This is the accessible text file for GAO report number GAO-06-239 entitled 'Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Years 2005 and 2004' which was released on November 17, 2005. Report to the Chairman, U.S. Securities and Exchange Commission: November 2005: Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Years 2005 and 2004: GAO-06-239: GAO Highlights: Highlights of GAO-06-239, a report to Chairman of the Securities and Exchange Commission: Why GAO Did This Study: Established in 1934 to enforce the securities laws and protect investors, the Securities and Exchange Commission (SEC) plays an important role in maintaining the integrity of the U.S. securities markets. 
Pursuant to the Accountability of Tax Dollars Act of 2002, the SEC is required to prepare and submit to Congress and the Office of Management and Budget audited financial statements. GAO agreed, under its audit authority, to perform the audit of SEC’s financial statements. GAO’s audit was done to determine whether, in all material respects, (1) SEC’s fiscal year 2005 financial statements were reliable and (2) SEC’s management maintained effective internal control over financial reporting and compliance with laws and regulations. We also tested SEC’s compliance with certain laws and regulations. What GAO Found: In GAO’s opinion, SEC’s fiscal year 2005 financial statements were fairly presented in all material respects. A notable achievement during fiscal year 2005 was SEC’s acceleration of its financial reporting and issuance of its audited financial statements by November 15, 2005. However, because of continued material internal control weaknesses in the areas of preparing financial statements and related disclosures, recording and reporting disgorgements and penalties, and information security, in GAO’s opinion, SEC did not maintain effective internal control over financial reporting as of September 30, 2005. Recommendations for corrective actions will be included in a separate report. SEC did maintain in all material respects effective internal control over compliance with laws and regulations we tested as of September 30, 2005, and GAO did not find reportable instances of noncompliance with laws and regulations it tested. For the preparation of its financial statements, SEC has drafted some policies and procedures, improved communication among SEC divisions, and improved subsidiary ledgers that support financial statement amounts. However, SEC’s financial reporting process continues to be largely manual and difficult to follow. 
The link between the financial statements and the detailed account balances was not supported by an adequate audit trail; support for certain balances was not readily available; and policies for financial reporting were still incomplete. SEC’s Office of Financial Management does not have sufficient staff with expertise in financial reporting, resulting in too many responsibilities vested with too few people, causing problems with segregation of duties, achieving quality assurance reviews, and being able to effectively manage the workload. In the area of disgorgements and penalties, SEC has undertaken a comprehensive review of related financial data and has identified many inaccuracies which it is in the process of correcting. Contributing to SEC’s control weakness in this area are limitations in SEC’s database used to track disgorgement- and penalty-related activity. The database is not designed to facilitate accounting and financial reporting, causing SEC to perform extensive, manual procedures to account for this activity. During our fiscal year 2005 audit, we continued to find inaccuracies in the data that were similar to what we found during the fiscal year 2004 audit. SEC has taken steps to strengthen its information security by increasing staffing, certifying and accrediting applications, and establishing a backup data center. However, most of the weaknesses identified in our fiscal year 2004 audit persisted, and we identified additional weaknesses, including several important aspects of access control. Key to SEC’s weakness in information security control is that it has not fully implemented a comprehensive program for security management. Such a program is fundamental to protecting the integrity, confidentiality, and availability of SEC’s sensitive data. The full product, including the scope and methodology, is available at www.gao.gov/cgi-bin/getrpt?GAO-06-239. 
For more information, contact Jeanette Franzel at (202) 512-9471 or franzelj@gao.gov. [End of section] Contents: Letter: Auditor's Report: Opinion on Financial Statements: Opinion on Internal Control: Material Weaknesses: Compliance with Laws and Regulations: Consistency of Other Information: Objectives, Scope, and Methodology: SEC Comments and Our Evaluation: Management Discussion Analysis: Financial Statements: Balance Sheets: Statements of Net Cost: Statements of Net Position: Statements of Budgetary Resources: Statements of Financing: Statements of Custodial Activity: Notes to the Financial Statements: Required Supplemental Information: Appendix: Appendix I: Comments from the Securities and Exchange Commission: Letter November 15, 2005: The Honorable Christopher Cox: Chairman: U.S. Securities and Exchange Commission: Dear Mr. Cox: This report presents our opinion on whether the financial statements of the Securities and Exchange Commission (SEC) are presented fairly for the fiscal years ended September 30, 2005, and 2004. This report also presents (1) our opinion on the effectiveness of SEC's internal control over financial reporting and compliance as of September 30, 2005, including weaknesses in financial reporting controls detected during our 2005 audit; and (2) the results of our tests of SEC's compliance with selected laws and regulations during 2005. The Accountability of Tax Dollars Act of 2002 requires that SEC prepare and submit to Congress and the Office of Management and Budget (OMB) audited financial statements. GAO agreed, under its audit authority, to perform the audit of SEC's financial statements. GAO conducted this audit in accordance with U.S. generally accepted government auditing standards and OMB audit guidance. This is the second year that SEC has prepared a complete set of financial statements for audit. A notable achievement during fiscal year 2005 was SEC's acceleration of its financial reporting. 
SEC was able to prepare financial statements that were fairly stated in all material respects for fiscal year 2005 by November 15, 2005, in accordance with OMB timeframes. This due date was met through the tremendous dedication of time and effort from SEC management and staff.

