Management Report:

Improvements Needed in SEC's Internal Controls and Accounting Procedures

GAO-12-424R: Published: Apr 13, 2012. Publicly Released: Apr 13, 2012.

Additional Materials:

Contact:

James R. Dalkin
(202) 512-3000
dalkinj@gao.gov

 

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

In our audit of SEC’s fiscal years 2011 and 2010 financial statements, we identified four significant deficiencies in internal control as of September 30, 2011. These significant internal control deficiencies represent continuing deficiencies concerning controls over (1) information systems, (2) financial reporting and accounting processes, (3) budgetary resources, and (4) registrant deposits and filing fees. These significant control deficiencies may adversely affect the accuracy and completeness of information used and reported by SEC’s management. We are making a total of 10 new recommendations to address these continuing significant internal control deficiencies.

We also identified other internal control issues that although not considered material weaknesses or significant control deficiencies, nonetheless warrant SEC management’s attention. These issues concern SEC’s controls over:

  • payroll monitoring,
  • implementation of post-judgment interest accounting procedures,
  • accounting for disgorgement and penalty transactions, and
  • the government purchase card program.

We are making a total of 9 new recommendations related to these other internal control deficiencies.

We are also providing summary information on the status of SEC’s actions to address the recommendations from our prior audits as of the conclusion of our fiscal year 2011 audit. By the end of our fiscal year 2011 audit, we found that SEC took action to fully address 38 of the 66 recommendations from our prior audits, subsequent to our March 29, 2011, management report.

Lastly, we found that SEC took action to address and resolve all four weaknesses in information systems controls that we identified in public and “Limited Official Use Only” reports issued in 2008 through 2009 that were reported as open at the time of our March 29, 2011, management report.

Why GAO Did This Study

On November 15, 2011, we issued our opinion on the U.S. Securities and Exchange Commission’s (SEC) and its Investor Protection Fund’s (IPF) fiscal years 2011 and 2010 financial statements. We also issued our opinion on the effectiveness of SEC’s internal controls over financial reporting as of September 30, 2011, and our evaluation of SEC’s compliance with selected provisions of laws and regulations during fiscal year 2011. In that report, we identified significant deficiencies in SEC’s internal control over financial reporting.

The purpose of this report is to (1) present new recommendations related to the significant deficiencies we identified in our November 2011 report; (2) communicate less significant internal control issues we identified during our fiscal year 2011 audit of SEC’s internal controls and accounting procedures, along with our related recommended corrective actions; and (3) summarize information on the status of the recommendations reported as open in our March 29, 2011, management report.

What GAO Recommends

We are making a total of 19 new recommendations related to internal control deficiencies.

For more information, contact Jim Dalkin at (202) 512-3133 or dalkinj@gao.gov or Greg Wilshusen at (202) 512-6244 or wilshuseng@gao.gov .

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2012, we reported that the Securities and Exchange Commission (SEC) did not develop or maintain baseline configurations of security settings or associated guides for configuring several of its systems and devices. We recommended that SEC establish configuration baselines and related guidance for securing systems and monitoring system configuration baseline implementation. In fiscal year 2013, we verified that SEC, in response to our recommendation, used the United States Government Configuration Baseline for desktop configurations and Center for Internet Security settings for its servers. As a result, SEC is better able to ensure that its systems are securely configured in accordance with federal and SEC policies.

    Recommendation: To address the deficiencies in internal control over information security, the Chairman of the Securities and Exchange Commission (SEC), should direct the Chief Operating Officer (COO) and Chief Information Officer (CIO) to establish configuration baselines and related guidance for securing systems and monitoring system configuration baseline implementation.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: In fiscal year 2012, we reported that the Securities and Exchange Commission (SEC) did not document security requirements for its EDGAR/Fee Momentum subsystem in its security plan for EDGAR. We recommended that SEC enhance the EDGAR security plan to document security requirements for the EDGAR/Fee Momentum subsystem. In fiscal year 2013, we verified that SEC, in response to our recommendation, added the Fee subsystem to the EDGAR system security plan. As a result, SEC is better able to effectively secure the EDGAR/Fee Momentum subsystem.

