This is the accessible text file for GAO report number GAO-13-274R 
entitled 'Management Report: Improvements Needed in SEC's Internal 
Controls and Accounting Procedures' which was released on April 5, 
2013. 

GAO-13-274R: 

United States Government Accountability Office: 
Washington, DC 20548: 

April 4, 2013: 

The Honorable Elisse B. Walter: 
Chairman: 
U.S. Securities and Exchange Commission: 

Subject: Management Report: Improvements Needed in SEC's Internal 
Controls and Accounting Procedures: 

Dear Ms. Walter: 

On November 15, 2012, we issued our report containing our opinion on 
the U.S. Securities and Exchange Commission's (SEC) and its Investor 
Protection Fund's (IPF)[Footnote 1] fiscal years 2012 and 2011 
financial statements.[Footnote 2] Our November 2012 report also 
included (1) our opinion on the effectiveness of SEC's internal 
control over financial reporting as of September 30, 2012, and our 
evaluation of SEC's compliance with selected provisions of laws and 
regulations during fiscal year 2012,[Footnote 3] and (2) the two 
significant deficiencies[Footnote 4] we identified in SEC's internal 
control over financial reporting on its budgetary resources and 
property and equipment. 

The purpose of this report is to (1) present additional information 
regarding the significant deficiencies we identified in our November 
2012 report on the results of our SEC financial audit,[Footnote 5] 
along with related new recommendations; (2) communicate other less 
significant control deficiencies we identified in SEC's internal 
controls during our fiscal year 2012 audit along with our related 
recommended corrective actions; and (3) provide an overview of the 
status of our prior recommendations reported as new or open in our 
April 13, 2012, SEC management report.[Footnote 6] 

Results in Brief: 

Our audit of SEC's fiscal years 2012 and 2011 financial statements 
identified two areas of deficiency in SEC's internal control as of 
September 30, 2012, that we determined represented significant 
deficiencies. Specifically, as briefly discussed in our November 2012 
audit report,[Footnote 7] we determined that the aggregation of both 
continuing and new deficiencies in SEC's financial reporting controls 
over (1) budgetary resources and (2) property and equipment 
transactions each constituted significant deficiencies as of September 
30, 2012. These significant control deficiencies may adversely affect 
the accuracy and completeness of information used and reported by 
SEC's management. We are making a total of nine new recommendations to 
address these significant internal control deficiencies. 

In addition to the two significant deficiencies, our fiscal year 2012 
financial audit identified other deficiencies in SEC's internal 
control over financial reporting that, while we did not consider them 
to be material weaknesses or significant deficiencies, nonetheless 
warrant SEC management's attention. We are making a total of nine 
recommendations to address these deficiencies in SEC's controls over 
financial reporting related to: 

* review and monitoring of disgorgement and penalty transactions, 
[Footnote 8] 

* supervisory review and monitoring procedures over manual journal 
entries, 

* the accounts payable accrual methodology, and 

* information security. 

Further, our follow-up on the status of internal control 
recommendations we made in our prior audits found that SEC took action 
to fully address 25 of our 47 prior years' recommendations.[Footnote 
9] Enclosure I provides summary information on the status of SEC's 
actions to address the recommendations reported as open from our prior 
audits as of the conclusion of our fiscal year 2012 audit. 

In commenting on a draft of this report, SEC acknowledged that the 
report contained helpful recommendations. Further, SEC stated that 
continued improvement in the agency's internal control structure, 
particularly in the two significant deficiency areas, budgetary 
resources and property and equipment transactions, is a top priority, 
and cited a number of related remediating efforts under way. SEC's 
written comments are reprinted in enclosure II. 

Scope and Methodology: 

As part of our audit of SEC's fiscal years 2012 and 2011 financial 
statements, we evaluated SEC's internal control over financial 
reporting and tested its compliance with selected provisions of laws 
and regulations. We designed our audit procedures to test relevant 
controls over financial reporting, including those designed to provide 
reasonable assurance that transactions are properly recorded, 
processed, and summarized to permit the preparation of financial 
statements in conformity with U.S. generally accepted accounting 
principles (GAAP), and that assets are safeguarded against loss from 
unauthorized acquisition, use, or disposition. As part of our audit, 
we considered and evaluated the work performed and conclusions reached 
by SEC management in its internal control assessment.[Footnote 10] A 
full discussion of our scope and methodology is included in our 
November 2012 report on our audit of SEC's fiscal years 2012 and 2011 
financial statements.[Footnote 11] 

We conducted our audit of SEC's fiscal years 2012 and 2011 financial 
statements in accordance with U.S. generally accepted government 
auditing standards. We believe our audit provided a reasonable basis 
for our conclusions in this report. 

Significant Deficiency over Budgetary Resources: 

As part of its strategy intended to address previously reported 
significant internal control deficiencies over financial accounting 
and reporting, in April 2012, SEC migrated its core financial system 
operations to a shared service provider. However, its financial system 
operations' migration did not address many control deficiencies that 
we have identified and reported in previous years. For example, these 
efforts did not address previously identified deficiencies in SEC's 
general ledger capabilities for recording obligations and deobligation 
transactions. Further, we identified new control deficiencies during 
our fiscal year 2012 audit related to SEC's monitoring controls over 
the service provider's core financial system operations, including 
those related to budgetary accounting and reporting 
activities.[Footnote 12] We concluded that in the aggregate, these 
continuing and new control deficiencies in (1) monitoring and 
reviewing recorded downward adjustment transactions[Footnote 13] and 
(2) reconciling subsidiary ledger and related general ledger accounts 
for unobligated budget authority constituted a significant deficiency 
in SEC's controls over financial reporting on budgetary resources. 
[Footnote 14] These deficiencies resulted in misstatements in SEC's 
accounting records, which, while sufficiently addressed such that they 
did not materially affect SEC's fiscal year 2012 financial statements, 
could affect the reliability of information reported in future 
Statements of Budgetary Resources (SBR). 

Recording of Downward Adjustment Transactions: 

During our fiscal year 2012 audit, we found continuing internal 
control deficiencies regarding SEC's recording of its downward 
adjustment transactions. Further, SEC did not establish required 
control procedures for monitoring its service provider's capability 
for recording downward adjustment transactions to SEC's prior year 
obligations before the migration of its core financial systems to its 
service provider. As a result, SEC did not detect, prior to the 
migration, that the service provider's financial system could not 
properly and timely record downward adjustments. Specifically, SEC's 
service provider's financial system did not have the capability to 
record downward adjustment transactions to SEC's prior year obligated 
balances as these occurred, and in accordance with Department of the 
Treasury (Treasury) and Office of Management and Budget (OMB) 
accounting guidance for federal agencies.[Footnote 15] Federal 
accounting guidance provides that (1) the deobligations of prior year 
obligations are to be separately accounted for as downward adjustments 
to an entity's prior year obligated balances and (2) they are to be 
reported in the SBR as recoveries from prior year obligations. 
Instead, the service provider's accounting system incorrectly 
accounted for all deobligation transactions as a direct reduction of 
SEC's obligation balance. This resulted in misstatements of balances 
reported in SEC's SBR for recoveries of prior year unpaid obligations 
and obligations incurred, which were not corrected until SEC developed 
a compensating practice for adjusting and correcting erroneous 
deobligation transactions recorded by its service provider in 
September 2012. 

As of the conclusion of our audit, SEC had not documented its monthly 
compensating control practices for monitoring the validity and 
accuracy of its service provider's recording of downward adjustment 
transactions to prior year obligations to ensure that any errors are 
timely detected and corrected through SEC adjusting entries. We also 
found that SEC's undocumented compensating control practices did not 
require obtaining and retaining proper documentation supporting 
certain downward adjustment transactions. For example, our test of 45 
randomly selected transactions found an instance in which a downward 
adjustment transaction was recorded without proper supporting 
documentation. In response to our inquiry regarding SEC's lack of a 
requirement for documenting recorded downward adjustments, SEC 
management issued a directive on September 12, 2012, that required 
responsible SEC personnel to prepare and maintain documentation for 
downward adjustment transactions. Further, because SEC had not yet 
established documented compensating monitoring controls for fiscal 
year 2012, these controls were not considered as part of SEC's annual 
risk assessment process[Footnote 16] during fiscal year 2012. 

Standards for Internal Control in the Federal Government[Footnote 17] 
provides that transactions should be promptly recorded to maintain 
their relevance and value to management in controlling operations and 
making decisions. In addition, it states that internal control should 
be clearly documented in management directives, administrative 
policies, or operating manuals. Without procedures that are fully 
documented and tested as part of the risk assessment process, SEC 
management is not assured that procedures are designed and operating 
effectively and SEC is at increased risk of misstating downward 
adjustments and related activities in its SBR. 

Recommendations for Executive Action: 

To address the deficiencies in internal control over the financial 
reporting related to budgetary resources, we recommend that the 
Chairman direct the Chief Operating Officer (COO) and Chief Financial 
Officer (CFO) to take the following specific actions: 

1. Finalize procedures requiring monitoring of SEC's service 
provider's accounting and reporting on budgetary resources to include 
required steps and documentation requirements for monthly review of 
the propriety and accuracy of downward adjustment transactions to 
identify and process any necessary adjusting entries. 

2. As part of the annual risk assessment process, include required 
steps for assessing SEC's monitoring controls to identify, document, 
and record any downward adjustment transactions to SEC's prior year 
obligations in the general ledger. 

Reconciling General Ledger Unobligated Balances to Subsidiary Records: 

During our fiscal year 2012 audit, we found that SEC's budget 
execution module (subsidiary ledger) for apportioned but unobligated 
balances differed from the related general ledger account balance. 
Specifically, we found that while SEC's subsidiary ledger reflected 
the correct amount for apportioned budget authority available for 
obligation, the related general ledger account balance incorrectly 
included erroneous manual journal adjustments to SEC's apportioned but 
unobligated balance. As a result, available unobligated balance 
reported in SEC's SBR at June 30, 2012, which is prepared from its 
general ledger, was understated by over $42 million. These errors were 
not detected because SEC did not require routine, such as monthly, 
reconciliation of its budget execution module and the related general 
ledger account balances. 

Standards for Internal Control in the Federal Government provides that 
internal control activities include a wide range of diverse control 
activities that management should establish, such as approvals, 
reconciliations, authorizations, and verifications, to ensure that all 
transactions are completely and accurately recorded. Without such 
reconciliation controls, SEC is at increased risk that its SBR may be 
misstated. 

Recommendation for Executive Action: 

To address the deficiency in internal control over accounting and 
financial reporting for apportioned but unobligated balances, we 
recommend that the Chairman direct the COO and CFO to take the 
following specific action: 

3. Develop and implement control procedures to monthly reconcile the 
budget execution module (subsidiary ledger) to the related general 
ledger account balances for SEC's apportioned but unobligated balances. 

Significant Deficiency over Accounting for Property and Equipment: 

Our fiscal year 2012 audit identified continuing and new deficiencies 
related to SEC's controls over recording its property and equipment 
transactions in the general ledger. 

New deficiencies identified in fiscal year 2012 related to SEC's 
controls over (1) monitoring property and equipment transactions 
processed by its shared service provider and (2) physical inventory 
counts for its capitalized assets, to ensure that all capitalized 
assets were counted and that the results of the physical count were 
properly reflected in its financial statements. We concluded that 
taken together, these continuing and new deficiencies in SEC's 
accounting controls over property and equipment represented a 
significant deficiency. While these deficiencies did not materially 
affect SEC's fiscal year 2012 reporting on its property and equipment, 
until these deficiencies are corrected, SEC remains at risk of 
misstatements in its property and equipment reporting and possible 
theft or misuse of its assets. 

Recording of Property and Equipment Transactions: 

Our audit of SEC's fiscal year 2012 financial statements found that 
SEC did not have effective controls to consistently ensure timely and 
accurate recording of its property and equipment transactions. For 
example, we found the following: 

* SEC did not have procedures in place to ensure that assets were 
properly and timely capitalized in the year received. As a result, we 
found that SEC did not capitalize over $5 million in equipment 
received and placed into service in fiscal year 2011 until fiscal year 
2012. Further, once these assets were capitalized in fiscal year 2012, 
SEC did not consider the effect of this misstatement in its analysis 
for evaluating the effect of prior year misstatements in the current 
year financial statements until after we notified SEC of the omission. 
The lack of control procedures to ensure that assets are properly 
capitalized increased SEC's risk that its property and equipment 
balances may be misstated. Further, ineffective procedures over 
adjustments that affect prior periods increased SEC's risk of not 
appropriately considering whether the cumulative effect of all 
property transaction misstatements identified in the current year 
would require revision to prior year or current year financial 
statements. 

* SEC did not have procedures requiring the assessment of new asset 
acquisition costs against established capitalization criteria, 
including validating the propriety of the budget object classification 
(BOC) code that was associated with the obligation at the time it was 
recorded, prior to recording the asset entry. Specifically, under 
SEC's procedures, the acquisition costs assigned to an asset depend on 
the linkage between invoiced costs and the related obligation for 
purchases of capital assets, as identified by the obligation's BOC. As 
we have reported in the past, correct BOCs were not always entered at 
the time of obligation.[Footnote 18] Therefore, when goods and 
services were received, it was necessary for SEC to examine supporting 
documentation to determine if the BOCs used at the time the 
obligations were initially recorded were accurate and make 
adjustments, as needed, to the applicable BOCs. During our 2012 audit, 
we found that the capitalized value of several assets included 
noncapitalizable costs, such as maintenance and service costs, which 
were inappropriately recorded to capitalizable BOCs at the time of 
obligation. SEC corrected these errors with manual adjustments in 
fiscal year 2012. However, the ongoing deficiencies related to the 
recording of its obligation documents for property and equipment 
acquisitions and the lack of control procedures to ensure that 
acquisition costs are appropriate place SEC at increased risk that its 
future property and equipment balances may be misstated. 

Standards for Internal Control in the Federal Government provides that 
management should establish specific control activities to ensure that 
all transactions are completely and accurately recorded. 

Recommendations for Executive Action: 

To address the deficiencies we identified in the recording of property 
and equipment transactions, we recommend that the Chairman direct the 
COO and CFO to take the following specific actions: 

4. Develop and implement control procedures to review all property and 
equipment acquisition transactions to ensure that they are properly 
accounted for in the year-end financial statements. 

5. Augment current procedures to require considering whether the 
cumulative effect of all misstatements of property transactions 
identified in the current year would require revision to prior year or 
current year financial statements. 

6. Develop and implement control procedures to require the review of 
underlying invoices and obligation documents at the time of 
capitalization to ensure that recorded asset acquisition costs 
represent capitalizable costs. 

Monitoring of Property and Equipment Transactions: 

Our audit of SEC's fiscal year 2012 financial statements found that 
SEC did not develop monitoring procedures over property and equipment 
transactions recorded by its service provider at the time of its 
transition to the service provider's general ledger system. SEC 
implemented some of these controls before year-end; however, we 
continued to find deficiencies in the operating effectiveness of SEC's 
monitoring procedures for capitalized transactions in the fourth 
quarter. Specifically, see the following: 

* We identified numerous discrepancies between the acquisition and 
disposal transactions recorded in the financial reporting system 
maintained by the service provider and those included in the manual 
spreadsheet SEC used to monitor property and equipment transactions 
sent to its service provider for processing. These discrepancies 
occurred because SEC's manual spreadsheet was incomplete. 
Specifically, the spreadsheet, which was maintained by SEC's Office of 
Information Technology's Asset Management Branch, only included 
transactions that were submitted to the service provider for 
processing by that branch, but excluded transactions submitted by 
other SEC offices. As a result, other property and equipment 
transactions recorded by SEC's service provider, such as acquisitions 
or disposals of software or leasehold improvements, were not being 
effectively monitored. Ineffective SEC monitoring controls over 
property and equipment transactions processed by its service provider 
placed SEC at increased risk that its property and equipment balances 
may be misstated in the financial statements. 

* SEC did not have documented procedures for monitoring the 
calculation and recording of depreciation and related transactions in 
the general ledger by its service provider. SEC began developing 
monitoring procedures in September 2012. However, these procedures 
were not fully documented during fiscal year 2012. The lack of 
documented procedures for monitoring the service provider's 
calculation and recording of depreciation and related transactions in 
the general ledger placed SEC at increased risk that any errors in the 
recording of depreciation and related transactions may not be timely 
detected and corrected. 

Standards for Internal Control in the Federal Government provides that 
management should establish specific control activities, including 
monitoring controls, to ensure that all transactions are completely 
and accurately recorded. 

Recommendations for Executive Action: 

To address the deficiencies we identified in the monitoring of 
property and equipment transactions, we recommend that the Chairman 
direct the COO and CFO to take the following specific actions: 

7. Augment SEC's service provider monitoring spreadsheet to include 
all property and equipment acquisition and disposal transactions from 
all SEC offices. 

8. Finalize procedures documenting the required steps to be followed 
for monitoring the service provider's calculation and recording of 
property and equipment, depreciation, and related transactions in the 
general ledger. 

Procedures for Annual Property and Equipment Physical Inventory Count: 

SEC's procedures for conducting its annual physical inventory count 
did not include specific steps to be followed to ensure that all 
capitalized assets were counted and that the results of the physical 
count were properly reflected in SEC's financial statements. 
Specifically, through our review of SEC's fiscal year 2012 physical 
inventory count, we found that SEC's procedures did not require the 
following: 

* Reconciling the property and equipment report used for the inventory 
count to the related general ledger balance; therefore, there was no 
assurance that all capitalized property and equipment assets were 
included in the count. 

* Reconciling the responses received from all divisions and offices to 
the items included in the property and equipment report used for the 
inventory count; therefore, there was no assurance that all 
capitalized property and equipment assets included in the report were 
counted. 

* Assessing the extent of any financial statement impact as a result 
of any missing, obsolete, surplused, or additional capitalizable 
assets identified during the count; therefore, there was no assurance 
that the results of the physical count were timely and properly 
reflected in SEC's financial statements. 

Statement of Federal Financial Accounting Standards (SFFAS) 6, 
Accounting for Property, Plant, and Equipment, sets the accounting 
requirements for federally owned property, plant, and equipment. A 
federal agency's compliance with these requirements depends on 
complete and accurate records of the cost and disposition of the 
capital assets for which a federal agency is responsible. Further, 
Standards for Internal Control in the Federal Government states that 
management should establish specific control activities to ensure that 
all transactions are completely and accurately recorded. The lack of 
controls for ensuring the completeness of the inventory count and 
resulting entries during fiscal year 2012 placed SEC at increased risk 
of (1) inaccurately reporting its capitalizable assets and misstating 
certain of its financial statements and (2) loss from theft or misuse 
due to lack of effective inventory controls. 

Recommendation for Executive Action: 

To address the deficiencies we identified in SEC's procedures for 
conducting its annual property and equipment physical inventory count, 
we recommend that the Chairman direct the COO and CFO to take the 
following specific action: 

9. Revise control procedures for conducting the annual physical 
inventory count of property and equipment to include specific steps 
required to: 

* reconcile capitalized property and equipment to be counted with 
related general ledger balances, 

* reconcile division and office responses to the items listed in the 
property and equipment report used for the physical count, and 

* assess and appropriately reflect any financial statement impact of 
any issues identified during the physical count. 

Other Less Significant Deficiencies: 

In addition to the significant deficiencies in internal control over 
financial reporting related to SEC's budgetary resources and property 
and equipment, we identified other deficiencies in SEC's internal 
control that, while not representing material weaknesses or significant 
deficiencies either individually or collectively, nonetheless warrant 
management's attention. These control deficiencies concerned (1) 
review and monitoring of disgorgement and penalty transactions, (2) 
supervisory review and monitoring procedures over manual journal 
entries, (3) accounts payable accrual methodology, and (4) information 
security. 

Recording, Review, and Monitoring of Disgorgement and Penalty 
Transactions: 

As part of its enforcement responsibilities, SEC issues orders and 
administers judgments imposing disgorgement and civil monetary 
penalties on violators of federal securities laws and requiring 
payment of related interest. SEC is responsible for the collection of 
disgorgement and penalties, and recognizes a receivable when an order 
directs payment to the SEC or Treasury.[Footnote 19] SEC is also party 
to court orders directing violators of federal securities laws to pay 
amounts assessed to a federal court or to a nonfederal receiver acting 
on behalf of harmed investors. These orders are not recognized as 
accounts receivable by SEC or reported in its financial statements 
because the debts are payable to, and collected by, another party. SEC 
distributes collected disgorgements and penalties to harmed investors 
in accordance with court orders and judgments. 

Our audit identified deficiencies in SEC's procedures for recording 
and reviewing disgorgement and penalty transactions, including (1) 
inadequate segregation of incompatible responsibilities and (2) 
ineffective review and monitoring of disgorgement and penalty 
transactions. 

Specifically, we found that SEC procedures did not prohibit an 
individual who could match electronic collections to corresponding 
existing accounts receivables from also reviewing and approving 
recorded collections.[Footnote 20] According to Standards for Internal 
Control in the Federal Government, key duties and responsibilities 
should be divided or segregated among different individuals to reduce 
the risk of error or fraud. This should include separating the 
responsibilities for authorizing, processing and recording, and 
reviewing transactions and handling any related assets. Inadequate 
segregation of responsibility for closely related duties of processing 
and reviewing transactions increases the risk that an individual could 
both create and conceal an error or irregularity in SEC's collections 
and accounts receivable balance. 

During our audit, we also found that SEC did not have effective review 
and monitoring procedures for disgorgement and penalty transactions. 
Specifically, see the following: 

* SEC did not require that reviews be performed to ensure that 
disbursements of disgorgement and penalty collections to harmed 
investors were made for the correct amounts and to the correct payees. 
SEC uses Treasury's electronic funds transfer system to process these 
disbursements, and SEC's review procedures over disbursements to 
harmed investors included a required review of summary disbursement 
data after the payments were processed by Treasury and recorded in 
SEC's general ledger by its service provider. However, SEC's review 
procedures did not include requiring verification that individual 
disbursements were made for the correct amounts and to the correct 
payees. 

* SEC did not have procedures requiring the timely review of 
disgorgement and penalty collections to determine whether they were 
owed to SEC or to another party. SEC may receive money related to 
court orders that direct payment be made to a federal court or 
nonfederal receiver, not to SEC or Treasury. In these cases, the 
collections should not be applied to an SEC accounts receivable, but 
are instead to be transferred to the Treasury general fund or to a 
court or receiver. Further, SEC may receive collections without 
accompanying documentation that clearly identifies to which court 
order or judgment the collection relates. Without procedures that 
require the review and analysis of all collections, SEC cannot 
determine whether collections should be applied to a corresponding 
debt or transferred to another entity or to Treasury. This increases 
the risk that SEC's receivable balance and its amount due to the U.S. 
Treasury and other courts and receivers will be misstated. 

SEC's monitoring procedures for accounts receivable transactions 
recorded in the general ledger did not require the review of all 
transactions affecting the balance of accounts receivables. While the 
procedures provided for daily review of original receivable 
transactions recorded in the general ledger, the procedures did not 
require review of all types of accounting entries that could affect 
the disgorgement and penalty accounts receivable balance, such as 
correcting entries. We found that SEC's accounts receivable balance 
was understated by over $1.8 million at September 30, 2012, as a 
result of an erroneous correcting accounting entry that was not 
included in SEC's review. 

Standards for Internal Control in the Federal Government provides that 
transactions should be promptly recorded to maintain their relevance 
in controlling operations and making decisions and that controls 
should be in place to provide reasonable assurance that financial 
transactions are accurately recorded. Without establishing effective 
recording, reviewing, and monitoring procedures over disgorgement and 
penalty transactions, SEC is at increased risk that the transactions 
will not be properly recorded and reported or that any errors will not 
be detected and corrected timely. 

Recommendations for Executive Action: 

We recommend that the Chairman direct the COO and CFO to take the 
following specific actions: 

10. Revise existing collection procedures to provide for segregating 
incompatible responsibilities, including prohibiting an individual 
from both processing and reviewing electronic collections transactions. 

11. Revise existing procedures for review of disbursements 
transactions to include specifically required steps for verification 
of individual disbursements processed by Treasury to ensure that these 
disbursements were made for the correct amounts and to the correct 
payees. 

12. Develop and implement control procedures to include specific steps 
for the review, classification, and disposition of collections in 
order to properly apply collections to an SEC accounts receivable or 
transfer collections to either another entity or to Treasury. 

13. Revise existing procedures for the monitoring of accounts 
receivable transactions recorded in the general ledger to specifically 
require review of all types of accounting entries that could affect 
the accounts receivable balance, including correcting entries. 

Supervisory Review and Monitoring Procedures over Manual Journal 
Entries: 

During our fiscal year 2012 audit, we found that controls over SEC's 
supervisory review process for nonrecurring manual journal voucher 
adjustment entries (JV)[Footnote 21] were not operating effectively. 
Further, we found that SEC's monitoring procedures for reviewing JVs 
processed by its service provider were also not effective. 

SEC's procedures provide that all nonrecurring manual JVs must be 
reviewed by an SEC accountant to, among other things, confirm that the 
posting model used in the entry is complete and correct.[Footnote 22] 
Further, each manual JV must also be approved by the responsible SEC 
branch chief prior to submission of the JV adjustment forms to SEC's 
service provider for processing into SEC's general ledger. After 
processing, the preparer is required to compare the recorded JV to the 
manually approved JV form to ensure consistency. Based on the results 
of our testing of nonrecurring manual JV transactions recorded during 
the year, we determined that these review and monitoring control 
procedures were either not performed or, if performed, were not 
performed effectively. Specifically, our tests identified several 
instances in which SEC's controls for review of manual JVs did not 
prevent or timely detect and correct errors made by SEC personnel or 
SEC's service provider. For example: 

* SEC erroneously recorded a $141 million manual JV for deobligation 
of prior year obligations related to canceled lease obligations as a 
direct reduction to its obligated balance rather than accounting for 
these transactions as recoveries from the deobligation of prior year 
obligations, as required by GAAP. As a result, SEC's recoveries from 
prior year obligations were understated by this amount in its SBR at 
June 30, 2012. SEC identified and corrected this error during the 
fourth quarter of fiscal year 2012. 

* SEC erroneously understated its available unobligated balance 
reported in its SBR at June 30, 2012, by over $42 million, and its 
unobligated balance unavailable was overstated by the same 
amount.[Footnote 23] We found that these reporting errors resulted 
from three manual JVs that erroneously included a reduction to 
allotments rather than a reduction to unapportioned authority. We 
informed SEC of this error, which SEC corrected during the fourth 
quarter of fiscal year 2012. 

* SEC erroneously posted a manual JV to its Fund Balance with Treasury 
general ledger account, which resulted in a $2.4 million misstatement 
of SEC's Fund Balance with Treasury account at June 30, 2012. SEC 
corrected this error during the fourth quarter of fiscal year 2012. 

* In two instances, SEC's service provider did not record the manual 
JV transactions in the general ledger in accordance with the approved 
adjustment form. These errors resulted in misstatements in SEC's 
monthly financial statements and were not corrected until the 
subsequent fiscal month. 

Standards for Internal Control in the Federal Government provides that 
internal control activities include a wide range of diverse control 
activities that management should establish, such as approvals, 
reconciliations, authorizations, and verifications, to ensure that all 
transactions are completely and accurately recorded. Without effective 
review procedures over manual journal entries, SEC will continue to be 
at risk of misstatements in its financial statements. 

Recommendations for Executive Action: 

We recommend that the Chairman direct the COO and CFO to take the 
following specific actions: 

14. Establish a mechanism to ensure that existing supervisory review 
procedures over manual JV transactions are followed to ensure that all 
manual JVs are properly prepared and accurately and timely recorded. 
These procedures could include sending periodic reminders to JV 
reviewers emphasizing existing procedures and the importance of 
adhering to them. 

15. Establish a mechanism to ensure that procedures for reviewing JVs 
processed by SEC's service provider are followed to ensure that all 
manual JVs are recorded in the general ledger in accordance with the 
JV forms approved by SEC management. 

Accounts Payable Accrual Methodology: 

During our fiscal year 2012 audit, we found that SEC did not have 
controls to (1) appropriately assess the reasonableness of certain 
portions of its quarterly accrual for accounts payable amounts 
reported in its financial statements[Footnote 24] and (2) ensure that 
the accounts payable accrual process appropriately considered 
obligations that were primarily for purchases of capital assets. 

We found that SEC's quarterly assessment[Footnote 25] of the accounts 
payable accrual amounts it reported in its fiscal year 2012 financial 
statements was inadequate.[Footnote 26] Specifically, variances 
identified from SEC's quarterly assessment were not statistically 
projectable to the population of open obligations used for estimating 
the accrual amounts for certain accounts payable amounts reported in 
the financial statements. To assess the ongoing relevance of 
assumptions used in its accounts payable accrual methodology, SEC 
procedures require quarterly reviews of accounts payable amounts 
previously accrued against invoices received in subsequent periods. 
SEC's procedures involved performing this review for a random 
selection of individual accounts payable accruals. However, we found 
that as implemented, the random selection did not include monetary 
considerations; consequently, the results of SEC's review were not 
statistically projectable to the population of open obligations used 
for estimating the accrual amounts for certain accounts payable 
amounts reported in the financial statements. As a result, SEC did not 
have the relevant information needed to determine whether the 
variances derived from its review were, in aggregate, acceptable. 
Standards for Internal Control in the Federal Government states that 
activities need to be established to monitor performance measures and 
indicators. These controls could call for comparisons and assessments 
relating different sets of data to one another so that analyses of the 
relationships can be made and appropriate actions taken. Controls 
should also be in place to validate the propriety and integrity of 
these measures and indicators. Without appropriate procedures for 
validating ongoing relevance of its accounts payable accrual 
methodology, SEC is at increased risk that its accounts payable 
balance may be misstated. 

We also found that SEC did not have controls to ensure that its 
accounts payable accrual process appropriately excluded estimates 
derived from obligations that were primarily for purchases of capital 
assets. Specifically, we found that SEC's procedures for calculating 
its accounts payable accrual estimate considered all of its 
undelivered open obligations, but did not distinguish those 
obligations that were primarily for purchases of capital assets. As a 
result, SEC's third and fourth quarter financial statements were 
misstated for accounts payable accrual estimates that inappropriately 
estimated and recorded expenses for certain obligations that were 
primarily for purchases of capital assets.[Footnote 27] 

Standards for Internal Control in the Federal Government provides that 
internal control activities include a wide range of diverse control 
activities that management should establish, such as approvals, 
reconciliations, authorizations, and verifications, to ensure that all 
transactions are completely and accurately recorded. Without controls 
designed and implemented to ensure that its accounts payable accrual 
amount is properly calculated and recorded, SEC is at increased risk 
of inaccurately reporting these and related activities in its 
financial statements. 

Recommendations for Executive Action: 

We recommend that the Chairman direct the COO and CFO to take the 
following specific actions: 

16. Revise SEC's procedures for evaluating the ongoing reasonableness 
of its accounts payable accrual methodology to include steps to ensure 
that the results of reviews will be projectable to the population and 
any variances derived from its review, in aggregate, are acceptable 
for financial reporting purposes. 

17. Revise the accounts payable accrual methodology to specify 
required steps for properly considering obligation amounts for 
capitalized assets. 

Information Security: 

Information security is a critical consideration for any organization 
that depends on information systems and computer networks to carry out 
its mission or business and is especially important for government 
agencies, where maintaining the public's trust is essential. Without 
proper safeguards, systems are vulnerable to individuals and groups 
with malicious intent who can intrude and use their access to obtain 
or manipulate sensitive information, commit fraud, disrupt operations, 
or launch attacks against other computer systems and networks. 

To support its financial operations and store the sensitive 
information it collects, SEC relies extensively on computerized 
systems interconnected by local- and wide-area networks. For example, 
to process and track financial transactions, such as filing fees paid 
by corporations or disgorgements and penalties from enforcement 
activities, SEC relies on several enterprise database applications, 
including (1) EDGAR, which performs the automated collection, 
validation, indexing, acceptance, and forwarding of submissions by 
companies and others that are required to file certain information 
with SEC, and (2) EDGAR/Fee Momentum, a subsystem of EDGAR that 
maintains accounting information pertaining to fees received from 
registrants. In addition, SEC relies on a general support 
system[Footnote 28] network that allows users to communicate with the 
database applications. 

At the conclusion of our fiscal year 2011 audit, we reported a 
significant deficiency in SEC's information security. SEC's strategy 
for addressing its significant internal control deficiencies in 
financial reporting included migrating its core financial system to an 
external service provider. At the conclusion of our fiscal year 2012 
audit, we determined that SEC had successfully managed the migration 
of financial data to an external service provider, implemented certain 
security management procedures for its financial systems, and 
remediated 18 of 21 information security control weaknesses identified 
in previous audits that remained open as of our separate April 13, 
2012, report to SEC. However, despite this progress, we identified new 
weaknesses in information security controls that, while not considered 
material weaknesses or significant deficiencies individually or 
collectively, nonetheless warrant SEC management's attention. 

The new weaknesses in information security controls we identified in 
fiscal year 2012 relate to (1) inadequate access controls over 
financial systems operated by SEC and resources concerning user 
identification and authentication, authorization, and audit and 
monitoring and (2) inconsistent deployment of patches, which could 
jeopardize the data integrity and confidentiality of SEC's financial 
information. These new weaknesses did not affect SEC's core financial 
management system, which, as previously discussed, was migrated to an 
external service provider in fiscal year 2012. 

A basic management objective for any organization is the protection of 
its information systems and critical data from unauthorized access. To 
accomplish this objective, organizations are to design and implement 
controls to prevent, limit, and detect access to resources. These 
controls include identification and authentication, user 
authorization, and audit and logging of system activities. A computer 
system needs to be able to identify and authenticate each user to 
establish effective accountability for activities on the system. In 
this regard, SEC information security policies require establishment 
of access controls over its information systems and critical data to 
prevent unauthorized access. Further, SEC policy requires that each 
user or process be assigned only those privileges or functions needed 
to perform authorized tasks. However, our fiscal year 2012 audit found 
that SEC's controls did not always protect its information systems and 
critical data from unauthorized access, specifically with respect to 
SEC's general support and other financial systems operated by SEC. For 
example, SEC controls were not fully effective in preventing one 
remote host from establishing connections to servers without requiring 
a log-in and password. SEC's controls were also not fully effective in 
establishing strong passwords for access to several network 
infrastructure devices. In addition, SEC did not disable network 
accounts of several separated employees and contractors, and an 
employee had access to a key financial application without 
authorization. Although SEC had designed controls and procedures 
consistent with its policy, these were not consistently implemented, 
which hindered the effective operation of these controls. 

In addition, to establish individual accountability, monitor 
compliance with security policies, and investigate security 
violations, organizations need to determine what, when, and by whom 
specific actions have been taken on a system. Organizations accomplish 
this by implementing system or security software that provides an 
audit trail--a log of system activity--that they can use to determine 
the source of a transaction or attempted transaction and to monitor 
users' activities. However, our fiscal year 2012 audit found that 
SEC's controls did not enable auditing and monitoring of security-
relevant events on one server that supported a financial application. 
These control deficiencies increased the risk that individuals may 
gain unauthorized access to SEC resources and may jeopardize the data 
integrity and confidentiality of SEC's financial data. SEC had 
designed controls and procedures relative to auditing and monitoring; 
however, these were not consistently implemented, which hindered the 
effective operation of these controls. 

Patch management, a component of configuration management, is an 
important element in mitigating the risks associated with software 
vulnerabilities. When a software vulnerability is discovered, the 
software vendor may develop and distribute a patch, or work-around, to 
mitigate the vulnerability. Without the patch, an attacker may be able 
to exploit a software vulnerability to read, modify, or delete 
sensitive information; disrupt operations; or launch attacks against 
systems at another organization. SEC policy requires remediation 
efforts, such as patching, to be implemented within 7 days or less for 
those vulnerabilities deemed to be high risk or critical. However, our 
fiscal year 2012 audit found that SEC did not consistently deploy high-
risk patches on financial application servers, which rendered them 
susceptible to remote and denial-of-service attacks.[Footnote 29] SEC 
had designed controls and procedures consistent with its policy; 
however, these were not consistently implemented, which hindered the 
effective operation of these controls. Failing to apply high-risk 
patches increases the risk of exposing SEC's systems to 
vulnerabilities that could be exploited. 

Recommendations for Executive Action: 

We recommend that the Chairman direct the COO and Chief Information 
Officer to take the following specific action: 

18. Augment control procedures over SEC's information security to 
include specific steps for: 

* configuring SEC's remote host and network infrastructure devices to 
require the use of strong passwords; 

* disabling access of all contractors and employees to SEC's networks 
or financial applications upon separation from SEC; 

* monitoring compliance with information security policies, such as by 
enabling audit and monitoring of software on servers that support 
financial applications; and 

* mitigating software vulnerabilities, for example, by requiring 
installation (or deployment) of high-risk patches, consistent with SEC 
policy. 
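
The following is an added example, not part of the GAO report or of any SEC system. It shows how three of the gaps described above (enabled accounts of separated personnel, high-risk patches outside the 7-day policy, and servers without audit logging) could be checked from inventory data. All host names, users, patch identifiers and dates are constructed, and starting the 7-day clock on the date a vulnerability was rated is an assumption.

```python
"""Added example: checks for three control gaps named in the report.
All hosts, users, patch ids and dates below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# From the report: high-risk or critical vulnerabilities are to be remediated
# within 7 days. Starting the clock at the rating date is an assumption.
PATCH_SLA = timedelta(days=7)
SLA_SEVERITIES = {"high", "critical"}


@dataclass
class Patch:
    patch_id: str
    severity: str
    rated_on: date
    installed_on: Optional[date] = None


@dataclass
class Server:
    name: str
    audit_logging: bool
    patches: list = field(default_factory=list)


@dataclass
class Account:
    system: str
    user: str
    enabled: bool


def stale_accounts(accounts, separations, as_of):
    """Enabled accounts whose owner separated on or before as_of.
    Returns (system, user, days_since_separation) tuples."""
    hits = []
    for acct in accounts:
        left = separations.get(acct.user.lower())  # roster keys are lowercase
        if acct.enabled and left is not None and left <= as_of:
            hits.append((acct.system, acct.user, (as_of - left).days))
    return sorted(hits)


def overdue_patches(servers, as_of):
    """High-risk/critical patches still missing past the deadline, or
    installed after it. Returns (server, patch_id, status, days_over)."""
    findings = []
    for srv in servers:
        for p in srv.patches:
            if p.severity.lower() not in SLA_SEVERITIES:
                continue
            deadline = p.rated_on + PATCH_SLA
            if p.installed_on is None:
                if as_of > deadline:
                    findings.append((srv.name, p.patch_id, "missing",
                                     (as_of - deadline).days))
            elif p.installed_on > deadline:
                findings.append((srv.name, p.patch_id, "late",
                                 (p.installed_on - deadline).days))
    return sorted(findings)


def servers_without_audit(servers):
    """Servers where security-relevant event logging is not enabled."""
    return sorted(s.name for s in servers if not s.audit_logging)


# ---- constructed sample inventory ----
AS_OF = date(2012, 9, 30)
SEPARATIONS = {                      # HR roster: user -> separation date
    "jdoe": date(2012, 6, 15),
    "contractor7": date(2012, 9, 28),
    "asmith": date(2012, 10, 15),    # leaves after AS_OF, not yet stale
}
ACCOUNTS = [
    Account("network", "JDoe", True),
    Account("fin-app", "jdoe", False),
    Account("network", "contractor7", True),
    Account("network", "asmith", True),
    Account("fin-app", "bnguyen", True),
]
SERVERS = [
    Server("fin-db-01", True, [
        Patch("PATCH-A", "critical", date(2012, 9, 1), date(2012, 9, 5)),
        Patch("PATCH-B", "high", date(2012, 9, 10)),
    ]),
    Server("fin-app-02", False, [
        Patch("PATCH-C", "high", date(2012, 8, 1), date(2012, 8, 20)),
        Patch("PATCH-D", "low", date(2012, 7, 1)),
        Patch("PATCH-E", "critical", date(2012, 9, 25)),  # still inside SLA
    ]),
]

if __name__ == "__main__":
    for row in stale_accounts(ACCOUNTS, SEPARATIONS, AS_OF):
        print("stale account:", row)
    for row in overdue_patches(SERVERS, AS_OF):
        print("patch SLA breach:", row)
    for name in servers_without_audit(SERVERS):
        print("no audit logging:", name)
```

Reporting patches that were installed late, not only those still missing, shows whether the 7-day policy was operating over the period rather than only on the day of the check.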

Overview of the Status of Prior Audit Recommendations: 

During our audit of SEC's fiscal year 2012 financial statements, we 
found that SEC took action to address many of the recommendations from 
our prior audits. Specifically, as summarized in enclosure I, SEC took 
action to fully address 25 of the 47 recommendations reported as open 
in our April 13, 2012, management report on the results of our fiscal 
year 2011 audit.[Footnote 30] The 22 previously reported 
recommendations that remained open as of the end of our fiscal year 
2012 financial statement audit relate to financial statement 
preparation and reporting, accounting for budgetary resources, 
disgorgement and penalties and investments, nonpayroll disbursement 
and accrual transactions, and property and equipment. 

Agency Comments and Our Evaluation: 

In her March 25, 2013, written comments on a draft of this report, the 
SEC Chairman acknowledged that the report contained helpful 
recommendations to strengthen SEC's internal control over financial 
reporting. Further, the Chairman stated that SEC is committed to 
investing the time and resources to put its internal controls over 
financial reporting on a strong, sustainable path, and that continued 
improvement in the agency's internal control structure, particularly 
in the two significant deficiency areas, budgetary resources and 
property and equipment transactions, is a top priority. The Chairman 
also cited a number of efforts under way directed at remediating SEC's 
remaining deficiencies. We will evaluate SEC's actions, strategies, 
and plans for addressing these deficiencies as part of our fiscal year 
2013 audit. SEC's written comments are reprinted in enclosure II. 

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. § 720 to submit a written statement on 
actions taken on the recommendations to the Senate Committee on 
Homeland Security and Governmental Affairs and the House Committee on 
Oversight and Government Reform not later than 60 days from the date 
of this report. A written statement also must be sent to the House and 
Senate Committees on Appropriations with your agency's first request 
for appropriations made more than 60 days after the date of this 
report. 

This report is intended for use by SEC management. We are sending 
copies of this report to the Chairmen and Ranking Members of the 
Senate Committee on Banking, Housing, and Urban Affairs; the Senate 
Committee on Homeland Security and Governmental Affairs; the House 
Committee on Financial Services; and the House Committee on Oversight 
and Government Reform. We are also sending copies to the Secretary of 
the Treasury, the Director of the Office of Management and Budget, and 
other interested parties. In addition, this report is available at no 
charge on the GAO website at [hyperlink, http://www.gao.gov]. 

We acknowledge and appreciate the cooperation and assistance provided 
by SEC management and staff during our audit of SEC's fiscal years 
2012 and 2011 financial statements. If you have any questions about 
this report or need assistance in addressing these issues, please 
contact James R. Dalkin at (202) 512-3133 or dalkinj@gao.gov or 
Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff members who 
made key contributions to this report are listed in enclosure III. 

Sincerely yours, 

Signed by: 

James R. Dalkin: 
Director, Financial Management and Assurance: 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

Enclosures - 3: 

[End of section] 

Enclosure I: Status of Recommendations from Prior Audits Reported as 
Open in GAO's 2011 Management Report: 

Audit area: Information system security controls. 

1. Establish and implement appropriate controls to mitigate any 
additional risks that were identified as a result of SEC's 
reevaluation of existing automated information system security 
controls in light of the risks identified in SEC's October 2009 
certification and accreditation procedures for the general ledger 
system and supporting processes; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

2. Establish configuration baselines and related guidance for securing 
systems and monitoring system configuration baseline implementation; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

3. Enhance the EDGAR security plan to document security requirements 
for the EDGAR/Fee Momentum subsystem; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

4. Develop and implement a comprehensive vulnerability management 
strategy that includes routine scanning of SEC's systems and 
evaluation of such scanning to provide for any needed corrective 
actions; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

Audit area: Budgetary resources. 

5. Reconfigure the general ledger system to produce reports necessary 
to both prepare the financial statements and support managing 
operations, such as a consolidated trial balance report and 
undelivered order aging report, respectively, on an ongoing basis; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

6. Correct general ledger system configurations to properly account 
for upward and downward adjustments of prior years' undelivered orders 
in accordance with the U.S. Standard General Ledger; 
Year initially reported: 2008; 
Status of corrective action: In progress. 

7. Establish and implement controls to ensure that SEC staff adheres 
to existing policies and procedures to prevent violations of the 
recording statute; 
Year initially reported: 2008; 
Status of corrective action: Completed. 

8. Develop and implement reconciliation, validation, and analytical 
procedures to ensure the reliability of the Open Obligations Review 
Reports used by the various SEC divisions and offices in their review 
of unliquidated obligations; 
Year initially reported: 2011; 
Status of corrective action: In progress. 

9. Augment existing policies and procedures for recording obligations 
to include, at a minimum, (a) backup procedures for the recording of 
obligations in the event that responsible employees are unable to 
perform their assigned duties and (b) controls designed to ensure that 
SEC offices submit obligating documents to OFM for processing as 
obligations are incurred; 
Year initially reported: 2011; 
Status of corrective action: In progress. 

10. Develop and implement documented control procedures to ensure 
liquidation and/or deobligation of remaining travel obligations after 
the completion of the travel; 
Year initially reported: 2011; 
Status of corrective action: In progress. 

11. Until such time that SEC is able to correct configuration 
limitations of its general ledger system, implement procedures to 
prepare and post correcting budgetary transactions prior to the close 
of the monthly accounting period; 
Year initially reported: 2011; 
Status of corrective action: In progress. 

12. Augment existing policies and procedures to provide for supporting 
documentation for MOs consistent with applicable guidance provided in 
OMB Circular No. A-11; 
Year initially reported: 2011; 
Status of corrective action: Completed. 

13. Develop and implement policies and procedures detailing the steps 
and documentation required to effectively control and monitor travel 
expenses paid through the central billing account (CBA), including 
steps required to ensure documented receipt of refunds or credits for 
travel/tickets that were previously paid for by SEC but subsequently 
canceled; 
Year initially reported: 2011; 
Status of corrective action: In progress. 

14. Enhance current procedures for supervisory review to include 
required steps for ensuring (a) the accuracy and completeness of the 
obligation transaction and contract information prior to recording the 
obligation in the general ledger records and (b) timely recording of 
obligation transactions in the general ledger; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

15. Implement system controls to ensure that all applicable 
information (such as POP) is recorded in the financial system and can 
be associated with its obligation record; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

16. Implement system controls to provide for the review and approval 
of all obligation transactions and all related contract information by 
appropriate officials prior to posting the information in the general 
ledger records; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

17. Revise agency regulation SECR 14-1 to clearly delineate 
circumstances under which authority for obligating agency budgetary 
resources can be delegated to appropriate personnel other than the CO, 
compare current SOPs and BPPs with SECR 14-1, and make any necessary 
conforming changes; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

18. Develop and implement procedures for ongoing monitoring of open 
obligations for validity and timely closeout of any open obligations 
that are no longer valid. These should include (a) quarterly review of 
open obligations for ongoing validity based on end of POP or contract 
completion dates and (b) reconciling SEC's records of contract 
activity and balances with its key vendors, at least annually; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

Audit area: Disgorgements and penalties and investments. 

19. Develop and implement an automated solution that will eliminate 
the manual process of reentering disgorgement and penalties data from 
Phoenix into the general ledger system accounts receivable module; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

20. Reconfigure the disgorgements and penalty accounts receivable 
module to enable production of an accounts receivable aging report; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

21. Augment current procedures to require that Enforcement's reviews 
of disgorgement and penalty data in the case-management system be 
completed prior to closing the accounting period; 
Year initially reported: 2011; 
Status of corrective action: Completed. 

22. Develop an oversight mechanism to ensure that disgorgement and 
penalty collections are processed and reported in accordance with 
existing SEC policies and procedures; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

23. Revise existing posting configurations to account for liability 
balances related to compounded postjudgment interest amounts in 
accordance with SEC policy; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

24. Revise existing procedures to account for amounts collected on 
behalf of other federal entities as intragovernmental liabilities; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

25. Augment existing policies and procedures for check collections to 
include specific required steps for handling amounts remitted to SEC 
field offices to ensure compliance with the Miscellaneous Receipts 
Statute and related Treasury regulation; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

26. Develop and implement an automated subledger that interfaces with 
the general ledger for investment and disgorgement and penalty 
liability transaction activity; 
Year initially reported: 2010; 
Status of corrective action: In progress. 

27. Revise existing posting configurations to account for amounts 
disbursed from SEC's Deposit Suspense Liability accounts in accordance 
with the USSGL; 
Year initially reported: 2011; 
Status of corrective action: Completed. 

Audit area: Filing fees. 

28. Allocate sufficient resources to fully resolve current 
registrations' deposits liability balances in accordance with SEC 
policy and with federal regulations; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

Audit area: Financial reporting. 

29. Establish and implement procedures for performing a comprehensive 
review of all posting configurations and recurring correcting journal 
entries to identify and address any additional departures from 
Treasury's prescribed posting models; 
Year initially reported: 2010; 
Status of corrective action: In progress. 

30. Review current usage of Social Security numbers as a personal 
identifier for federal employees in agency systems and programs and 
establish and implement alternative procedures to eliminate any such 
usage; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

31. Develop and implement a standardized financial statement closing 
schedule with cutoff dates for key month-end accounting transactions 
that should be completed prior to the closing of an accounting period; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

32. Develop and implement a process for reliably preparing accurate 
pro forma financial statements and updating the notes that accompany 
financial statements prior to year-end, preferably with the third 
quarter reporting; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

33. Modify existing policy and procedures to require all employees to 
report labor hours using preset activity and project codes within the 
time and attendance system and establish and implement applicable 
controls to ensure compliance; 
Year initially reported: 2010; 
Status of corrective action: In progress. 

34. Revise and implement procedures over the preparation of the 
statement of net cost to utilize actual data reported by employees on 
their biweekly time and attendance reports; 
Year initially reported: 2010; 
Status of corrective action: In progress. 

35. Augment policies and procedures concerning supervisory review of 
key spreadsheets used for financial disclosures to provide assurance 
that calculations within the spreadsheets are accurate; 
Year initially reported: 2011; 
Status of corrective action: Completed. 

36. Augment existing control procedures over the processing of JV 
transactions to provide assurance that JVs processed into the general 
ledger reflect transactions approved by management. Such procedures 
should provide for accurate JV transaction posting at the account, 
fund, organization, and budget object class levels; 
Year initially reported: 2011; 
Status of corrective action: Completed. 

37. Document and implement quality assurance procedures over the 
preparation of the statement of net cost, including a procedure to 
compare the sum of all allocated costs to the total actual costs of 
the various organizations to ensure that all such costs are properly 
and fully allocated; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

Audit area: Nonpayroll expenses. 

38. Develop and implement control and verification procedures to 
ensure all of SEC's contingency and intragovernmental liability 
transactions comply with SEC's Accounts Payable Accrual As-Is Process 
documentation; 
Year initially reported: 2010; 
Status of corrective action: Completed. 

39. Develop or update and implement policies and procedures for 
reconciling any SEC intragovernmental expense and payable amounts 
reported by GSA to internal SEC data records prior to recording an 
accrual in SEC's general ledger for financial statement reporting; 
Year initially reported: 2010; 
Status of corrective action: In progress. 

40. Develop and implement procedures to provide for appropriately 
documented COTR review of all vendor invoices prior to payment in 
compliance with SEC regulation; 
Year initially reported: 2010; 
Status of corrective action: In progress. 

41. Establish an oversight monitoring mechanism to ensure that 
periodic reviews of cardholder and AO accounts are being performed in 
accordance with Appendix B of OMB Circular No. A-123; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

Audit area: Payroll. 

42. As part of the risk assessment process, include steps for 
reviewing the SSAE No. 16 reports from all service organizations key 
to SEC's financial reporting control environment in time to allow 
appropriate actions to be taken before the end of the fiscal year to 
address any identified deficiencies in the design and operating 
effectiveness of service organization or user entity controls; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

43. Perform a review of roles within SEC's time and attendance system 
to ensure that all supervisors or managers designated as certifiers 
have an alternate responsible for reviewing the accuracy of time cards 
in their absence; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

44. Develop and implement monitoring procedures to ensure that 
responsible management officials submit POL within the 30-day SEC 
policy requirement; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

45. Develop procedures to provide for documented evidence of a 
certifying official's approval of leave and compensatory time before 
recording such transactions in the time and attendance system; 
Year initially reported: 2012; 
Status of corrective action: In progress. 

46. Develop and implement monitoring procedures to ensure that all 
time and attendance sheets recorded and submitted on behalf of another 
employee are supported by documented input from either the employee or 
the employee's certifier and include a valid reason for why a 
designated timekeeper is submitting a time and attendance sheet on 
behalf of another employee; 
Year initially reported: 2012; 
Status of corrective action: Completed. 

Audit area: Property and equipment. 

47. Establish and implement procedures to properly record property and 
equipment receipt transactions using capitalizable project and budget 
object class codes within the general ledger system; 
Year initially reported: 2010; 
Status of corrective action: In progress. 

Source: GAO analysis of SEC data. 

[End of table] 

[End of section] 

Enclosure II: Comments from the U.S. Securities and Exchange 
Commission: 

United States Securities and Exchange Commission: 
The Chairman: 
Washington, D.C. 20549: 
        
March 25, 2013: 

Mr. James R. Dalkin: 
Director: 
Financial Management and Assurance: 
United States Government Accountability Office: 
441 G Street, N.W.
Washington, DC 20548: 

Dear Mr. Dalkin: 

Thank you for the opportunity to respond to the draft report entitled 
Management Report: Improvements Needed in SEC's Internal Controls and 
Accounting Procedures (GAO-13-274R). The report contains a number of 
helpful recommendations to strengthen the SEC's internal controls over 
financial reporting. 

I am extremely pleased that the GAO found the SEC again had no 
material weaknesses in its financial controls audit for FY 2012. I am 
delighted that the SEC was able to maintain the effectiveness of its 
internal controls while successfully completing its transition to a 
Federal Shared Service Provider (FSSP) model, engaging with the 
Department of Transportation's Enterprise Service Center (ESC). As 
your draft report noted, our internal control structure continues to 
warrant additional improvements, particularly in the two significant 
deficiency areas of budgetary resources and property and equipment 
transactions. Continued improvement in these areas is a top priority 
of the SEC. 

While we have made significant strides in the SEC's multi-year path 
towards a strong, sustainable internal control posture, the agency 
will continue to dedicate its energy towards remediating our remaining 
deficiencies. These efforts include: 

* Strengthening our process for de-obligating funds from completed 
contracts, and ensuring we incorporate appropriate accounting 
adjustments for these amounts; 

* Improving controls over the review of property transactions and 
formalizing the process for conducting the physical inventory of 
property and equipment; 

* Further enhancing the policies and procedures around accounting for
disgorgement, post-judgment interest, and penalty transactions; 

* Enhancing controls around the review and monitoring of manual 
journal entries; and 

* Augmenting control procedures over SEC's information security. 

The SEC is committed to investing the time and resources to put its 
internal controls over financial reporting on a strong, sustainable 
path. I look forward to continuing to work with you in the coming 
months as this effort unfolds. 

If you have any questions, please do not hesitate to contact Kenneth 
A. Johnson, the SEC's Chief Financial Officer, at (202) 551-4306. 

Sincerely, 

Signed by: 

Elisse B. Walter: 
Chairman: 

[End of section] 

Enclosure III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

James R. Dalkin, (202) 512-3133 or dalkinj@gao.gov: 

Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the contacts named above, the following individuals 
made key contributions to this report: Kristen A. Kociolek (Lead 
Assistant Director), Michael W. Gilmore, Meafelia P. Gusukuma, Eric 
Holbrook, Duc Ngo, David E. Ramirez, Rebecca Riklin, and Henry I. 
Sutanto. 

[End of section] 

Footnotes: 

[1] IPF was established in 2010 to fund the activities of SEC's 
whistleblower award program and the SEC Office of Inspector General's 
suggestion program for SEC employees. Dodd-Frank Wall Street Reform 
and Consumer Protection Act, Pub. L. No. 111-203, § 922(a), 124 Stat. 
1376, 1844 (2010) (codified at 15 U.S.C. § 78u-6(g)(2)). IPF is a 
separate fund within SEC and its financial statements present a 
segment of SEC financial activity. Accordingly, IPF's financial 
transactions are also included in SEC's financial statements. However, 
the significant deficiencies discussed in our audit report [hyperlink, 
http://www.gao.gov/products/GAO-13-122R] pertain to SEC's financial 
reporting but not that of IPF because of the nature of IPF's financial 
transactions during fiscal year 2012. 

[2] GAO, Financial Audit: Securities and Exchange Commission Fiscal 
Years 2012 and 2011 Financial Statements, [hyperlink, 
http://www.gao.gov/products/GAO-13-122R] (Washington, D.C.: Nov. 15, 
2012). 

[3] [hyperlink, http://www.gao.gov/products/GAO-13-122R]. 

[4] A significant deficiency is a deficiency, or a combination of 
deficiencies, in internal control that is less severe than a material 
weakness, yet important enough to merit attention by those charged 
with governance. In contrast, a material weakness is a deficiency, or 
combination of deficiencies, in internal control such that there is a 
reasonable possibility that a material misstatement of the entity's 
financial statements will not be prevented or detected and corrected 
on a timely basis. A control deficiency exists when the design or 
operation of a control does not allow management or employees in the 
normal course of performing their assigned functions to prevent or 
detect and correct misstatements on a timely basis. 

[5] See enclosure I for the list of open recommendations relating to 
continuing control deficiencies that contributed to the significant 
deficiencies over financial reporting discussed in our audit opinion 
report, [hyperlink, http://www.gao.gov/products/GAO-13-122R]. 

[6] GAO, Management Report: Improvements Needed in SEC's Internal 
Controls and Accounting Procedures, [hyperlink, 
http://www.gao.gov/products/GAO-12-424R] (Washington, D.C.: Apr. 13, 
2012). 

[7] [hyperlink, http://www.gao.gov/products/GAO-13-122R]. 

[8] A disgorgement is the repayment of illegally gained profits (or 
avoided losses) for distribution to harmed investors whenever 
feasible. A penalty is a monetary payment from a violator of 
securities law that SEC obtains pursuant to statutory authority. A 
penalty is fundamentally a punitive measure, although penalties 
occasionally can be used to compensate harmed investors. 

[9] [hyperlink, http://www.gao.gov/products/GAO-12-424R]. 

[10] Office of Management and Budget Circular No. A-123, Management's 
Responsibility for Internal Control, defines management's 
responsibility for internal control in federal agencies and 
establishes requirements for documenting, testing, and making an 
assessment on the effectiveness of internal controls. 

[11] [hyperlink, http://www.gao.gov/products/GAO-13-122R]. 

[12] The role of the service provider includes recording transactions 
in SEC's core financial system; however, SEC management is responsible 
for reviewing, approving, and monitoring the recorded transactions. 
The service provider's Standards for Attestation Engagements No. 16 
report listed several user controls that should be in place at SEC, as 
a user organization, in order for SEC to rely on the specified 
internal controls of the service provider. One such control provided 
that in order for the customer entity to have effective control over 
its accounting transactions, user entities need to establish controls 
that monitor, review, and approve all transactions processed by the 
service provider to ensure that their financial reporting is complete, 
accurate, and timely. 

[13] Downward adjustments are deobligations of obligations recorded in 
prior budget fiscal years. Deobligation refers to an agency's 
cancellation or downward adjustment of previously incurred 
obligations. Deobligated funds may be reobligated within the period of 
availability of the appropriation. For example, annual appropriated 
funds may be reobligated in the fiscal year in which the funds were 
appropriated, while multiyear or no-year appropriated funds may be 
reobligated in the same or subsequent fiscal years. 

[14] [hyperlink, http://www.gao.gov/products/GAO-13-122R]. 

[15] Treasury's guidance requires federal agencies to account for 
downward adjustments to prior year obligations as recoveries from 
previously recorded obligations, which provide budgetary resources to 
the agency. Recoveries of prior year obligations are also tracked by 
OMB relative to its role in monitoring the execution of the Budget of 
the United States Government. OMB requires recording of these 
transactions when there is documentary evidence that the price is 
reduced. 

[16] This is the process by which SEC (1) evaluates financial 
reporting assertions and the risk of material misstatements and (2) 
defines control objectives and develops related control activities to 
manage the risk of misstatement. SEC's Internal Control Policy states 
that its risk assessment process requires an evaluation of the 
financial reporting assertions that are applicable to significant 
financial statement line items and related general ledger accounts. 
SEC then defines risks of material misstatement that are relevant to 
the assertion. Finally, SEC defines control objectives and develops 
related control activities that are necessary to fulfill the assertion 
and mitigate the potential for misstatement. SEC re-performs its risk 
assessment process annually and as needed to address changes to its 
internal and external environments. 

[17] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). 

[18] GAO, Financial Audit: Securities and Exchange Commission's 
Financial Statements for Fiscal Years 2009 and 2008, [hyperlink, 
http://www.gao.gov/products/GAO-10-250] (Washington, D.C.: Nov. 16, 
2009). 

[19] SEC records an intragovernmental accounts receivable and an equal 
amount for offsetting intragovernmental custodial liability if an 
order or a final judgment directs SEC to transfer amounts collected to 
the Treasury general fund. 

[20] SEC collects disgorgement, penalties, and interest through 
checks, wires, the government-wide Pay.gov website, and intra-agency 
fund transfers. SEC has procedures that require the segregation of 
duties for collections received by check, but lacked procedures 
requiring segregation of duties for electronic collections and those 
received through wires, the Pay.gov website, and intra-agency fund 
transfers. 

[21] Nonrecurring manual JVs are adjustments to general ledger 
balances outside of SEC's automated transaction process, such as 
accruals or corrections of errors. 

[22] Treasury's U.S. Standard General Ledger, a supplement to the 
Treasury Financial Manual, provides a uniform Chart of Accounts and 
technical guidance to be used in standardizing federal agency 
accounting. The guidance, among other things, includes (1) uniform 
chart of accounts and the related general ledger account definitions 
and (2) a list of account transactions for accounting for financial 
events occurring throughout the federal government and the related 
basic standard posting logic (also a posting model). 

[23] See "Reconciling General Ledger Balances to Subsidiary Records" 
in the "Significant Deficiency over Budgetary Resources" section of 
this report. 

[24] SFFAS No. 1, Accounting for Selected Assets and Liabilities, 
provides that when an entity accepts title to goods, whether the goods 
are delivered or in transit, the entity should recognize a liability 
for the unpaid amount of the goods. If invoices for those goods are 
not available when financial statements are prepared, the amounts owed 
should be estimated. According to Statement of Federal Financial 
Accounting Concepts No. 1, Objectives of Federal Financial Reporting, 
"reliability [of financial information] does not imply precision or 
certainty," but "reliability is affected by the degree of estimation 
in the measurement process and by uncertainties inherent in what is 
being measured." Thus, an amount reported in the financial statements 
may be "fairly stated" but still imprecise. 

[25] This quarterly assessment involves comparing randomly selected 
obligation amounts SEC included in its accounts payable accrual as 
having been delivered for financial reporting purposes, following its 
estimation methodology, against actual deliveries. 

[26] SEC Regulation 10-15 provides that contracting officer's 
representatives (COR) are responsible for ensuring that supplies are 
delivered, services are performed, or both according to the provisions 
of the contract. CORs are to document and maintain records that 
sufficiently describe all actions. SEC's methodology for estimating 
the delivered portions of its undelivered obligations does not involve 
review of individual obligations amounting to less than $1 million by 
the responsible COR. At June 30, 2012, approximately $16 million of 
the accounts payable balance reported in SEC's financial statements 
was not verified for accuracy by a COR. 

[27] SFFAS No. 6, Accounting for Property, Plant, and Equipment, 
provides that property, plant, and equipment (PP&E) shall be 
recognized when title passes to the acquiring entity or when the PP&E 
is delivered to the entity or to an agent of the entity and that 
acquisition cost of general PP&E shall be recognized as an asset and 
expensed over its useful life. 

[28] General support system refers to the integrated client-server 
system composed of local- and wide-area networks that is organized into 
distinct subsystems based along SEC's organizational and functional 
lines. The general support system provides services to internal and 
external customers who use them for their business applications. It 
also provides the necessary security services to support these 
applications. 

[29] Denial of service is the prevention of authorized access to 
resources or the delaying of time-critical operations. 

[30] [hyperlink, http://www.gao.gov/products/GAO-12-424R]. 

[End of document]