We are sending copies of this report to the Chairman and Ranking Minority Members of the Senate Committee on Banking, Housing, and Urban Affairs; the Senate Committee on Homeland Security and Governmental Affairs; the House Committee on Financial Services; and the House Committee on Government Reform. We are also sending copies to the Secretary of the Treasury, the Director of the Office of Management and Budget, and other interested parties. In addition, this report will be available at no charge on the GAO Web site at http://www.gao.gov.

This report was prepared under the direction of Jeanette M. Franzel, Director, Financial Management and Assurance, who can be reached at (202) 512-9471 or franzelj@gao.gov. If I can be of further assistance, please call me at (202) 512-5500.

Sincerely yours,

Signed by:

David M. Walker:
Comptroller General of the United States:

Auditor's Report

To the Chairman of the United States Securities and Exchange Commission:

In our audits of the United States Securities and Exchange Commission (SEC) for fiscal years 2005 and 2004, we found:

* the financial statements as of and for the fiscal years ended September 30, 2005, and 2004, including the accompanying notes, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles;

* SEC did not have effective internal control over financial reporting (including safeguarding of assets), but had effective control over compliance with laws and regulations we tested that could have a direct and material effect on the financial statements as of September 30, 2005; and

* no reportable noncompliance with laws and regulations we tested.
The following sections discuss in more detail (1) these conclusions as well as our conclusions on Management's Discussion and Analysis and other supplementary information and (2) the objectives, scope, and methodology of our audit. Opinion on Financial Statements: The SEC's balance sheets as of September 30, 2005, and 2004, and its related statements of net cost, changes in net position, budgetary resources, financing, and custodial activity, with accompanying notes for the fiscal years then ended, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles. However, misstatements may nevertheless occur in other financial information reported by SEC as a result of the internal control weaknesses described in this report. Opinion on Internal Control: This is the second year that SEC has prepared a complete set of financial statements for audit. Despite the specific issues with internal control explained below, SEC was able to prepare financial statements that were fairly stated in all material respects for fiscal years 2005 and 2004. A notable achievement during fiscal year 2005 was SEC's acceleration of its financial reporting. SEC was able to issue financial statements that were fairly stated in all material respects for fiscal year 2005 by November 15, 2005, in accordance with OMB timeframes. This due date was met through the tremendous dedication of time and effort from SEC management and staff. The acceleration did serve to highlight the difficulties in SEC's financial reporting process and the accounting and reporting for disgorgements that we identified in our fiscal year 2004 audit. In addition, SEC continues to have weaknesses in its information security controls. 
Because of the material weaknesses in internal control discussed below, in our opinion, SEC did not maintain effective internal control over financial reporting (including safeguarding of assets) as of September 30, 2005, and thus did not provide reasonable assurance that losses and misstatements material in relation to the financial statements would be prevented or detected on a timely basis. However, SEC maintained in all material respects effective internal control over compliance with laws and regulations as of September 30, 2005, that provided reasonable assurance that noncompliance with laws and regulations that are direct and material in relation to the financial statements would be prevented or detected on a timely basis.[Footnote 1]

