GAO-06-239, Financial Audit: Securities and Exchange Commission's Financial Statements for Fiscal Years 2005 and 2004


This is the accessible text file for GAO report number GAO-06-239 
entitled 'Financial Audit: Securities and Exchange Commission's 
Financial Statements for Fiscal Years 2005 and 2004' which was released 
on November 17, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, U.S. Securities and Exchange Commission: 

November 2005: 

Financial Audit: 

Securities and Exchange Commission's Financial Statements for Fiscal 
Years 2005 and 2004: 

GAO-06-239: 

GAO Highlights: 

Highlights of GAO-06-239, a report to Chairman of the Securities and 
Exchange Commission: 

Why GAO Did This Study: 

Established in 1934 to enforce the securities laws and protect 
investors, the Securities and Exchange Commission (SEC) plays an 
important role in maintaining the integrity of the U.S. securities 
markets. 

Pursuant to the Accountability of Tax Dollars Act of 2002, the SEC is 
required to prepare and submit to Congress and the Office of Management 
and Budget audited financial statements. GAO agreed, under its audit 
authority, to perform the audit of SEC’s financial statements. GAO’s 
audit was done to determine whether, in all material respects, (1) 
SEC’s fiscal year 2005 financial statements were reliable and (2) 
SEC’s management maintained effective internal control over financial 
reporting and compliance with laws and regulations. We also tested 
SEC’s compliance with certain laws and regulations. 

What GAO Found: 

In GAO’s opinion, SEC’s fiscal year 2005 financial statements were 
fairly presented in all material respects. A notable achievement during 
fiscal year 2005 was SEC’s acceleration of its financial reporting and 
issuance of its audited financial statements by November 15, 2005. 
However, because of continued material internal control weaknesses in 
the areas of preparing financial statements and related disclosures, 
recording and reporting disgorgements and penalties, and information 
security, in GAO’s opinion, SEC did not maintain effective internal 
control over financial reporting as of September 30, 2005. 
Recommendations for corrective actions will be included in a separate 
report. SEC did maintain in all material respects effective internal 
control over compliance with laws and regulations we tested as of 
September 30, 2005, and GAO did not find reportable instances of 
noncompliance with laws and regulations it tested. 

For the preparation of its financial statements, SEC has drafted some 
policies and procedures, improved communication among SEC divisions, 
and improved subsidiary ledgers that support financial statement 
amounts. However, SEC’s financial reporting process continues to be 
largely manual and difficult to follow. The link between the financial 
statements and the detailed account balances was not supported by an 
adequate audit trail; support for certain balances was not readily 
available; and policies for financial reporting were still incomplete. 
SEC’s Office of Financial Management does not have sufficient staff 
with expertise in financial reporting, resulting in too many 
responsibilities vested with too few people, causing problems with 
segregation of duties, achieving quality assurance reviews, and being 
able to effectively manage the workload. 

In the area of disgorgements and penalties, SEC has undertaken a 
comprehensive review of related financial data and has identified many 
inaccuracies which it is in the process of correcting. Contributing to 
SEC’s control weakness in this area are limitations in SEC’s database 
used to track disgorgement-and penalty-related activity. The database 
is not designed to facilitate accounting and financial reporting 
causing SEC to perform extensive, manual procedures to account for this 
activity. During our fiscal year 2005 audit, we continued to find 
inaccuracies in the data that were similar to what we found during the 
fiscal year 2004 audit. 

SEC has taken steps to strengthen its information security by 
increasing staffing, certifying and accrediting applications, and 
establishing a backup data center. However, most of the weaknesses 
identified in our fiscal year 2004 audit persisted, and we identified 
additional weaknesses, including several important aspects of access 
control. Key to SEC’s weakness in information security control is that 
it has not fully implemented a comprehensive program for security 
management. Such a program is fundamental to protecting the integrity, 
confidentiality, and availability of SEC’s sensitive data. 

www.gao.gov/cgi-bin/getrpt?GAO-06-239. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Jeanette Franzel at (202) 
512-9471 or franzelj@gao.gov. 