    Recommendation: To address the deficiencies in internal control over information security, the Chairman of the SEC, should direct the COO and CIO to enhance the EDGAR security plan to document security requirements for the EDGAR/Fee Momentum subsystem.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: In fiscal year 2012, we reported that the Securities and Exchange Commission (SEC) did not develop a comprehensive vulnerability management scanning strategy. We recommended that SEC develop and implement a comprehensive vulnerability management strategy that includes routine scanning of SEC's systems and evaluation of such scanning to provide for any needed corrective actions. In fiscal year 2013, we verified that SEC, in response to our recommendation, scanned its systems and evaluated the scanning report monthly to provide basis for corrective actions. As a result, SEC reduced the risk of not being able to detect vulnerabilities that could jeopardize the security of its systems.

    Recommendation: To address the deficiencies in internal control over information security, the Chairman of the SEC, should direct the COO and CIO to develop and implement a comprehensive vulnerability management strategy that includes routine scanning of SEC's systems and evaluation of such scanning to provide for any needed corrective actions.

    Agency Affected: United States Securities and Exchange Commission

  4. Status: Closed - Implemented

    Comments: Our fiscal year 2011 audit of SEC's financial statements found that SEC did not consider financial reporting controls relative to its shared service provider's processing of its cash collections, payroll, and investment operations. We recommended that as part of its risk assessment process, SEC include steps for reviewing the internal control reports from all service organizations (SSAE No. 16 reports) key to SEC's financial reporting control environment in time to allow appropriate actions to be taken before the end of the fiscal year to address any identified deficiencies in the design and operating effectiveness of service organization or user entity controls. In response to our recommendation, during fiscal year 2012, SEC developed and implemented policies and procedures for reviewing service organization auditor reports. These added procedures significantly improved SEC's understanding of its complete financial reporting environment and its ability to mitigate deficiencies in security controls that could affect SEC data.

    Recommendation: To address the deficiencies in internal control over review of service auditors' reports, the Chairman of the SEC should direct the COO and Chief Financial Officer (CFO) to, as part of the risk assessment process, include steps for reviewing the Statement on Standards for Attestation Engagements (SSAE) No. 16 reports from all service organizations key to SEC's financial reporting control environment in time to allow appropriate actions to be taken before the end of the fiscal year to address any identified deficiencies in the design and operating effectiveness of service organization or user entity controls.

    Agency Affected: United States Securities and Exchange Commission

  5. Status: Closed - Implemented

    Comments: In fiscal year 2014, SEC implemented updated processes and controls for allocating costs to programs for the preparation of the Statement of Net Cost, and a procedure to compare the sum of all allocated costs to the total actual costs of the various organizations.

    Recommendation: To address the deficiencies in internal control over the financial reporting and accounting processes, the Chairman of the SEC should direct the COO and CFO to document and implement quality assurance procedures over the preparation of the statement of net cost, including a procedure to compare the sum of all allocated costs to the total actual costs of the various organizations to ensure that all such costs are properly and fully allocated.

    Agency Affected: United States Securities and Exchange Commission

  6. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's process for recording obligations did not ensure accurate and complete recording of obligation data in the general ledger system. Although supervisory review was performed by the contracting officer (CO) in the contract management system, SEC's procedures for recording obligations in its financial records did not require supervisory review of the obligation transaction and related contract data prior to recording them in the general ledger. We also found that SEC's process for recording obligations did not ensure timely recording of obligations in the general ledger system. We recommended that SEC strengthen its procedures for supervisory review to include required steps for ensuring (1) the accuracy and completeness of obligation transaction and contract information prior to recording the obligation in the general ledger and (2) timely recording of obligation transactions in the general ledger. Subsequent to our recommendations, SEC migrated to a new general ledger system in fiscal year 2012. As a result, data entered into the contract management system is directly interfaced to the general ledger on a timely basis. SEC also updated its procedures in fiscal year 2013 to require that only approved contracting officers release contracting data into the contract management system. Further, SEC procedures require a monthly manual reconciliation of the data in the contract management system to the general ledger. As a result of these new processes, SEC improved control procedures for ensuring accurate, complete, and timely processing of obligation data in the general ledger system and reduced the risk of material misstatements for the related amounts reported in its financial statements.