Material Weaknesses:

As a result of our fiscal year 2005 audit, we concluded that SEC continues to face the following key issues that we reported as part of our audit of SEC's fiscal year 2004 financial statements, which represent material weaknesses in internal controls:

* weaknesses in controls over the financial reporting process, resulting in SEC not being able to prepare reliable and timely financial statements without extensive and time-consuming manual procedures;

* weaknesses in controls over recording and reporting of disgorgement[Footnote 2] and penalty[Footnote 3] activity pertaining to those who violate securities laws, resulting in increased risk of incomplete or inaccurate disgorgement and penalty data; and

* weaknesses in information security controls, resulting in increased risk of unauthorized individuals being allowed to access, alter, or abuse proprietary SEC programs and electronic data and assets.

We have reported on these material weaknesses in our prior audit and have provided SEC recommendations to address these issues.[Footnote 4] SEC has made some progress in resolving these matters; however, these matters remain as material weaknesses as of September 30, 2005. 
These material weaknesses were considered in determining the nature, timing, and extent of audit tests applied in our audits of SEC's fiscal year 2005 and 2004 financial statements, and our opinion on internal control does not affect our financial audit opinion on the financial statements. The details surrounding these weaknesses are being reported separately to SEC management, along with recommendations for corrective actions. Less significant matters involving SEC's system of internal controls and its operations will also be reported to SEC separately. Financial Statement Preparation Process: In response to the findings of our fiscal year 2004 audit, SEC has taken some steps to address control weaknesses over preparing financial statements and related disclosures. For example, in August 2005, SEC drafted some policies and procedures for its financial statement preparation process. SEC also established a process to improve communication among other SEC divisions whose work impacts the financial statements, and SEC has improved its ability to produce subsidiary ledgers that support financial statement amounts. At the same time, SEC's financial reporting process continues to be manually intensive and time consuming, with numerous ad hoc procedures. For certain financial statement line items and disclosures, the detailed support for the balances and underlying transactions was not readily available, was difficult to retrieve, and did not easily facilitate an audit trail. In addition, SEC is still lacking policies and procedures for recording many of its activities, such as its process for determining disgorgement and penalty amounts receivable, for recording investment activity, and for reconciling certain account balances such as the fiduciary liability. Many policies and procedures that do exist are still in draft, are complicated and not easy to follow, or in some cases are outdated or not comprehensive. 
In addition, SEC still does not have an easy-to-follow process for compiling financial statement amounts to enable a cross-walk from the financial statements to the general ledger and supporting subsidiary schedules. Furthermore, certain balances on the financial statements do not readily agree to supporting detail. SEC's Office of Financial Management, the office charged with SEC's financial reporting and financial management, does not have sufficient staff with expertise in financial reporting. As a result, too many responsibilities have been vested with too few people, causing problems such as inadequate segregation of duties, inadequate quality assurance reviews, and difficulties managing the financial reporting workload. Because of these issues, SEC needed to dedicate considerable time and resources from its operating divisions to assist its Office of Financial Management in reconciling the financial statement amounts to its supporting general ledger balances and other supporting detail. SEC's financial reporting process can be strengthened by increased interaction with and input from the program operations' offices responsible for key financial data needed for financial reporting. Controls over the financial statement preparation process should be designed to provide reasonable assurance regarding the reliability of the balances and disclosures reported in the financial statements and related notes in conformity with generally accepted accounting principles, including the maintenance of detailed support that accurately and fairly reflects the transactions making up the balances in the financial statements and disclosures. GAO's Standards for Internal Control in the Federal Government[Footnote 5] provide an overall framework for establishing and maintaining internal control, including a discussion of control activities, management review, and documentation of processes and transactions. 
