Management Report:

Improvements Needed in SEC's Internal Controls and Accounting Procedures

GAO-11-348R: Published: Mar 29, 2011. Publicly Released: Mar 29, 2011.

Additional Materials:

Contact:

James R. Dalkin
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

On November 15, 2010, we issued our opinion on the U. S. Securities and Exchange Commission's (SEC) fiscal years 2010 and 2009 financial statements. We also issued our opinion on the effectiveness of SEC's internal controls over financial reporting as of September 30, 2010, and our evaluation of SEC's compliance with selected provisions of laws and regulations during fiscal year 2010. In that report we identified material weaknesses in SEC's controls. The purpose of this report is to present (1) more detailed information and our recommendations related to the material weaknesses we reported and discussed in our opinion report; (2) less significant internal control issues we identified during our fiscal year 2010 audit of SEC's internal controls and accounting procedures, along with our related recommended corrective actions; (3) summary information on the status of the recommendations reported as open in our March 31, 2010, management report, and (4) the status of the security weaknesses in information systems controls at SEC that we identified in public and "Limited Official Use Only" reports issued in 2005 through 2009, that were unresolved at the time of our March 31, 2010, management report.

As part of our audit of SEC's fiscal years 2010 and 2009 financial statements, we identified two material weaknesses in internal control as of September 30, 2010. These material weaknesses concern SEC's (1) information systems controls and (2) controls over financial reporting and accounting processes. The material weakness we identified over information systems, including continuing deficiencies reported in prior audits, spanned both SEC's general support system and all key SEC financial reporting applications. The material weakness in financial reporting and accounting processes we identified encompassed deficiencies in five areas of SEC's operations and related reporting: (1) financial reporting process, (2) budgetary resources, (3) registrant deposits, (4) disgorgement and penalties, and (5) required supplementary information. These material weaknesses may adversely affect the accuracy and completeness of information used and reported by SEC's management. We are making a total of 30 new recommendations to address these material weaknesses. We also identified other internal control issues that, although not considered material weaknesses or significant control deficiencies, warrant SEC management's consideration. These issues concern: (1) proper and timely approvals of disbursements, (2) review of service providers' auditor reports, and (3) controls over travel transaction documentation. We are making a total of 3 new recommendations related to these less significant control deficiencies. We are also providing summary information on the status of SEC's actions to address the recommendations from our prior audits as of the conclusion of our fiscal year 2010 audit. Specifically, as summarized in enclosure I, by the end of our fiscal year 2010 audit, we found SEC took action to fully address 17 of the 50 recommendations from our prior audits that were open at the time of our March 31, 2010, management report. Lastly, we are providing summary information on the status of SEC's actions to address previously reported information system security weaknesses. Specifically, as of the end of fiscal year 2010, we found SEC took action to address 18 of the 22 security weaknesses in information systems controls that were open at the time of our March 31, 2010, management report. In providing written comments on a draft of this report, the SEC Chairman stated that remediation of the agency's two material weaknesses is a top priority for SEC. The Chairman stated that SEC is taking a number of steps to address the material weaknesses this fiscal year; however, putting SEC's internal controls on a solid footing over the long term primarily requires significant investment in SEC's financial systems. The Chairman also stated that the centerpiece of SEC's remediation strategy is to migrate its core financial system and transaction processing to a Federal Shared Service Provider. SEC also provided technical comments which we incorporated as appropriate. We will evaluate SEC's actions, strategies, and plans as part of our fiscal year 2011 audit.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: In addition to completing actions that address the outstanding previously reported information system security-related weaknesses, the Chairman of the SEC should direct the Chief Operating Officer (COO) and Chief Information Officer (CIO) to establish a mechanism to ensure current procedures for implementing all elements of an entitywide information security program for GSS are followed, consistent with Federal Information Security Management Act (FISMA) requirements and National Institute of Standards and Technology (NIST) guidance.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: Accomplishment reports GAO-12-1502A and GAO-12-1503A pending completion.

    Recommendation: In addition to completing actions that address the outstanding previously reported information system security-related weaknesses, the Chairman of the SEC should direct the COO and CIO to establish a mechanism to ensure current procedures to ensure timely follow up on outstanding general support system (GSS) Plan of Action and Milestones (POA&M) items are followed, consistent with SEC policy.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: Accomplishment report GAO-12-1504A pending completion.

