policies and procedures to reconcile SEC's calculated interest receivable to interest receivable amounts reported by BPD.

    Agency Affected: United States Securities and Exchange Commission

  16. Status: Closed - Implemented

    Comments: During our fiscal year 2010 financial statement audit, we found that the Security and Exchange Commission's (SEC) review procedures over journal vouchers (JV) transactions were not operating effectively. We recommended that SEC augment existing control procedures over the processing of JV transactions to provide assurance that JVs processed in the general ledger reflect transactions approved by management. In response to our recommendation, in fiscal year 2012, SEC developed and implemented monitoring controls to ensure that JVs were being recorded in the general ledger in accordance with the JV forms approved by management. These revised control procedures significantly improved SEC's controls for ensuring the accuracy of JV entries processed into its general ledger and reduced the risk of material misstatements in its financial statements.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment existing control procedures over the processing of journal vouchers (JV) transactions to provide assurance that JVs processed into the general ledger reflect transactions approved by management. Such procedures should provide for accurate JV transaction posting at the account, fund, organization, and budget object class level.

    Agency Affected: United States Securities and Exchange Commission

  17. Status: Closed - Implemented

    Comments: During our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's review process for unliquidated obligations did not identify inaccuracies in the Open Obligations Review Reports which are relied on to certify the accuracy of recorded SEC obligations. We recommended that SEC develop and implement reconciliation, validation, and analytical procedures to ensure the reliability of the Open Obligations Review Reports used by the various SEC divisions and offices in their review of open obligations. In response to our recommendation, in fiscal year 2013, SEC developed a centralized list of open obligations containing significant unliquidated contracts, purchase orders, interagency agreements, and miscellaneous obligating documents. This centralized list is used by various SEC divisions and offices to validate the open obligations. Further, SEC developed and implemented a process to periodically reconcile a report on open obligations from the centralized list to the amounts in the trial balance. As a result of SEC's revised procedures, SEC strengthened the reliability of open obligations reported in its financial statements.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement reconciliation, validation, and analytical procedures to ensure the reliability of the "Open Obligations Review Reports" used by the various SEC divisions and offices in their review of unliquidated obligations.

    Agency Affected: United States Securities and Exchange Commission

  18. Status: Open

    Comments: We will review during our FY2015 audit.

    Recommendation: To help address the deficiency in control over the recording of miscellaneous purchase order documents (MO), we reaffirm the recommendation from our prior audit to require an approved purchase requisition before certifying fund availability. In addition, the Chairman of the SEC should direct the COO and CFO to augment existing policies and procedures for recording obligations to include, at a minimum: (a) back-up procedures for the recording of obligations in the event that responsible employees are unable to perform their assigned duties; and (b) controls designed to ensure that SEC offices submit obligating documents to OFM for processing as obligations are incurred.

    Agency Affected: United States Securities and Exchange Commission

  19. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have adequate controls for timely recording of budgetary transactions. Specifically, our review found that 7 of the 10 deobligation transactions we selected for testing were approved for deobligation during SEC's April 30, 2010 unliquidated obligations review process but were not deobligated as of June 30, 2010. Similarly, our sample of recorded downward adjustment transactions found two instances in which the downward adjustment to a purchase contract was not recorded in the same accounting period in which it was approved for deobligation. As a result of these delays in recording of deobligations, ending obligations reported in SEC's statement of budgetary resources at September 30, 2010, were overstated by about $6.4 million. In March 2011, we recommended that SEC augment its guidance related to its unliquidated obligation review process to, at a minimum: (a) clarify and communicate the responsibilities for recording deobligations and (b) clarify when to deobligate unliquidated obligations with no recent activity for financial reporting purposes and for contract close-out purposes for completed contracts to be consistent with applicable federal financial reporting guidance and OMB Circular No. A-11, Preparation, Submission, and Execution of the Budget. In response to our recommendation, in fiscal year 2011, SEC enhanced its guidance over the unliquidated obligations review process to clarify that the offices responsible for recording downward adjustments in the general ledger system establish monitoring and oversight procedures over the open obligation review, and identified the Office of Financial Management as responsible for monitoring the progress of contract closeouts. These added monitoring procedures significantly reduced the risk of unrecorded deobligation transactions thereby helping to ensure the ongoing validity of obligated balances reported on SEC's statement of budgetary resources.