A financial statement preparation process with documented comprehensive policies and procedures, a clear audit trail between the financial statement balances and the detailed support, and quality assurance reviews, if properly designed and implemented, should provide SEC management with reasonable assurance that the balances presented in the financial statements and related disclosures are supported by SEC's underlying accounting records. We believe SEC can use the lessons learned from the fiscal year 2005 financial reporting and audit processes to further formalize and improve its process for developing and reviewing the figures needed to compile and prepare its year-end and interim financial statements. Disgorgements and Penalties: As part of its enforcement responsibilities, SEC issues and administers judgments ordering, among other things, disgorgements, civil monetary penalties, and interest against violators of federal securities laws. These transactions involve material amounts of collections, and the recording and reporting of fiduciary and custodial liability balances on the financial statements.[Footnote 6] As shown in SEC's Statement of Custodial Activity, SEC collected more than $1.6 billion from federal securities laws violators during fiscal year 2005. Of that total, approximately $302 million was distributed to harmed investors; $207 million was transferred to the Treasury; and approximately $1.1 billion is being held by the SEC for future distribution to harmed investors. In total, SEC held approximately $1.976 billion in such funds at September 30, 2005, for future distribution to harmed investors. These amounts are recorded in the fiduciary liability, investments, and fund balance with Treasury line items, with additional detail provided in note 18 to the financial statements. SEC also has recorded fines and penalties receivable of approximately $1.365 billion, of which it estimates that approximately $96 million will be collectible. 
These amounts are included in SEC's accounts receivable and custodial liabilities line items, with additional detail provided in note 6 to the financial statements. Since our fiscal year 2004 audit, SEC has undertaken a comprehensive review of the disgorgement and penalty financial data in its database, which includes data on over 12,000 parties in SEC enforcement issues. SEC's review uncovered a significant amount of financial data inaccuracies which it is still in the process of correcting. Our audit testing for fiscal year 2005 continued to find similar control weaknesses and data inaccuracies to the problems we noted during our audit of SEC's fiscal year 2004 financial statements. Contributing to SEC's control weaknesses in these areas is that the database SEC uses to record and report disgorgements and penalties data has limitations and is not designed to facilitate accounting for and financial reporting of the data. To compensate for limitations in the disgorgements and penalties database, SEC staff perform extensive manual procedures to compile quarterly subsidiary ledgers to update the accounting system for disgorgement- and penalty-related balances and activity (including cash receipts and disbursements). As we noted in our fiscal year 2004 audit, while SEC has a draft policy covering certain aspects of accounting for disgorgements and penalties, the policy is not comprehensive and does not include the process and controls for determining the amounts to be recorded for disgorgements and penalty activity and for reviewing the entries. In addition, SEC does not have a policy that includes formal procedures to provide assurance that the cash collections have been properly credited to the appropriate cases in the appropriate amounts in the related subsidiary records for investments and fund balance with Treasury. 
Furthermore, SEC's policies do not include formal procedures to provide assurance that cash disbursements are properly tracked in the related subsidiary ledgers that provide information on the status of each case. As we have again found during the fiscal year 2005 financial statement audit, not having comprehensive policies and controls increases the risk that disgorgement and penalty transactions will not be completely, accurately, and consistently recorded and reported. Although we were able to obtain sufficient audit support for SEC's estimated collectible amount of $96 million, we noted significant errors and misstatements in the recorded gross accounts receivable balance of $1.365 billion and the related allowance for loss of $1.269 billion. Specifically, we noted errors and/or inconsistent treatment in recording judgment and interest amounts, terminated debts, waivers, and recording of activity such as amounts paid by defendants. Contributing to these errors is the lack of a clear policy, communication, and coordination between the two key SEC units, both responsible for disgorgement and penalty activity, addressing the supporting documents needed to record the activity, as well as the lack of follow-up procedures to ensure that the activity is being recorded in a timely fashion and in the proper reporting period.[Footnote 7] In most cases, these errors were offsetting through the allowance for loss account; however, such errors raise concern about the controls over the reliability of the gross accounts receivable and related allowance amounts reported in note 6 to the financial statements. 