[End of section] 

Contents: 

Letter: 

Auditor's Report: 

Opinion on Financial Statements: 

Opinion on Internal Control: 

Material Weaknesses: 

Compliance with Laws and Regulations: 

Consistency of Other Information: 

Objectives, Scope, and Methodology: 

SEC Comments and Our Evaluation: 

Management Discussion Analysis: 

Financial Statements: 

Balance Sheets: 

Statements of Net Cost: 

Statements of Net Position: 

Statements of Budgetary Resources: 

Statements of Financing: 

Statements of Custodial Activity: 

Notes to the Financial Statements: 

Required Supplemental Information: 

Appendix: 

Appendix I: Comments from the Securities and Exchange Commission: 

Letter November 15, 2005: 

The Honorable Christopher Cox: 
Chairman: 
U.S. Securities and Exchange Commission: 

Dear Mr. Cox: 

This report presents our opinion on whether the financial statements of 
the Securities and Exchange Commission (SEC) are presented fairly for 
the fiscal years ended September 30, 2005, and 2004. This report also 
presents (1) our opinion on the effectiveness of SEC's internal control 
over financial reporting and compliance as of September 30, 2005, 
including weaknesses in financial reporting controls detected during 
our 2005 audit; and (2) the results of our tests of SEC's compliance 
with selected laws and regulations during 2005. 

The Accountability of Tax Dollars Act of 2002 requires that SEC prepare 
and submit to Congress and the Office of Management and Budget (OMB) 
audited financial statements. GAO agreed, under its audit authority, to 
perform the audit of SEC's financial statements. GAO conducted this 
audit in accordance with U.S. generally accepted government auditing 
standards and OMB audit guidance. This is the second year that SEC has 
prepared a complete set of financial statements for audit. A notable 
achievement during fiscal year 2005 was SEC's acceleration of its 
financial reporting. SEC was able to prepare financial statements that 
were fairly stated in all material respects for fiscal year 2005 by 
November 15, 2005, in accordance with OMB timeframes. This due date was 
met through the tremendous dedication of time and effort from SEC 
management and staff. 

We are sending copies of this report to the Chairman and Ranking 
Minority Members of the Senate Committee on Banking, Housing, and Urban 
Affairs; the Senate Committee on Homeland Security and Governmental 
Affairs; the House Committee on Financial Services; and the House 
Committee on Government Reform. We are also sending copies to the 
Secretary of the Treasury, the Director of the Office of Management and 
Budget, and other interested parties. In addition, this report will be 
available at no charge on the GAO Web site at http://www.gao.gov. 

This report was prepared under the direction of Jeanette M. Franzel, 
Director, Financial Management and Assurance, who can be reached at 
(202) 512-9471 or franzelj@gao.gov. If I can be of further assistance, 
please call me at (202) 512-5500. 

Sincerely yours, 

Signed by: 

David M. Walker: 
Comptroller General of the United States: 

Auditor's Report To the Chairman of the United States Securities and 
Exchange Commission: 

In our audits of the United States Securities and Exchange Commission 
(SEC) for fiscal years 2005 and 2004, we found: 

* the financial statements as of and for the fiscal years ended 
September 30, 2005, and 2004, including the accompanying notes, are 
presented fairly, in all material respects, in conformity with U.S. 
generally accepted accounting principles; 

* SEC did not have effective internal control over financial reporting 
(including safeguarding of assets), but had effective control over 
compliance with laws and regulations we tested that could have a direct 
and material effect on the financial statements as of September 30, 
2005; and: 

* no reportable noncompliance with laws and regulations we tested. 

The following sections discuss in more detail (1) these conclusions as 
well as our conclusions on Management's Discussion and Analysis and 
other supplementary information and (2) the objectives, scope, and 
methodology of our audit. 