    Recommendation: To help address the deficiency in control over the recording of MOs, we reaffirm the recommendation from our prior audit to require an approved purchase requisition before certifying fund availability. In addition, the Chairman of the SEC should direct the COO and CFO to augment guidance in SEC's Unliquidated Obligation Review Process to provide, at a minimum: (a) clarifying and communicating the responsibilities for recording deobligations; and (b) clarifying when to deobligate unliquidated obligations with no recent activity for financial reporting purposes and for contract close-out purposes for completed contracts to be consistent with applicable federal financial reporting guidance and OMB Circular No. A-11, "Preparation, Submission, and Execution of the Budget."

    Agency Affected: United States Securities and Exchange Commission

  20. Status: Closed - Implemented

    Comments: During our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that twenty travel obligations we tested did not have their voucher submitted within the five business days allotted by Federal Travel Regulation (FTR). Our testing found that between 4 to 16 months had elapsed from the time travel was completed until the deobligations were recorded in the general ledger. Further, our testing of unliquidated obligations at June 30, 2010, found that six of the eight travel obligations we reviewed were not liquidated upon completion of the travel. We recommended that SEC develop and implement documented control procedures to ensure liquidation and/or deobligation of remaining travel obligations after the completion of the travel. In response to our recommendation, in March 2011, SEC documented control procedures to track outstanding travel vouchers. Also, in fiscal year 2014, SEC demonstrated that they run a process on a monthly basis to deobligate residual travel obligations within three months of the month of obligation, and that travel obligations still outstanding were less than $60,000 as of September 30, 2014. Therefore, we concluded that SEC developed and implemented documented procedures to liquidate travel obligations after the completion of travel. As a result, SEC's control procedures help ensure that any excess budget authority is made available to meet SEC's other operational needs.

    Recommendation: To help address the deficiency in control over the recording of MOs, we reaffirm the recommendation from our prior audit to require an approved purchase requisition before certifying fund availability. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement documented control procedures to ensure liquidation and/or deobligation of remaining travel obligations after the completion of the travel.

    Agency Affected: United States Securities and Exchange Commission

  21. Status: Closed - Implemented

    Comments: During our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we continued to find incorrect posting configurations in SEC's general ledger system related to the proper accounting of adjustments to previously recorded obligations such as downward-adjustments. These resulted in significant misstatements in SEC's interim statements of budgetary resources until these errors were corrected. We recommended that, until SEC is able to correct the posting configuration errors in its general ledger system, SEC should implement procedures to prepare and post correcting budgetary transactions prior to the close of each monthly accounting period. In response to our recommendation, in fiscal year 2013, SEC developed and implemented procedures for monitoring its financial service provider's accounting for SEC's downward adjustments. These procedures include the use of a database for recalculating downward adjustments to obligations incurred in prior fiscal years, additional manual procedures to evaluate the reasonableness of the downward adjustments calculated by the service provider, and posting any necessary correcting budgetary transactions. As a result, SEC significantly reduced the risk of misstatements in the financial statements related to adjustments to recorded obligations.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to implement procedures to prepare and post correcting budgetary transactions prior to the close of the monthly accounting period until such time that SEC is able to correct configuration limitations of its general ledger system.

    Agency Affected: United States Securities and Exchange Commission

  22. Status: Closed - Implemented

    Comments: Our fiscal year 2010 financial statement audit of the Securities and Exchange Commission (SEC) found that SEC's obligations were not always supported by documentation evidencing approval by an authorized individual. GAO recommended that SEC augment existing policies and procedures to provide for supporting documentation for miscellaneous obligating documents (MOs) consistent with applicable guidance provided in OMB Circular No. A-11. In response to our recommendation, in fiscal year 2012, SEC revised its Reference Guide Budget Formulation and Execution: Miscellaneous Obligating Documents, to specifically require supporting documentation for MOs consistent with applicable guidance provided in OMB Circular No. A-11. As a result, SEC significantly improved its controls for ensuring that MO transactions are clearly documented, properly supported, and represent valid obligations.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to augment existing policies and procedures to provide for supporting documentation for MOs consistent with applicable guidance provided in OMB Circular No. A-11.