Establishing proper controls and policies and procedures over the recording of disgorgement and penalty activity and the related collections and adopting a new accounting system to capture the activity for financial reporting purposes are necessary to provide reasonable assurance that disgorgement and penalty transactions are recorded in a complete, accurate, and timely manner for management's use in decision making and tracking of operations, and to facilitate the preparation of financial statements and related disclosures. The process should also include maintaining supporting documentation that, in reasonable detail, supports the transactions that are recorded, and monitoring the data input, data modifications, and the related financial reporting process for reliability. Due to the importance of these activities to SEC's mission and the magnitude of the amounts, it is of critical importance that the internal control weaknesses in this area be addressed.[Footnote 8] Information Security: Effective information system controls are essential to providing reasonable assurance that financial information and financial assets are adequately safeguarded from inadvertent or deliberate misuse, fraudulent use, improper disclosure, or destruction. These controls are part of an entitywide computer security management program that includes access controls, system software, application development and change controls, segregation of duties, and service continuity controls. A comprehensive entitywide security management program must be established in order to ensure effective information security controls and to provide a systemic approach to identifying and addressing security weaknesses. 
An effective program would include issuing guidance and implementing procedures for assessing risks, establishing policies and related controls, raising awareness of prevailing risks and mitigating controls, evaluating the effectiveness of established controls, and using the results of management's evaluation to continuously improve controls. SEC relies extensively on computerized information systems to process, account for, and report on its financial activities and make payments. As part of the financial statement audit, we assessed the effectiveness of SEC's information system controls using GAO's Federal Information System Controls Audit Manual[Footnote 9] which contains guidance for reviewing information system controls that affect the integrity, confidentiality, and availability of computerized data. During fiscal year 2005, SEC took steps to strengthen its information security program by increasing security staffing, certifying and accrediting several major applications, and instituting a backup data center. At the same time, most of the information security controls weaknesses identified in our fiscal year 2004 SEC audit persisted[Footnote 10] and we identified additional weaknesses. Specifically, SEC had not consistently implemented effective electronic access controls, including user accounts and passwords, access rights and permissions, network security, or audit and monitoring of security-relevant events to limit and detect access to its critical financial and sensitive systems and information. As a result, SEC's financial assets are at risk of loss due to access control weaknesses. In addition, weaknesses in other information security controls, including physical security, segregation of computer functions, application change controls, and service continuity, further increase the risk to SEC's information systems, information, and financial assets. 
As a result, sensitive data--including payroll and financial transactions, personnel data, regulatory, and other mission-critical information--remained at risk of unauthorized disclosure, modification, or loss. The details surrounding these weaknesses will be reported separately to SEC management, along with recommendations for corrective actions. A key reason for SEC's information security control weaknesses is that SEC has not fully implemented a comprehensive security management program. SEC has taken some actions to improve security management such as defining roles and responsibilities for its central security group. However, it still needs to take additional steps to fully implement all key elements of an information security management program. Such a program is critical to provide SEC with a solid foundation for resolving existing information security problems and continuously managing information security risks. Without effective management of its information security controls, SEC will not be able to provide reasonable assurance that financial information and financial assets are adequately safeguarded from misuse, fraud, improper disclosure, modification, or destruction.