Opinion on Financial Statements: 

The SEC's balance sheets as of September 30, 2005, and 2004, and its 
related statements of net cost, changes in net position, budgetary 
resources, financing, and custodial activity, with accompanying notes 
for the fiscal years then ended, are presented fairly, in all material 
respects, in conformity with U.S. generally accepted accounting 
principles. 

However, misstatements may nevertheless occur in other financial 
information reported by SEC as a result of the internal control 
weaknesses described in this report. 

Opinion on Internal Control: 

This is the second year that SEC has prepared a complete set of 
financial statements for audit. Despite the specific issues with 
internal control explained below, SEC was able to prepare financial 
statements that were fairly stated in all material respects for fiscal 
years 2005 and 2004. A notable achievement during fiscal year 2005 was 
SEC's acceleration of its financial reporting. SEC was able to issue 
financial statements that were fairly stated in all material respects 
for fiscal year 2005 by November 15, 2005, in accordance with OMB 
timeframes. This due date was met through the tremendous dedication of 
time and effort from SEC management and staff. 

The acceleration did serve to highlight the difficulties in SEC's 
financial reporting process and the accounting and reporting for 
disgorgements that we identified in our fiscal year 2004 audit. In 
addition, SEC continues to have weaknesses in its information security 
controls. 

Because of the material weaknesses in internal control discussed below, 
in our opinion, SEC did not maintain effective internal control over 
financial reporting (including safeguarding of assets) as of September 
30, 2005, and thus did not provide reasonable assurance that losses and 
misstatements material in relation to the financial statements would be 
prevented or detected on a timely basis. However, SEC maintained in all 
material respects effective internal control over compliance with laws 
and regulations as of September 30, 2005, that provided reasonable 
assurance that noncompliance with laws and regulations that are direct 
and material in relation to the financial statements would be prevented 
or detected on a timely basis.[Footnote 1] 

Material Weaknesses: 

As a result of our fiscal year 2005 audit, we concluded that SEC 
continues to face the following key issues that we reported as part of 
our audit of SEC's fiscal year 2004 financial statements, which 
represent material weaknesses in internal controls: 

* weaknesses in controls over the financial reporting process, 
resulting in SEC not being able to prepare reliable and timely 
financial statements without extensive and time-consuming manual 
procedures; 

* weaknesses in controls over recording and reporting of 
disgorgement[Footnote 2] and penalty[Footnote 3] activity pertaining to 
those who violate securities laws, resulting in increased risk of 
incomplete or inaccurate disgorgement and penalty data; and: 

* weaknesses in information security controls, resulting in increased 
risk of unauthorized individuals being allowed to access, alter, or 
abuse proprietary SEC programs and electronic data and assets. 

We have reported on these material weaknesses in our prior audit and 
have provided SEC recommendations to address these issues.[Footnote 4] 
SEC has made some progress in resolving these matters; however, these 
matters remain as material weaknesses as of September 30, 2005. These 
material weaknesses were considered in determining the nature, timing, 
and extent of audit tests applied in our audits of SEC's fiscal year 
2005 and 2004 financial statements, and our opinion on internal control 
does not affect our financial audit opinion on the financial 
statements. The details surrounding these weaknesses are being reported 
separately to SEC management, along with recommendations for corrective 
actions. Less significant matters involving SEC's system of internal 
controls and its operations will also be reported to SEC separately. 

Financial Statement Preparation Process: 