    Recommendation: To address the deficiencies in internal control over the accounting and reporting of budgetary resources, the Chairman of the SEC should direct the COO and CFO to enhance current procedures for supervisory review to include required steps for ensuring (a) the accuracy and completeness of the obligation transaction and contract information prior to recording the obligation in the general ledger records and (b) timely recording of obligation transactions in the general ledger.

    Agency Affected: United States Securities and Exchange Commission

  7. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that more than 50 percent of SEC's obligation records we tested did not have obligation information necessary to adequately track the ongoing validity of contract obligations, such as the end of the period of performance (POP), recorded in the general ledger. POP information was not always recorded because SEC's general ledger system did not require this information to be entered as part of the process for recording an obligation transaction in the general ledger. Without reliable POP information, SEC could not use its financial system effectively to timely review contract obligations for ongoing validity. We recommended that SEC implement general ledger system controls to ensure that all applicable information (such as POP) is recorded in the financial system and can be associated with its obligation record. Subsequent to our recommendation, in fiscal year 2012 SEC migrated to a new general ledger system that directly interfaces with SEC's contract management system; thereby allowing staff to retrieve on-demand contract information, such as POP. As a result, SEC reduced the risk of material misstatement related to the validity of recorded open obligations reported in its financial statements.

    Recommendation: To address the deficiencies in internal control over the accounting and reporting of budgetary resources, the Chairman of the SEC should direct the COO and CFO to implement system controls to ensure that all applicable information (such as period of performance, POP) is recorded in the financial system and can be associated with its obligation record.

    Agency Affected: United States Securities and Exchange Commission

  8. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's process for recording obligations did not ensure accurate and complete recording of obligation data in the general ledger system. Specifically, we found that SEC staff entered contract data into the contract management system and separately entered obligation data into the financial management system. We recommended that SEC implement system controls to provide for the review and approval of all obligation transactions and all related contract information by appropriate officials prior to posting the information in the general ledger. Subsequent to our recommendation, SEC migrated to a new financial management system that interfaces with data released from SEC's contract management system. In addition, as of May 2013, SEC implemented a key application control that allows only approved contracting officers to obligate contract data in the contract management system. As a result of these actions, SEC has reduced the risk of material misstatement due to inaccurate or incomplete obligation data in its general ledger.

    Recommendation: To address the deficiencies in internal control over the accounting and reporting of budgetary resources, the Chairman of the SEC should direct the COO and CFO to implement system controls to provide for the review and approval of all obligation transactions and all related contract information by appropriate officials prior to posting the information in the general ledger records.

    Agency Affected: United States Securities and Exchange Commission

  9. Status: Closed - Implemented

    Comments: In July 2012, SEC revised agency regulation SECR 14-1, which now states that only warranted contracting officers and authorized officials may obligate the Commission to pay for goods and services. Further, in March 2014, the Chair of the SEC signed the agency's "Designation of Personnel to Perform Other Functions" which delineated circumstances in which appropriate personnel other than a CO can obligate funds.

    Recommendation: To address the deficiencies in internal control over the accounting and reporting of budgetary resources, the Chairman of the SEC should direct the COO and CFO to revise agency regulation SEC's Regulation (SECR) 14-1 to clearly delineate circumstances under which authority for obligating agency budgetary resources can be delegated to appropriate personnel other than the contracting officer (CO), compare current SOPs and business process procedures documents (BPPs) with SECR 14-1, and make any necessary conforming changes.

    Agency Affected: United States Securities and Exchange Commission

  10. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC did not have key controls in place for timely review of the validity of open obligations to help ensure timely recording of any necessary downward adjustments of prior year obligations and the closeout of contracts with open obligations that are no longer valid. We recommended that SEC develop and implement procedures for ongoing monitoring of the validity of open obligations and timely closeout of any open obligations that are no longer valid. These should include (1) quarterly review of open obligations for ongoing validity based on end of period of performance (POP) or contract completion dates and (2) reconciling SEC's records of contract activity and balances with its key vendors at least annually. In response to our recommendation, in fiscal year 2013, SEC updated its procedures to require a quarterly review of open obligations by SEC's Office of Financial Management. This review includes using POP to determine ongoing validity. As a result, SEC reduced the risk of material misstatement related to the validity of recorded open obligations reported in its financial statements.