Compliance with Laws and Regulations:

Our tests for compliance with selected provisions of laws and regulations disclosed no instances of noncompliance that would be reportable under U.S. generally accepted government auditing standards or OMB audit guidance. However, the objective of our audit was not to provide an opinion on overall compliance with laws and regulations. Accordingly, we do not express such an opinion.

Consistency of Other Information:

SEC's Management Discussion and Analysis, required supplementary information, and other accompanying information contain a wide range of data, some of which are not directly related to the financial statements. We did not audit and do not express an opinion on this information. 
However, we compared this information for consistency with the financial statements and discussed the methods of measurement and presentation with SEC officials. Based on this limited work, we found no material inconsistencies with the financial statements or nonconformance with OMB guidance.

Objectives, Scope, and Methodology:

SEC management is responsible for (1) preparing the financial statements in conformity with U.S. generally accepted accounting principles; (2) establishing, maintaining, and assessing internal control to provide reasonable assurance that the broad control objectives of the Federal Managers' Financial Integrity Act (FMFIA) are met; and (3) complying with applicable laws and regulations.

We are responsible for obtaining reasonable assurance about whether (1) the financial statements are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles; and (2) management maintained effective internal control that provides reasonable, but not absolute, assurance the following objectives are met.

* Financial reporting: Transactions are properly recorded, processed, and summarized to permit the timely and reliable preparation of financial statements in conformity with U.S. generally accepted accounting principles, and assets are safeguarded against loss from unauthorized acquisition, use, or disposition.

* Compliance with laws and regulations: Transactions are executed in accordance with (1) laws governing the use of budgetary authority, (2) other laws and regulations that could have a direct and material effect on the financial statements, and (3) any other laws, regulations, or governmentwide policies identified by OMB audit guidance.
We are also responsible for (1) testing compliance with selected provisions of laws and regulations that could have a direct and material effect on the financial statements and for which OMB audit guidance requires testing and (2) performing limited procedures with respect to certain other information appearing in SEC's Performance and Accountability Report. In order to fulfill these responsibilities, we:

* examined, on a test basis, evidence supporting the amounts and disclosures in the financial statements;

* assessed the accounting principles used and significant estimates made by SEC management;

* evaluated the overall presentation of the financial statements;

* obtained an understanding of internal control related to financial reporting (including safeguarding of assets) and compliance with laws and regulations (including execution of transactions in accordance with budget authority);

* obtained an understanding of the recording, processing, and summarizing of performance measures as reported in Management's Discussion and Analysis;

* tested relevant internal controls over financial reporting and compliance with laws and regulations, and evaluated the design and operating effectiveness of internal control;

* considered SEC's process for evaluating and reporting on internal control and financial management systems under the FMFIA; and

* tested compliance with selected provisions of the following laws and their related regulations:

    * the Securities Exchange Act of 1934, as amended;

    * the Securities Act of 1933, as amended;

    * the Antideficiency Act;

    * laws governing the pay and allowance system for SEC employees; and

    * the Prompt Payment Act.

We did not evaluate all internal controls relevant to operating objectives as broadly defined by the FMFIA, such as those controls relevant to preparing statistical reports and ensuring efficient operations. We limited our internal control testing to controls over financial reporting and compliance. 
Because of inherent limitations in internal control, misstatements due to error or fraud, losses, or noncompliance may nevertheless occur and not be detected. We also caution that projecting our evaluation to future periods is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with controls may deteriorate. We did not test compliance with all laws and regulations applicable to SEC. We limited our tests of compliance to those required by OMB audit guidance and other laws and regulations that had a direct and material effect on, or that we deemed applicable to, SEC's financial statements for the fiscal year ended September 30, 2005. We caution that noncompliance may occur and not be detected by these tests and that such testing may not be sufficient for other purposes. We performed our work in accordance with U.S. generally accepted government auditing standards and OMB audit guidance. SEC Comments and Our Evaluation: In commenting on a draft of this report, the SEC Chairman was pleased to receive an unqualified opinion on SEC's financial statements. The Chairman also acknowledged the material weaknesses in internal control and stated that resolving the weaknesses will be his highest operational priority. The Chairman stated that SEC plans to address the internal control weakness concerning the preparation of financial statements by fully documenting and integrating into agency operations the disciplined procedures and policies needed to complete accurate and timely financial statements. In addition, SEC established a formal financial management review committee to provide advice and to regularly review the agency's financial operations and policies. SEC plans to address the internal control weaknesses related to disgorgements and penalties through the replacement of the financial system it uses to track disgorgement and penalty data. 
In addition, SEC plans to strengthen controls over the processes for tracking the investment and distribution of funds to harmed investors.