    Agency Affected: United States Securities and Exchange Commission

  23. Status: Closed - Implemented

    Comments: In our fiscal year 2010 financial statement audit of the Securities and Exchange Commission (SEC), GAO noted that SEC's procedures for entering disgorgement and penalty accounts receivable transactions into its general ledger system did not provide effective controls over the accuracy of financial data. We recommended that SEC augment current procedures to require that reviews of disgorgement and penalty data entered in the case-management system be completed prior to the close of the relevant accounting period. In response to our recommendation, in fiscal year 2012, SEC replaced its old case management system with the implementation of ImageNow, a document management and workflow system that SEC uses to process financial data related to disgorgement and penalties. With the implementation of ImageNow, SEC's processing and recording of disgorgements and penalties transactions was streamlined and the reviews and approvals required for the processing of these transactions are now timely performed and documented in the system. As a result, SEC significantly improved controls over the accuracy of disgorgement and penalty receivable balances and decreased the risk of material misstatement in its financial statements.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to augment current procedures to require that Enforcement's reviews of disgorgement and penalty data in the case-management system be completed prior to closing the accounting period.

    Agency Affected: United States Securities and Exchange Commission

  24. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission (SEC) is to recognize a receivable for disgorgement, civil monetary penalties, and interest from violators of federal securities laws when designated in an order or a final judgment to collect the assessed disgorgement, penalties, and interest. SEC is also party to court orders directing violators of federal securities laws to pay amounts assessed to a federal court or to a nonfederal receiver acting on behalf of harmed investors. SEC is to recognize a receivable when a court order provides for transfer of monies from a court to SEC. In our fiscal year 2010 audit of the SEC's financial statements, we found that SEC's procedures did not require posting a receivable transaction into the case management system or general ledger when a court order initiates the transfer of monies from a federal court or nonfederal receiver to the SEC. The lack of established procedures specifying steps required to account for transfer orders increased the risk that SEC's receivable balances could be understated. For example, we identified a $58 million transfer order that was erroneously omitted from SEC's disgorgement receivable balances as of March 31, 2010. In March 2011, we recommended that SEC develop and implement policies and procedures to identify and post receivable transactions in accordance with generally accepted accounting principles for court orders initiating the transfer of monies to the SEC after a distribution has occurred. In response to our recommendation, in fiscal year 2011, SEC's Office of Financial Management implemented a procedure to periodically monitor court activity on lawsuits in which SEC is a party to ensure the recorded receivable balances include any balances associated with transfer orders. In the fourth quarter of 2011, SEC successfully identified and accrued for transfer orders though this process. As a result of these added procedures, the risk that disgorgement and penalty transactions will not be completely or timely recorded and reported is significantly reduced.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to develop and implement policies and procedures to identify and post receivable transactions for court orders initiating the transfer of monies to the SEC after a distribution has occurred in accordance with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  25. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission (SEC) issues orders and administers judgments ordering, among other things, disgorgement, civil monetary penalties, and interest against violators of federal securities laws. Further, under 28 U.S.C. 1961, SEC is to accrue post-judgment interest on federal money judgments entered in a civil suit in federal court. Unless otherwise provided, post-judgment interest also accrues on SEC orders requiring the payment of disgorgement or penalties that the commission issues in administrative proceedings. In our fiscal year 2010 audit of SEC's financial statements, we found that SEC did not have procedures requiring periodic calculation and accrual of amounts of post-judgment interest collectible. As a result, SEC's accounts receivable balance as of September 30, 2010, was understated for post-judgment interest and the related footnote disclosures were omitted from the financial statements. In March 2011, we recommended that SEC develop and implement policies and procedures to (i) calculate and accrue for post-judgment interest amounts collectible prior to closing the accounting period in accordance with generally accepted accounting principles (GAAP); and (ii) provide for footnote disclosures concerning post-judgment interest amounts accrued on uncollectible accounts receivable in accordance with GAAP. In response to our recommendations, in fiscal year 2011, SEC implemented procedures to periodically calculate and accrue for post-judgment interested receivable on disgorgement and penalty receivables. Our review of SEC's accrual in the fourth quarter of fiscal year 2011 did not identify any significant omissions in its calculations, and the total amount of post-judgment interest accrued on uncollectible accounts receivable was disclosed in its year end financial statements in accordance with GAAP. As implemented, these procedures significantly increased the accuracy of SEC's reported receivable balances.