    Recommendation: In addition to completing actions that address the outstanding previously reported information system security-related weaknesses, the Chairman of the SEC should direct the COO and CIO to establish a mechanism to ensure current procedures for audit logging and audit log monitoring activities are followed for all financial systems.

    Agency Affected: United States Securities and Exchange Commission

  4. Status: Closed - Implemented

    Comments: Accomplishment report GAO-12-1505A pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CIO to establish a mechanism to ensure current procedures to periodically review the information system access and roles of all SEC personnel for suitability and compliance with authorized security forms are followed, consistent with SEC policy.

    Agency Affected: United States Securities and Exchange Commission

  5. Status: Closed - Implemented

    Comments: Accomplishment report GAO-12-1506A pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CIO to perform and document a business impact analysis (BIA) for the GSS in accordance with SEC policy.

    Agency Affected: United States Securities and Exchange Commission

  6. Status: Closed - Implemented

    Comments: Accomplishment report GAO-12-1507A pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CIO to conduct an analysis of the cost and benefits of relocating the Alternate Data Center (ADC) to a different geographical area in comparison with the cost of recreating data if a major disaster compromised data at both primary Operations Center (OPC) and ADC locations.

    Agency Affected: United States Securities and Exchange Commission

  7. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and Chief Financial Officer (CFO) to augment policies and procedures to ensure the completeness of the "GL Summary file" used to prepare monthly trial balance reports, including procedures for identifying and notifying management and key users of any errors or omissions detected in the report.

    Agency Affected: United States Securities and Exchange Commission

  8. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment existing control procedures over the "GL Summary file" by requiring documented approval by SEC management before making the file available to key users to calculate manual adjustments.

    Agency Affected: United States Securities and Exchange Commission

  9. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that the SEC's procedures over the preparation of its monthly accounts payable accrual entry did not provide for identification of all instances in which goods or services were received and accepted but not yet paid prior to month-end. Consequently, SEC did not accurately and completely capture all of the appropriate accounts payable activity during a month, resulting in an understatement of SEC's monthly accounts payable. According to SEC's accounts payable policy, and in accordance with Statement of Federal Financial Accounting Standards (SFFAS) No. 5, an accounts payable accruals should established when a good or service has been received but not yet paid. In its June 2010 accrual estimate, SEC's accrual process did not consider nearly $3 million in unpaid invoices for which the related goods or services were received and accepted. In each case, the invoices were entered into the general ledger system for tracking purposes, but were erroneously excluded from the data extracts used to calculate the accounts payable liability. These errors were not identified through SEC's spreadsheet control checks. Further, the resulting understatements were not detected by the supervisory review and approval of the entries that posted to the general ledger. As a result, SEC staff prepared accounts payable entries that did not completely capture appropriate payables on a monthly basis. In March 2011, we recommended that SEC augment procedures over the preparation of the monthly accounts payable accrual entry to provide for identifying all instances in which a good or service was received and accepted but not yet been paid prior to month-end. In response to our recommendation, effective March 31, 2011, SEC management issued amended procedures in its Office of Financial Management's Reference Guide Chapter 02-01, Accounts Payable: Accounts Payable Accrual Process. That chapter describes the monthly accrual process to be followed for accounts payable and addressed the essential points of our recommendation that SEC's process needed to identify all instances in which a good or service has been received and accepted but has not yet been paid prior to month-end. Our year-end audit procedures on accounts payable showed that SEC's accrual process captured significant payables as of September 30, 2011. As a result of SEC's revised procedures, if fully and consistently followed, SEC management should have significantly improved assurance of the accuracy and completeness of the accounts payable balances reported in its financial statements.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement procedures over the preparation of the monthly accounts payable accrual calculation and entry to provide assurance that all organization codes are included in the calculation.

    Agency Affected: United States Securities and Exchange Commission

  10. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment procedures over the preparation of the monthly accounts payable accrual entry to provide for identification of all instances in which a good or service has been received and accepted but has not yet been paid prior to month-end.

    Agency Affected: United States Securities and Exchange Commission

  11. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment policies and procedures concerning SEC's monthly review and recalculation of securities transaction fee assessments to include procedures to ensure that the appropriate fee rate is used in the calculation of accounts receivable.

    Agency Affected: United States Securities and Exchange Commission

  12. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment policies and procedures concerning supervisory review of key spreadsheets used for financial disclosures to provide assurance that calculations within the spreadsheets are accurate.

    Agency Affected: United States Securities and Exchange Commission

  13. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement policies and procedures to record investment activity in the general ledger using investment purchase and withdrawal requests submitted to Bureau of Public Debt (BPD).