To address the internal control weaknesses concerning information technology security that were identified in fiscal year 2004, SEC plans to complete action plans that were put in place following our fiscal year 2004 audit, including finalization of policies and operating procedures and procedures underlying the overall security management program. SEC also plans to begin defining actions and milestones for resolving additional weaknesses identified during this year's audit.

The complete text of SEC's response is included in appendix I.

David M. Walker:
Comptroller General of the United States:
November 10, 2005:

[End of section]

[See PDF for images of the following sections: Management Discussion Analysis; Financial Statements; Balance Sheets; Statements of Net Cost; Statements of Net Position; Statements of Budgetary Resources; Statements of Financing; Statements of Custodial Activity; Notes to the Financial Statements; Required Supplemental Information.]

Appendixes:

Appendix I: Comments from the Securities and Exchange Commission:

OFFICE OF THE CHAIRMAN:
UNITED STATES SECURITIES AND EXCHANGE COMMISSION:
WASHINGTON, D.C. 20549:

November 14, 2005:

The Honorable David M. Walker:
Comptroller General of the United States:
Government Accountability Office:
441 G Street, N.W.:
Washington, D.C. 20548:

Dear Mr. Walker:

Thank you for the opportunity to respond to the draft report of the Government Accountability Office (GAO) entitled "Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Years 2005 and 2004". I would like to personally acknowledge and commend the efforts and dedication by you and the GAO staff in working with the Securities and Exchange Commission (SEC) to meet the November 15 deadline for reporting our audited financial statements.

I am pleased that the audit found that the statements and notes are presented fairly, in all material respects, and in conformity with U.S. generally accepted accounting principles for federal government agencies, and that it found no instances of reportable noncompliance with laws and regulations tested.

The opinion on internal controls cites three material weaknesses in the same areas where GAO found controls to be inadequate in the audit of the fiscal 2004 financial statements. As you know from our meetings on this subject, since my arrival at the SEC in August 2005 I have made resolution of these weaknesses my highest operational priority as Chairman. I have redoubled the efforts of the agency and our staff to this end. We intend to remediate all three material weaknesses before the end of fiscal 2006.

We will resolve the control weaknesses in the system for preparing financial statements and related disclosures by fully documenting and integrating into agency operations the disciplined procedures and policies needed to complete accurate and timely financial statements. As you know, I have directed accounting and financial experts on the professional staff of the Office of the Chief Accountant to assist the Office of Financial Management with the development of these measures. Additionally, we have established a Financial Management Review Committee to provide advice and to regularly review the agency's financial operations and policies.
This committee will also help ensure SEC compliance with the requirements of OMB Circular A-123 on Management's Responsibility for Internal Control.

With respect to identified weaknesses in controls over information technology security, the audit confirmed many of the findings reported previously through the SEC's Federal Managers' Financial Integrity Act (FMFIA) and audit programs. The draft audit report specifically cites electronic access controls over sensitive financial data. The SEC intends, with respect to weaknesses in this area, to complete implementation of the plans that were put in place following last year's information security audit. We intend to finalize policies and operating procedures to better manage access to computer systems, and to control the types of changes that are introduced into the information technology environment. In addition, we will continue to define the detailed procedures underlying our overall security management program, to ensure that the agency is effectively identifying, assessing, and mitigating sources of information security risk on a continuous basis. As indicated in the comments on last year's audit, we anticipate that all weaknesses identified at that point will be resolved by June 2006. We will also be defining plans of action and milestones for resolving any additional specific weaknesses emerging from this year's audit.