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to develop and implement policies and procedures to calculate and accrue for post-judgment interest amounts collectible prior to closing the accounting period in accordance with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  26. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission (SEC) issues orders and administers judgments ordering, among other things, disgorgement, civil monetary penalties, and interest against violators of federal securities laws. Further, under 28 U.S.C. 1961, SEC is to accrue post-judgment interest on federal money judgments entered in a civil suit in federal court. Unless otherwise provided, post-judgment interest also accrues on SEC orders requiring the payment of disgorgement or penalties that the commission issues in administrative proceedings. In our fiscal year 2010 audit of SEC's financial statements, we found that SEC did not have procedures requiring periodic calculation and accrual of amounts of post-judgment interest collectible. As a result, SEC's accounts receivable balance as of September 30, 2010, was understated for post-judgment interest and the related footnote disclosures were omitted from the financial statements. In March 2011, we recommended that SEC develop and implement policies and procedures to (i) calculate and accrue for post-judgment interest amounts collectible prior to closing the accounting period in accordance with generally accepted accounting principles (GAAP); and (ii) provide for footnote disclosures concerning post-judgment interest amounts accrued on uncollectible accounts receivable in accordance with GAAP. In response to our recommendations, in fiscal year 2011, SEC implemented procedures to periodically calculate and accrue for post-judgment interested receivable on disgorgement and penalty receivables . Our review of SEC's accrual in the fourth quarter of fiscal year 2011 did not identify any significant omissions in its calculations, and the total amount of post-judgment interest accrued on uncollectible accounts receivable was disclosed in its year end financial statements in accordance with GAAP. As implemented, these procedures significantly increased the accuracy of SEC's reported receivable balances.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to develop and implement procedures to provide for footnote disclosures concerning post-judgment interest amounts accrued on uncollectible accounts receivable in accordance with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  27. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission (SEC) issues orders and administers judgments ordering, among other things, disgorgement, civil monetary penalties, and interest against violators of federal securities laws. In accordance with generally accepted accounting principles, SEC is to recognize a receivable when it is designated in an order or a final judgment to collect the assessed disgorgement, penalties, and interest and reduce the receivable by the dollar amount of checks collected. In our fiscal year 2010 audit of the SEC's financial statements, we found that SEC did not have effective procedures to ensure proper cutoff of its collection on disgorgement and penalties receivable. Our year-end review identified year-end checks totaling about $2.8 million that were received at or close to year-end but not recorded in the general ledger until fiscal year 2011. These instances resulted in misstatements and miscalculations of SEC's allowance for loss. In March 2011, we recommended that SEC establish and implement procedures for recording all check collections in the general ledger in the same fiscal period they are received. In response to our recommendation, in fiscal year 2011, SEC implemented procedures to accrue for check collections received at the end of a fiscal period as deposits in transit. Our review of SEC's check receipts during fiscal year 2011 did not find any exceptions indicative of untimely recording of check collections. As a result, the risk that check collections will not be completely or timely recorded and reported is significantly reduced.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to establish and implement procedures for recording all check collections in the general ledger in the same fiscal period they are received in accordance with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  28. Status: Closed - Implemented