    Agency Affected: United States Securities and Exchange Commission

  14. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement policies and procedures to reconcile investment balances reported by BPD to SEC records of investment purchase and withdrawal transactions processed during the reporting period.

    Agency Affected: United States Securities and Exchange Commission

  15. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement policies and procedures to reconcile SEC's calculated interest receivable to interest receivable amounts reported by BPD.

    Agency Affected: United States Securities and Exchange Commission

  16. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to augment existing control procedures over the processing of journal vouchers (JV) transactions to provide assurance that JVs processed into the general ledger reflect transactions approved by management. Such procedures should provide for accurate JV transaction posting at the account, fund, organization, and budget object class level.

    Agency Affected: United States Securities and Exchange Commission

  17. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes we reaffirm our open recommendation from our prior audits related to the development of useful reports within SEC's general ledger system. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement reconciliation, validation, and analytical procedures to ensure the reliability of the "Open Obligations Review Reports" used by the various SEC divisions and offices in their review of unliquidated obligations.

    Agency Affected: United States Securities and Exchange Commission

  18. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To help address the deficiency in control over the recording of miscellaneous purchase order documents (MO), we reaffirm the recommendation from our prior audit to require an approved purchase requisition before certifying fund availability. In addition, the Chairman of the SEC should direct the COO and CFO to augment existing policies and procedures for recording obligations to include, at a minimum: (a) back-up procedures for the recording of obligations in the event that responsible employees are unable to perform their assigned duties; and (b) controls designed to ensure that SEC offices submit obligating documents to OFM for processing as obligations are incurred.

    Agency Affected: United States Securities and Exchange Commission

  19. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: To help address the deficiency in control over the recording of MOs, we reaffirm the recommendation from our prior audit to require an approved purchase requisition before certifying fund availability. In addition, the Chairman of the SEC should direct the COO and CFO to augment guidance in SEC's Unliquidated Obligation Review Process to provide, at a minimum: (a) clarifying and communicating the responsibilities for recording deobligations; and (b) clarifying when to deobligate unliquidated obligations with no recent activity for financial reporting purposes and for contract close-out purposes for completed contracts to be consistent with applicable federal financial reporting guidance and OMB Circular No. A-11, "Preparation, Submission, and Execution of the Budget."

    Agency Affected: United States Securities and Exchange Commission

  20. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: To help address the deficiency in control over the recording of MOs, we reaffirm the recommendation from our prior audit to require an approved purchase requisition before certifying fund availability. In addition, the Chairman of the SEC should direct the COO and CFO to develop and implement documented control procedures to ensure liquidation and/or deobligation of remaining travel obligations after the completion of the travel.

    Agency Affected: United States Securities and Exchange Commission

  21. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to implement procedures to prepare and post correcting budgetary transactions prior to the close of the monthly accounting period until such time that SEC is able to correct configuration limitations of its general ledger system.

    Agency Affected: United States Securities and Exchange Commission

  22. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to augment existing policies and procedures to provide for supporting documentation for MOs consistent with applicable guidance provided in OMB Circular No. A-11.

    Agency Affected: United States Securities and Exchange Commission

  23. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to augment current procedures to require that Enforcement's reviews of disgorgement and penalty data in the case-management system be completed prior to closing the accounting period.

    Agency Affected: United States Securities and Exchange Commission

  24. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to develop and implement policies and procedures to identify and post receivable transactions for court orders initiating the transfer of monies to the SEC after a distribution has occurred in accordance with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  25. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to develop and implement policies and procedures to calculate and accrue for post-judgment interest amounts collectible prior to closing the accounting period in accordance with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  26. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to develop and implement procedures to provide for footnote disclosures concerning post-judgment interest amounts accrued on uncollectible accounts receivable in accordance with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  27. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to establish and implement procedures for recording all check collections in the general ledger in the same fiscal period they are received in accordance with generally accepted accounting principles.

    Agency Affected: United States Securities and Exchange Commission

  28. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, to revise existing posting configurations to account for amounts disbursed from SEC's Deposit Suspense Liability accounts in accordance with the U.S. Standard General Ledger (USSGL).

    Agency Affected: United States Securities and Exchange Commission

  29. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CFO, in coordination with the Director of Enforcement as applicable, until posting configurations for amounts disbursed from SEC's Deposit Suspense Liability accounts are corrected, to establish and implement interim procedures to evaluate balances residing in SEC's Deposit Suspense Liability accounts and adjust related accounts for amounts that have already been disbursed prior to the close of each accounting period.