In response to the findings of our fiscal year 2004 audit, SEC has 
taken some steps to address control weaknesses over preparing financial 
statements and related disclosures. For example, in August 2005, SEC 
drafted some policies and procedures for its financial statement 
preparation process. SEC also established a process to improve 
communication among other SEC divisions whose work impacts the 
financial statements, and SEC has improved its ability to produce 
subsidiary ledgers that support financial statement amounts. At the 
same time, SEC's financial reporting process continues to be manually 
intensive and time consuming, with numerous ad hoc procedures. For 
certain financial statement line items and disclosures, the detailed 
support for the balances and underlying transactions was not readily 
available, was difficult to retrieve, and did not easily facilitate an 
audit trail. In addition, SEC is still lacking policies and procedures 
for recording many of its activities, such as its process for 
determining disgorgement and penalty amounts receivable, for recording 
investment activity, and for reconciling certain account balances such 
as the fiduciary liability. Many policies and procedures that do exist 
are still in draft, are complicated and not easy to follow, or in some 
cases are outdated or not comprehensive. In addition, SEC still does 
not have an easy-to-follow process for compiling financial statement 
amounts to enable a cross-walk from the financial statements to the 
general ledger and supporting subsidiary schedules. Furthermore, 
certain balances on the financial statements do not readily agree to 
supporting detail. SEC's Office of Financial Management, the office 
charged with SEC's financial reporting and financial management, does 
not have sufficient staff with expertise in financial reporting. As a 
result, too many responsibilities have been vested with too few people, 
causing problems such as inadequate segregation of duties, inadequate 
quality assurance reviews, and difficulties managing the financial 
reporting workload. Because of these issues, SEC needed to dedicate 
considerable time and resources from its operating divisions to assist 
its Office of Financial Management in reconciling the financial 
statement amounts to its supporting general ledger balances and other 
supporting detail. SEC's financial reporting process can be 
strengthened by increased interaction with and input from the program 
operations' offices responsible for key financial data needed for 
financial reporting. 

Controls over the financial statement preparation process should be 
designed to provide reasonable assurance regarding the reliability of 
the balances and disclosures reported in the financial statements and 
related notes in conformity with generally accepted accounting 
principles, including the maintenance of detailed support that 
accurately and fairly reflects the transactions making up the balances 
in the financial statements and disclosures. GAO's Standards for 
Internal Control in the Federal Government[Footnote 5] provide an 
overall framework for establishing and maintaining internal control, 
including a discussion of control activities, management review, and 
documentation of processes and transactions. A financial statement 
preparation process with documented comprehensive policies and 
procedures, a clear audit trail between the financial statement 
balances and the detailed support, and quality assurance reviews, if 
properly designed and implemented, should provide SEC management with 
reasonable assurance that the balances presented in the financial 
statements and related disclosures are supported by SEC's underlying 
accounting records. We believe SEC can use the lessons learned from the 
fiscal year 2005 financial reporting and audit processes to further 
formalize and improve its process for developing and reviewing the 
figures needed to compile and prepare its year-end and interim 
financial statements. 

Disgorgements and Penalties: 

As part of its enforcement responsibilities, SEC issues and administers 
judgments ordering, among other things, disgorgements, civil monetary 
penalties, and interest against violators of federal securities laws. 
These transactions involve material amounts of collections, and the 
recording and reporting of fiduciary and custodial liability balances 
on the financial statements.[Footnote 6] As shown in SEC's Statement of 
Custodial Activity, SEC collected more than $1.6 billion from federal 
securities laws violators during fiscal year 2005. Of that total, 
approximately $302 million was distributed to harmed investors; $207 
million was transferred to the Treasury; and approximately $1.1 billion 
is being held by the SEC for future distribution to harmed investors. 
In total, SEC held approximately $1.976 billion in such funds at 
September 30, 2005, for future distribution to harmed investors. These 
amounts are recorded in the fiduciary liability, investments, and fund 
balance with Treasury line items, with additional detail provided in 
note 18 to the financial statements. SEC also has recorded fines and 
penalties receivable of approximately $1.365 billion, of which it 
estimates that approximately $96 million will be collectible. These 
amounts are included in SEC's accounts receivable and custodial 
liabilities line items, with additional detail provided in note 6 to 
the financial statements. 

Since our fiscal year 2004 audit, SEC has undertaken a comprehensive 
review of the disgorgement and penalty financial data in its database, 
which includes data on over 12,000 parties in SEC enforcement issues. 
SEC's review uncovered a significant amount of financial data 
inaccuracies which it is still in the process of correcting. 