    Comments: Our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements found that SEC's posting model for recording disgorgement and penalty amounts disbursed from SEC's Deposit Suspense Liability Non Fed account in its General Ledger was not in compliance with the US Standard General Ledger (USSGL). We recommended that SEC revise existing posting configurations to account for amounts disbursed from SEC's Deposit Suspense Liability accounts in accordance with the USSGL. In response to our recommendation, in fiscal year 2012, SEC revised existing posting configurations to account for amounts disbursed from SEC's Deposit Suspense Liability accounts in accordance with the USSGL. As a result, SEC decreased the risk that disgorgement and penalty transactions will not be completely, accurately, timely, and consistently recorded and reported.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to revise existing posting configurations to account for amounts disbursed from SEC's Deposit Suspense Liability accounts in accordance with the U.S. Standard General Ledger (USSGL).

    Agency Affected: United States Securities and Exchange Commission

  29. Status: Closed - Implemented

    Comments: The Securities and Exchange Commission's (SEC) Liability for Disgorgement and Penalties line item is made up of two general ledger accounts (GLAC): (1)2990, Other Liabilities without Related Budgetary Obligations, and (2)GLAC 2400, Deposit Suspense Liability- Non Fed, which represents cash, accounts receivables, and investment balances that are pending distribution to harmed investors or to the general fund of the U.S. Treasury. SEC uses GLAC 2400 to temporarily account for disgorgement and penalty transactions that are awaiting disposition or reclassification, such as cash receipts for which SEC has not recorded a related receivable. As of September 30, 2010, SEC reported balances for GLAC 2400 of $123 million. In our fiscal year 2010 audit of SEC's financial statements, we found that the GLAC 2400 balance included approximately $102 million of amounts that had already been transferred to Treasury by year-end and therefore was significantly overstated. As a result, management was unable to readily identify the amount of disgorgement and penalty collections pending disposition or reclassification. In March 2011, we recommended that SEC evaluate balances residing in SEC's Deposit Suspense Liability accounts and adjust related accounts for amounts that have already been disbursed prior to the close of each accounting period. In response to our recommendation, in fiscal year 2011, SEC posted adjusting entries to correct for the cumulative error in its Deposit Suspense Liability accounts and established a control mechanism to periodically review and adjust balances in GLAC 2400 for amounts that had already been disbursed. Our testing in fiscal year 2011 identified that this control mechanism effectively identified and adjusted disbursed amounts from the liability balances. As a result of these efforts, SEC has significantly reduced the risk of overstatement of its Deposit Suspense Liability balances and SEC management should have more accurate information on disgorgement and penalty collections that are awaiting disposition or reclassification.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, until posting configurations for amounts disbursed from SEC's Deposit Suspense Liability accounts are corrected, to establish and implement interim procedures to evaluate balances residing in SEC's Deposit Suspense Liability accounts and adjust related accounts for amounts that have already been disbursed prior to the close of each accounting period.

    Agency Affected: United States Securities and Exchange Commission

  30. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC management's review of the draft annual financial statements did not detect the omission of key required supplementary information (RSI). Specifically, SEC omitted $452 million in disaggregated budgetary information for one of its major budget accounts presented in the draft statement of budgetary resources. Consequently, SEC's draft financial statements were not in compliance with OMB Circular A-136 and generally accepted accounting principles (GAAP). In March 2011, we recommended that SEC augment procedures concerning SEC's review of its financial statements to specify review steps necessary to ensure that all applicable financial statements, related notes, and required supplementary information required under OMB Circular No. A-136 and GAAP are presented. In response to our recommendation, in fiscal year 2011, SEC revised its procedures for reviewing its financial statements to include steps for assessing financial information against federal government accounting and reporting requirements. Our review of SEC's yearend financial statements found that SEC's appropriately presented disaggregated its budgetary information for each of its major funds and presented this information in the RSI section of its financial statements. Our review of SEC's yearend financial statements in fiscal year 2011 did not identify any other omissions of RSI. As a result, SEC has reduced the risk that its financial statements will not include all required RSI in compliance with GAAP and OMB Circular No. A-136.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to augment procedures concerning SEC's review of its financial statements to specify review steps necessary to ensure that all applicable financial statements, related notes, and required supplementary information required under OMB Circular No. A-136 are presented.

    Agency Affected: United States Securities and Exchange Commission

  31. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC had no mechanism to monitor compliance with the documentation requirements for invoice approval under its internal Administrative Regulation, SECR 10-15. Such documentation is necessary to ensure proper, consistent approval of invoices by Contracting Officer's Technical Representatives (COTR) or Inspection and Acceptance Officials (IAO) and to ensure consistent retention of their appointment letters. Our fiscal year 2010 audit found that invoices were not always approved by a properly designated COTR or IAO in accordance with SEC regulations. Specifically, during our testing of non-payroll disbursements through June 30, 2010, we noted that 37 of 67 disbursements tested were not supported by an invoice approved by a COTR/ IAO or other designated person. Of these items, 22 disbursements were approved by individuals who were not contracting officers and were without approved appointment letters to support their designation as the COTR or IAO for the contract to which the disbursement was associated. Further, 15 disbursements-all lease payments-were approved by either a Project Manager (PM) or non-Contracting Officer (CO). Although SEC officials told us that lease payments could be approved by a PM or non-CO, SEC did not provide any documentation authorizing them to approve these invoices as of June 30, 2010. Additionally, we noted one other disbursement that was approved by an individual prior to the date that individual was appointed as the COTR for that contract. Although SECR 10-15 established responsibilities for COTRs and IAOs, including the documentation and tracking of invoices from the time of receipt until the payment is issued, such procedures were not consistently implemented in fiscal year 2010. Consequently, until such controls were operating as intended, SEC was likely to continue to be in violation of its own internal regulations and Office of Management and Budget (OMB) guidance. In March 2011, we recommended that SEC establish a mechanism to monitor compliance with the invoice documentation requirements under SEC regulations to ensure proper, consistent approval of invoices by COTRs, IAOs, and other designated persons and retention of their appointment letters, if applicable. In response to our recommendation, during fiscal year 2011, SEC's Office of Financial Management (OFM) introduced a workflow process for invoices. One purpose of this workflow process was to ensure proper invoice approval by timely routing invoices to the proper approver. Our testing of non-payroll expenditures during our fiscal year 2011 financial audit did not identify any instances in which invoices were not properly approved. As a result of these actions, SEC management has significantly improved its invoice approval process, resulting in consistent and proper approvals by COTRs and IAOs.