    Recommendation: 10.To address the deficiencies in internal control over the accounting for obligation activity, the Chairman of the SEC should direct the COO and CFO to develop and implement procedures for ongoing monitoring of open obligations for validity and timely closeout of any open obligations that are no longer valid. These should include (a) quarterly review of open obligations for ongoing validity based on end of POP or contract completion dates and (b) reconciling SEC's records of contract activity and balances with its key vendors at least annually.

    Agency Affected: United States Securities and Exchange Commission

  11. Status: Closed - Implemented

    Comments: In fiscal year 2012, in our review of a sample of payroll expenditures, we noted that all alternate certifiers were the same organizational level or higher. We, therefore, concluded that SEC performed a review of roles within SEC's time and attendance system to ensure that all supervisors or managers designated as certifiers have an alternate responsible for reviewing the accuracy of time cards in their absence.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to perform a review of roles within SEC's time and attendance system to ensure that all supervisors or managers designated as certifiers have an alternate responsible for reviewing the accuracy of time cards in their absence.

    Agency Affected: United States Securities and Exchange Commission

  12. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that certain payroll controls intended to prevent or detect improper payroll disbursements were not operating as intended throughout the fiscal year. We recommended that SEC develop and implement monitoring procedures to ensure that responsible management officials submit the personnel on board listings within the 30-day SEC policy requirement. In response to our recommendation, during fiscal year 2012, SEC updated its time and attendance policies and procedures to clarify preventive control procedures which would ensure that only active employees were receiving compensation. As a result of the control procedures implemented, SEC significantly reduced the risk of improper payroll payments.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop and implement monitoring procedures to ensure that responsible management officials submit personnel on board listings (POL) within the 30-day SEC policy requirement.

    Agency Affected: United States Securities and Exchange Commission

  13. Status: Open

    Comments: We will review during our FY2015 audit.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop procedures to provide for documented evidence of a certifying official's approval of leave and compensatory time before recording such transactions in the time and attendance system.

    Agency Affected: United States Securities and Exchange Commission

  14. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that certain time and attendance sheets were recorded and submitted by timekeepers on behalf of another employee but lacked the documentation required by SEC. We recommended that SEC develop and implement monitoring procedures to ensure that all time and attendance sheets recorded and submitted on behalf of another employee are supported by documented input from either the employee or the employee's certifier and include a valid reason for why a designated timekeeper is submitting a time and attendance sheet on behalf of another employee. In response, during fiscal year 2012, SEC revised its time and attendance policies and procedures to clarify monitoring requirements in line with our recommendation. As a result, SEC improved its controls over time and attendance sheets recorded and submitted on behalf of another employee.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop and implement monitoring procedures to ensure that all time and attendance sheets recorded and submitted on behalf of another employee are supported by documented input from either the employee or the employee's certifier and include a valid reason for why a designated timekeeper is submitting a time and attendance sheet on behalf of another employee.

    Agency Affected: United States Securities and Exchange Commission

  15. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC's procedures for accruing monthly post-judgment interest amounts on outstanding disgorgement and penalty receivables and the related liability balances were not operating as intended. We recommended that SEC develop an oversight mechanism to ensure that disgorgement and penalty collections are processed and reported in accordance with existing SEC policies and procedures. In response to our recommendation, in fiscal year 2012, SEC revised its accounting procedures to properly record overpayments, revised its collections policy to standardize the recording for all types of collection transactions and developed monitoring procedures over the recording of collections by its service provider in the financial system. As a result, SEC significantly improved control procedures for ensuring compliance with existing SEC policies and procedures for the recording of its disgorgement and penalty collections and reduced the risk of material misstatements for the related amounts reported in its financial statements.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to develop an oversight mechanism to ensure that disgorgement and penalty collections are processed and reported in accordance with existing SEC policies and procedures.