Our audit testing for fiscal year 2005 continued to find similar 
control weaknesses and data inaccuracies to the problems we noted 
during our audit of SEC's fiscal year 2004 financial statements. 
Contributing to SEC's control weaknesses in these areas is that the 
database SEC uses to record and report disgorgements and penalties data 
has limitations and is not designed to facilitate accounting for and 
financial reporting of the data. To compensate for limitations in the 
disgorgements and penalties database, SEC staff perform extensive 
manual procedures to compile quarterly subsidiary ledgers to update the 
accounting system for disgorgement-and penalty-related balances and 
activity (including cash receipts and disbursements). As we noted in 
our fiscal year 2004 audit, while SEC has a draft policy covering 
certain aspects of accounting for disgorgements and penalties, the 
policy is not comprehensive and does not include the process and 
controls for determining the amounts to be recorded for disgorgements 
and penalty activity and for reviewing the entries. In addition, SEC 
does not have a policy that includes formal procedures to provide 
assurance that the cash collections have been properly credited to the 
appropriate cases in the appropriate amounts in the related subsidiary 
records for investments and fund balance with Treasury. Furthermore, 
SEC's policies do not include formal procedures to provide assurance 
that cash disbursements are properly tracked in the related subsidiary 
ledgers that provide information on the status of each case. 

As we have again found during the fiscal year 2005 financial statement 
audit, not having comprehensive policies and controls increases the 
risk that disgorgement and penalty transactions will not be completely, 
accurately, and consistently recorded and reported. 

Although we were able to obtain sufficient audit support for SEC's 
estimated collectible amount of $96 million, we noted significant 
errors and misstatements in the recorded gross accounts receivable 
balance of $1.365 billion and the related allowance for loss of $1.269 
billion. Specifically, we noted errors and/or inconsistent treatment in 
recording judgment and interest amounts, terminated debts, waivers, and 
recording of activity such as amounts paid by defendants. Contributing 
to these errors is the lack of a clear policy, communication, and 
coordination between the two key SEC units, both responsible for 
disgorgement and penalty activity, addressing the supporting documents 
needed to record the activity, as well as the lack of follow-up 
procedures to ensure that the activity is being recorded in a timely 
fashion and in the proper reporting period.[Footnote 7] In most cases, 
these errors were offsetting through the allowance for loss account; 
however, such errors raise concern about the controls over the 
reliability of the gross accounts receivable and related allowance 
amounts reported in note 6 to the financial statements. 

Establishing proper controls and policies and procedures over the 
recording of disgorgement and penalty activity and the related 
collections and adopting a new accounting system to capture the 
activity for financial reporting purposes are necessary to provide 
reasonable assurance that disgorgement and penalty transactions are 
recorded in a complete, accurate, and timely manner for management's 
use in decision making and tracking of operations, and to facilitate 
the preparation of financial statements and related disclosures. The 
process should also include maintaining supporting documentation that, 
in reasonable detail, supports the transactions that are recorded, and 
monitoring the data input, data modifications, and the related 
financial reporting process for reliability. Due to the importance of 
these activities to SEC's mission and the magnitude of the amounts, it 
is of critical importance that the internal control weaknesses in this 
area be addressed.[Footnote 8] 

Information Security: 

Effective information system controls are essential to providing 
reasonable assurance that financial information and financial assets 
are adequately safeguarded from inadvertent or deliberate misuse, 
fraudulent use, improper disclosure, or destruction. These controls are 
part of an entitywide computer security management program that 
includes access controls, system software, application development and 
change controls, segregation of duties, and service continuity 
controls. A comprehensive entitywide security management program must 
be established in order to ensure effective information security 
controls and to provide a systemic approach to identifying and 
addressing security weaknesses. An effective program would include 
issuing guidance and implementing procedures for assessing risks, 
establishing policies and related controls, raising awareness of 
prevailing risks and mitigating controls, evaluating the effectiveness 
of established controls, and using the results of management's 
evaluation to continuously improve controls. 