    Agency Affected: United States Securities and Exchange Commission

  30. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to augment procedures concerning SEC's review of its financial statements to specify review steps necessary to ensure that all applicable financial statements, related notes, and required supplementary information required under OMB Circular No. A-136 are presented.

    Agency Affected: United States Securities and Exchange Commission

  31. Status: Closed - Implemented

    Comments: In our fiscal year 2010 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC had no mechanism to monitor compliance with the documentation requirements for invoice approval under its internal Administrative Regulation, SECR 10-15. Such documentation is necessary to ensure proper, consistent approval of invoices by Contracting Officer's Technical Representatives (COTR) or Inspection and Acceptance Officials (IAO) and to ensure consistent retention of their appointment letters. Our fiscal year 2010 audit found that invoices were not always approved by a properly designated COTR or IAO in accordance with SEC regulations. Specifically, during our testing of non-payroll disbursements through June 30, 2010, we noted that 37 of 67 disbursements tested were not supported by an invoice approved by a COTR/ IAO or other designated person. Of these items, 22 disbursements were approved by individuals who were not contracting officers and were without approved appointment letters to support their designation as the COTR or IAO for the contract to which the disbursement was associated. Further, 15 disbursements-all lease payments-were approved by either a Project Manager (PM) or non-Contracting Officer (CO). Although SEC officials told us that lease payments could be approved by a PM or non-CO, SEC did not provide any documentation authorizing them to approve these invoices as of June 30, 2010. Additionally, we noted one other disbursement that was approved by an individual prior to the date that individual was appointed as the COTR for that contract. Although SECR 10-15 established responsibilities for COTRs and IAOs, including the documentation and tracking of invoices from the time of receipt until the payment is issued, such procedures were not consistently implemented in fiscal year 2010. Consequently, until such controls were operating as intended, SEC was likely to continue to be in violation of its own internal regulations and Office of Management and Budget (OMB) guidance. In March 2011, we recommended that SEC establish a mechanism to monitor compliance with the invoice documentation requirements under SEC regulations to ensure proper, consistent approval of invoices by COTRs, IAOs, and other designated persons and retention of their appointment letters, if applicable. In response to our recommendation, during fiscal year 2011, SEC's Office of Financial Management (OFM) introduced a workflow process for invoices. One purpose of this workflow process was to ensure proper invoice approval by timely routing invoices to the proper approver. Our testing of non-payroll expenditures during our fiscal year 2011 financial audit did not identify any instances in which invoices were not properly approved. As a result of these actions, SEC management has significantly improved its invoice approval process, resulting in consistent and proper approvals by COTRs and IAOs.

    Recommendation: We reaffirm our prior recommendation that SEC investigate the causes of late payments and develop and implement any necessary corrective action. The Chairman should direct the COO and CFO to establish a mechanism to monitor compliance with the documentation requirements under SEC regulations to ensure proper, consistent approval of invoices by Contracting Officer's Technical Representatives (COTR), Inspection and Acceptance Officials (IAO), and other designated persons and retention of their appointment letters, if applicable.

    Agency Affected: United States Securities and Exchange Commission

  32. Status: Closed - Implemented

    Comments: Accomplishment report pending completion.

    Recommendation: We reaffirm our prior recommendation that SEC establish procedures to comprehensively identify and assess risk related to SEC's payroll-related activities, including risk associated with user controls identified by its payroll service provider in SAS No. 70 reports. The Chairman should direct the COO and CFO also to establish and implement procedures requiring review of the payroll service provider SAS No. 70 report to include consideration of whether compensating controls are needed to address any open exceptions in the report that affect SEC's payroll processing.

    Agency Affected: United States Securities and Exchange Commission

  33. Status: Open

    Comments: We will review during our FY2012 audit.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop and implement policies and procedures detailing the steps and documentation required to effectively control and monitor travel expenses paid through the central billing account, including steps required to ensure documented receipt of refunds or credits for travel/tickets that were previously paid for by SEC but subsequently canceled.

    Agency Affected: United States Securities and Exchange Commission

 

Explore the full database of GAO's Open Recommendations »

Nov 20, 2014

Nov 17, 2014

Nov 12, 2014

Nov 10, 2014

Nov 7, 2014

Nov 6, 2014

Sep 22, 2014

Looking for more? Browse all our products here