    Agency Affected: United States Securities and Exchange Commission

  16. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we found that SEC incorrectly accounted for and reported certain post-judgment interest (interest that accrues automatically on federal money judgments entered in a civil suit; such interest may be compounded) due to errors in SEC's general ledger posting configurations. Specifically, compounded post-judgment interest was not accounted for in accordance with SEC's policy. We recommended that SEC revise existing posting configurations to account for liability balances related to compounded post-judgment interest amounts in accordance with SEC policy. In response to our recommendation, SEC revised the general ledger posting configurations for the liability balances in April 2012, when SEC transitioned its accounting and reporting processes to its service provider's financial reporting system. Our tests during our fiscal year 2013 audit found that such interest is now being accounted for and reported properly. As a result, SEC has reduced the risk of misstatements in the reporting of post-judgment interest in its financial statements.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to revise existing posting configurations to account for liability balances related to compounded post-judgment interest amounts in accordance with SEC policy.

    Agency Affected: United States Securities and Exchange Commission

  17. Status: Closed - Implemented

    Comments: Our fiscal year 2011 financial statement audit of the Securities and Exchange Commission (SEC) found that SEC was incorrectly accounting for disgorgement and penalty collections that were payable to other federal entities but were remitted to SEC. We recommended that SEC revise existing procedures to properly account for amounts collected on behalf of other federal entities as intragovernmental liabilities. In response to our recommendation, in fiscal year 2012, SEC revised its policy and business process guidance over collections to standardize the accounting for its different types of collections in its financial system. As a result, SEC significantly improved its control procedures for ensuring the accounting and reporting of these transactions is in accordance with GAAP, thereby reducing the risk of material misstatements in its financial statements.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to revise existing procedures to account for amounts collected on behalf of other federal entities as intragovernmental liabilities.

    Agency Affected: United States Securities and Exchange Commission

  18. Status: Closed - Implemented

    Comments: During our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements, we identified one instance in which the receipt of checks remitted to an SEC field office was not timely communicated to SEC's Office of Financial Management (OFM) or deposited in accordance with SEC policy and Miscellaneous Receipt Statute. Specifically, the check was not forwarded to OFM for deposit until 9 months after the check issue date and days before the check expiration date. We recommended that SEC augment existing policies and procedures for check collections to include specific required steps for handling amounts remitted to SEC field offices to ensure compliance with the Miscellaneous Receipts Statute and related Treasury regulation. In response to our recommendation, in fiscal year 2013, SEC established policies to require that check collections remitted to the field offices be delivered to SEC's service provider for processing within one business day of check receipt. Further, the field offices are required to notify the service provider and OFM by email of checks received, and mail the checks-along with any supporting documentation using overnight delivery services-to the service provider. As a result of these new procedures, SEC improved control procedures for ensuring that check collections remitted to the field offices will be promptly communicated and deposited, and reduced the risk of material misstatements for the related amounts reported in its financial statements.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to augment existing policies and procedures for check collections to include specific required steps for handling amounts remitted to SEC field offices to ensure compliance with the Miscellaneous Receipts Statute and related Treasury regulation.

    Agency Affected: United States Securities and Exchange Commission

  19. Status: Closed - Implemented

    Comments: Our fiscal year 2011 audit of the Securities and Exchange Commission's (SEC) financial statements found that SEC did not fully implement effective controls over its purchase card accounts. We recommended that SEC establish an oversight monitoring mechanism to ensure that periodic reviews of cardholder and Approving Official accounts are performed in accordance with Appendix B of Office of Management and Budget's (OMB) Circular No. A-123. In response to our recommendation, in fiscal year 2012, SEC developed and implemented monitoring controls over its purchase card program. As a result, SEC significantly improved its oversight controls over its government purchase card program and thereby decreased the risk of fraud, waste, and error in its operations.

    Recommendation: The Chairman of the SEC should direct the COO and CFO to establish an oversight monitoring mechanism to ensure that periodic reviews of cardholder and approving officials (AO) accounts are being performed in accordance with Appendix B of OMB Circular No. A-123.

    Agency Affected: United States Securities and Exchange Commission

 

Explore the full database of GAO's Open Recommendations »

Jul 30, 2015

Jul 16, 2015

Jul 15, 2015

Jul 10, 2015

Jul 9, 2015

Jul 7, 2015

Jun 30, 2015

Jun 25, 2015

Jun 24, 2015

Jun 17, 2015

Looking for more? Browse all our products here