SEC relies extensively on computerized information systems to process, 
account for, and report on its financial activities and make payments. 
As part of the financial statement audit, we assessed the effectiveness 
of SEC's information system controls using GAO's Federal Information 
System Controls Audit Manual[Footnote 9] which contains guidance for 
reviewing information system controls that affect the integrity, 
confidentiality, and availability of computerized data. 

During fiscal year 2005, SEC took steps to strengthen its information 
security program by increasing security staffing, certifying and 
accrediting several major applications, and instituting a backup data 
center. At the same time, most of the information security controls 
weaknesses identified in our fiscal year 2004 SEC audit 
persisted[Footnote 10] and we identified additional weaknesses. 
Specifically, SEC had not consistently implemented effective electronic 
access controls, including user accounts and passwords, access rights 
and permissions, network security, or audit and monitoring of security-
relevant events to limit and detect access to its critical financial 
and sensitive systems and information. As a result, SEC's financial 
assets are at risk of loss due to access control weaknesses. In 
addition, weaknesses in other information security controls, including 
physical security, segregation of computer functions, application 
change controls, and service continuity, further increase the risk to 
SEC's information systems, information, and financial assets. As a 
result, sensitive data--including payroll and financial transactions, 
personnel data, regulatory, and other mission-critical information--
remained at risk of unauthorized disclosure, modification, or loss. The 
details surrounding these weaknesses will be reported separately to SEC 
management, along with recommendations for corrective actions. 

A key reason for SEC's information security control weaknesses is that 
SEC has not fully implemented a comprehensive security management 
program. SEC has taken some actions to improve security management such 
as defining roles and responsibilities for its central security group. 
However, it still needs to take additional steps to fully implement all 
key elements of an information security management program. Such a 
program is critical to provide SEC with a solid foundation for 
resolving existing information security problems and continuously 
managing information security risks. Without effective management of 
its information security controls, SEC will not be able to provide 
reasonable assurance that financial information and financial assets 
are adequately safeguarded from misuse, fraud, improper disclosure, 
modification, or destruction. 

Compliance with Laws and Regulations: 

Our tests for compliance with selected provisions of laws and 
regulations disclosed no instances of noncompliance that would be 
reportable under U.S. generally accepted government auditing standards 
or OMB audit guidance. However, the objective of our audit was not to 
provide an opinion on overall compliance with laws and regulations. 
Accordingly, we do not express such an opinion. 

Consistency of Other Information: 

SEC's Management Discussion and Analysis, required supplementary 
information, and other accompanying information contain a wide range of 
data, some of which are not directly related to the financial 
statements. We did not audit and do not express an opinion on this 
information. However, we compared this information for consistency with 
the financial statements and discussed the methods of measurement and 
presentation with SEC officials. Based on this limited work, we found 
no material inconsistencies with the financial statements or 
nonconformance with OMB guidance. 

Objectives, Scope, and Methodology: 

SEC management is responsible for (1) preparing the financial 
statements in conformity with U.S. generally accepted accounting 
principles; (2) establishing, maintaining, and assessing internal 
control to provide reasonable assurance that the broad control 
objectives of the Federal Managers' Financial Integrity Act (FMFIA) are 
met; and (3) complying with applicable laws and regulations. 

We are responsible for obtaining reasonable assurance about whether (1) 
the financial statements are presented fairly, in all material 
respects, in conformity with U.S. generally accepted accounting 
principles; and (2) management maintained effective internal control 
that provides reasonable, but not absolute, assurance the following 
objectives are met. 

* Financial reporting: Transactions are properly recorded, processed, 
and summarized to permit the timely and reliable preparation of 
financial statements in conformity with U.S. generally accepted 
accounting principles, and assets are safeguarded against loss from 
unauthorized acquisition, use, or disposition. 

* Compliance with laws and regulations: Transactions are executed in 
accordance with (1) laws governing the use of budgetary authority, (2) 
other laws and regulations that could have a direct and material effect 
on the financial statements, and (3) any other laws, regulations, or 
governmentwide policies identified by OMB audit guidance. 