The final material weakness, related to documentation and reporting of disgorgement and penalties, also confirms findings reported previously through the SEC's FMFIA program. During fiscal 2005, the SEC completed a comprehensive review of disgorgement and penalty financial data aimed at correcting any erroneous data. Nonetheless, as the draft audit report properly recognizes, there are continuing problems.
A key to resolving this material weakness is the replacement of the financial system in which the data are stored, and our plans call for completion of the new system during the current fiscal year. The SEC will also move aggressively to strengthen controls over the processes for tracking the investment and distribution of funds to harmed investors. We anticipate that strengthened internal controls and replacement of the program's financial management information system will be adequate to resolve this material weakness in fiscal 2006.

As Chairman, I am committed to enhancing the SEC's financial and operational effectiveness. It is my firm belief that the SEC must lead by example when it comes to compliance with the internal controls requirements of the private and federal sectors. I appreciate your support of those efforts, and look forward to continuing our productive dialogue on the issues addressed in the fiscal 2005 audit.

If you have any questions relating to our response, please contact Margaret Carpenter, Chief Financial Officer, at (202) 551-7854.

Sincerely,

Signed by:

Christopher Cox:
Chairman:

[End of section]

(194502):

FOOTNOTES

[1] Our opinion on internal control is based on criteria established under 31 U.S.C. § 3512 (c), (d), commonly referred to as the Federal Managers' Financial Integrity Act (FMFIA) and the Office of Management and Budget (OMB) Circular A-123, revised June 21, 1995, Management Accountability and Control.

[2] A disgorgement is the repayment of illegally gained profits (or avoided losses) that the SEC distributes to harmed investors whenever feasible.

[3] A penalty is a monetary payment from a violator of securities laws that SEC obtains pursuant to statutory authority. A penalty is fundamentally a punitive measure, although penalties occasionally can be used to compensate harmed investors.
[4] GAO, Information Security: Securities and Exchange Commission Needs to Address Weak Controls over Financial and Sensitive Data, GAO-05-262 (Washington, D.C.: Mar. 23, 2005); Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Year 2004, GAO-05-244 (Washington, D.C.: May 26, 2005); and Material Internal Control Issues Reported in SEC's Fiscal Year 2004 Financial Statement Audit Report, GAO-05-691R (Washington, D.C.: July 27, 2005).

[5] GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).

[6] Fiduciary activities represent the moneys collected from federal securities law violators and maintained by SEC to be distributed to harmed investors. Custodial activities represent the moneys collected by SEC from violators of federal securities laws that are returned to the Treasury, as nonfederal individuals or entities do not have an ownership interest in these revenues.

[7] This finding is similar to a finding noted in a recent GAO review of SEC penalties. See GAO, SEC and CFTC Penalties: Continued Progress Made in Collection Efforts, but Greater SEC Management Attention is Needed, GAO-05-670 (Washington, D.C.: Aug. 31, 2005).

[8] Material weaknesses and system nonconformance issues concerning data integrity and financial reporting for disgorgements and penalties have been reported in SEC's FMFIA reports since fiscal year 2002.

[9] GAO, Federal Information System Controls Audit Manual, Volume I--Financial Statements Audits, GAO/AIMD-12.19.6 (Washington, D.C.: January 1999).

[10] Based on our review of SEC's information system general controls for fiscal year 2004, we made 58 recommendations. SEC implemented 9 of the recommendations as of the completion of our review. See GAO, Information Security: Securities and Exchange Commission Needs to Address Weak Controls Over Financial and Sensitive Data, GAO-05-262 (Washington, D.C.: March 23, 2005).