    Recommendation: We reaffirm our prior recommendation that SEC investigate the causes of late payments and develop and implement any necessary corrective action. The Chairman should direct the COO and CFO to establish a mechanism to monitor compliance with the documentation requirements under SEC regulations to ensure proper, consistent approval of invoices by Contracting Officer's Technical Representatives (COTR), Inspection and Acceptance Officials (IAO), and other designated persons and retention of their appointment letters, if applicable.

    Agency Affected: United States Securities and Exchange Commission

  32. Status: Closed - Implemented

    Comments: In our fiscal year 2009 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC lacked procedures to comprehensively identify and assess risk related to SEC's payroll-related control activities, including risk associated with user controls identified by its payroll service provider in Statement on Auditing Standards (SAS) 70 reports. Based on our review of SEC's risk assessment of internal controls over financial reporting, we found that management did not develop an understanding of its complete financial reporting control environment sufficient to identify all relevant risks and effectively plan and test controls. For example, a significant portion of SEC's payroll processing relies on the Department of the Interior's National Business Center (NBC), a payroll service provider. As such, SEC places significant reliance on reports generated by NBC to determine whether its payroll disbursements were complete, valid, accurate, and timely. Specifically, in processing payroll disbursements, SEC management relies on exception reports generated by NBC as a basis for adjusting internal payroll records. Despite such reliance, management's risk assessment of payroll controls did not initially consider SEC's internal control environment related to NBC's processing of its payroll. The service provider's SAS 70 report, related to its payroll servicing operations listed user controls that should be in place at SEC, as a user organization, in order for SEC to rely on the specified internal controls at NBC. As a result of weaknesses in SEC's risk assessment and control oversight monitoring process, SEC did not consider the complete financial reporting control environment for the areas evaluated and management did not identify all risks, effectively implement monitoring controls in high-risk areas, or test many of the key controls that drive operations. Moreover, SEC did not document its evaluation of the design of the key controls that were identified as part of the risk assessment process. In March 2010, we recommended that SEC establish procedures to comprehensively identify and assess risk related to SEC's payroll-related control activities, including risk associated with user controls identified by its payroll service provider in SAS 70 reports. In response to our recommendation, during fiscal year 2011, SEC management established and implemented a formal process to review the payroll service provider's SAS 70 report. In October 2011, SEC management issued a formal report of its review of the SAS 70 report and evaluated SEC's key controls in the context of that report. As a result of these actions, SEC management has significantly reduced the risk that management will not properly consider their complete financial reporting control environment for payroll-related control activities.

    Recommendation: We reaffirm our prior recommendation that SEC establish procedures to comprehensively identify and assess risk related to SEC's payroll-related activities, including risk associated with user controls identified by its payroll service provider in SAS No. 70 reports. The Chairman should direct the COO and CFO also to establish and implement procedures requiring review of the payroll service provider SAS No. 70 report to include consideration of whether compensating controls are needed to address any open exceptions in the report that affect SEC's payroll processing.

    Agency Affected: United States Securities and Exchange Commission

  33. Status: Open

    Comments: We will review during our FY2015 audit.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop and implement policies and procedures detailing the steps and documentation required to effectively control and monitor travel expenses paid through the central billing account, including steps required to ensure documented receipt of refunds or credits for travel/tickets that were previously paid for by SEC but subsequently canceled.

    Agency Affected: United States Securities and Exchange Commission

 

Explore the full database of GAO's Open Recommendations »

Jul 30, 2015

Jul 16, 2015

Jul 15, 2015

Jul 10, 2015

Jul 9, 2015

Jul 7, 2015

Jun 30, 2015

Jun 25, 2015

Jun 24, 2015

Jun 17, 2015

Looking for more? Browse all our products here