We are also responsible for (1) testing compliance with selected 
provisions of laws and regulations that could have a direct and 
material effect on the financial statements and for which OMB audit 
guidance requires testing and (2) performing limited procedures with 
respect to certain other information appearing in SEC's Performance and 
Accountability Report. In order to fulfill these responsibilities, we: 

* examined, on a test basis, evidence supporting the amounts and 
disclosures in the financial statements; 

* assessed the accounting principles used and significant estimates 
made by SEC management; 

* evaluated the overall presentation of the financial statements; 

* obtained an understanding of internal control related to financial 
reporting (including safeguarding of assets) and compliance with laws 
and regulations (including execution of transactions in accordance with 
budget authority); 

* obtained an understanding of the recording, processing, and 
summarizing of performance measures as reported in Management's 
Discussion and Analysis; 

* tested relevant internal controls over financial reporting and 
compliance with laws and regulations, and evaluated the design and 
operating effectiveness of internal control; 

* considered SEC's process for evaluating and reporting on internal 
control and financial management systems under the FMFIA; and: 

* tested compliance with selected provisions of the following laws and 
their related regulations: 

* the Securities Exchange Act of 1934, as amended; 

* the Securities Act of 1933, as amended; 

* the Antideficiency Act; 

* laws governing the pay and allowance system for SEC employees; and: 

* the Prompt Payment Act. 

We did not evaluate all internal controls relevant to operating 
objectives as broadly defined by the FMFIA, such as those controls 
relevant to preparing statistical reports and ensuring efficient 
operations. We limited our internal control testing to controls over 
financial reporting and compliance. Because of inherent limitations in 
internal control, misstatements due to error or fraud, losses, or 
noncompliance may nevertheless occur and not be detected. We also 
caution that projecting our evaluation to future periods is subject to 
the risk that controls may become inadequate because of changes in 
conditions or that the degree of compliance with controls may 
deteriorate. 

We did not test compliance with all laws and regulations applicable to 
SEC. We limited our tests of compliance to those required by OMB audit 
guidance and other laws and regulations that had a direct and material 
effect on, or that we deemed applicable to, SEC's financial statements 
for the fiscal year ended September 30, 2005. We caution that 
noncompliance may occur and not be detected by these tests and that 
such testing may not be sufficient for other purposes. 

We performed our work in accordance with U.S. generally accepted 
government auditing standards and OMB audit guidance. 

SEC Comments and Our Evaluation: 

In commenting on a draft of this report, the SEC Chairman was pleased 
to receive an unqualified opinion on SEC's financial statements. The 
Chairman also acknowledged the material weaknesses in internal control 
and stated that resolving the weaknesses will be his highest 
operational priority. The Chairman stated that SEC plans to address the 
internal control weakness concerning the preparation of financial 
statements by fully documenting and integrating into agency operations 
the disciplined procedures and policies needed to complete accurate and 
timely financial statements. In addition, SEC established a formal 
financial management review committee to provide advice and to 
regularly review the agency's financial operations and policies. SEC 
plans to address the internal control weaknesses related to 
disgorgements and penalties through the replacement of the financial 
system it uses to track disgorgement and penalty data. In addition, SEC 
plans to strengthen controls over the processes for tracking the 
investment and distribution of funds to harmed investors. To address 
the internal control weaknesses concerning information technology 
security that were identified in fiscal year 2004, SEC plans to 
complete action plans that were put in place following our fiscal year 
2004 audit, including finalization of policies and operating procedures 
and procedures underlying the overall security management program. SEC 
also plans to begin defining actions and milestones for resolving 
additional weaknesses identified during this year's audit. 

The complete text of SEC's response is included in appendix I. 

David M. Walker: 
Comptroller General of the United States: 

November 10, 2005: 

[End of section] 

Management Discussion Analysis: 

[See PDF for image] 

[End of figure] 

[End of section] 

Financial Statements: 

[See PDF for image] 

[End of figure] 

[End of section] 

Balance Sheets: 

[See PDF for image] 

[End of figure] 

[End of section] 

Statements of Net Cost: 

[See PDF for image] 

[End of figure] 

[End of section] 

Statements of Net Position: 

[See PDF for image] 

[End of figure] 

[End of section] 

Statements of Budgetary Resources: 

[See PDF for image] 

[End of figure] 

[End of section] 

Statements of Financing: 

[See PDF for image] 

[End of figure] 

[End of section] 

Statements of Custodial Activity: 

[See PDF for image] 

[End of figure] 

[End of section] 

Notes to the Financial Statements: 

[See PDF for image] 

[End of figure] 

[End of section] 

Required Supplemental Information: 

[See PDF for image] 

[End of figure] 

[End of section] 

Appendixes: 

Appendix I: Comments from the Securities and Exchange Commission: 

Comments from the Securities and Exchange Commission: 

OFFICE OF THE CHAIRMAN: 

UNITED STATES SECURITIES AND EXCHANGE COMMISSION: 
WASHINGTON, D.C. 20549: 

November 14, 2005: 

The Honorable David M. Walker: 
Comptroller General of the United States: 
Government Accountability Office: 
441 G Street, N.W.: 
Washington, D.C. 20548: 

Dear Mr. Walker: 

Thank you for the opportunity to respond to the draft report of the 
Government Accountability Office (GAO) entitled "Financial Audit: 
Securities and Exchange Commission's Financial Statements for Fiscal 
Years 2005 and 2004". 1 would like to personally acknowledge and 
commend the efforts and dedication by you and the GAO staff in working 
with the Securities and Exchange Commission (SEC) to meet the November 
15 deadline for reporting our audited financial statements. 

I am pleased that the audit found that the statements and notes are 
presented fairly, in all material respects, and in conformity with U.S. 
generally accepted accounting principles for federal government 
agencies, and that it found no instances of reportable noncompliance 
with laws and regulations tested. 

The opinion on internal controls cites three material weaknesses in the 
same areas where GAO found controls to be inadequate in the audit of 
the fiscal 2004 financial statements. As you know from our meetings on 
this subject, since my arrival at the SEC in August 20051 have made 
resolution of these weaknesses my highest operational priority as 
Chairman. I have redoubled the efforts of the agency and our staff to 
this end. We intend to remediate all three material weaknesses before 
the end of fiscal 2006. 

We will resolve the control weaknesses in the system for preparing 
financial statements and related disclosures by fully documenting and 
integrating into agency operations the disciplined procedures and 
policies needed to complete accurate and timely financial statements. 
As you know, I have directed accounting and financial experts on the 
professional staff of the Office of the Chief Accountant to assist the 
Office of Financial Management with the development of these measures. 
Additionally, we have established a Financial Management Review 
Committee to provide advice and to regularly review the agency's 
financial operations and policies. This committee will also help ensure 
SEC compliance with the requirements of OMB Circular-A 123 on 
Management's Responsibility for Internal Control. 

With respect to identified weaknesses in controls over information 
technology security, the audit confirmed many of the findings reported 
previously through the SEC's Federal Managers' Financial Integrity Act 
(FMFIA) and audit programs: The draft audit report specifically cites 
electronic access controls over sensitive financial data. The SEC 
intends, with respect to weaknesses in this area, to complete 
implementation of the plans that were put in place following last 
year's information security audit. We intend to finalize policies and 
operating procedures to better manage access to computer systems, and 
to control the types of changes that are introduced into the 
information technology environment. In addition, we will continue to 
define the detailed procedures underlying our overall security 
management program, to ensure that the agency is effectively 
identifying, assessing, and mitigating sources of information security 
risk on a continuous basis. As indicated in the comments on last year's 
audit, we anticipate that all weaknesses identified at that point will 
be resolved by June 2006. We will also be defining plans of action and 
milestones for resolving any additional specific weaknesses emerging 
from this year's audit. 

The final material weakness, related to documentation and reporting of 
disgorgement and penalties, also confirms findings reported previously 
through the SEC's FMFIA program. During fiscal 2005, the SEC completed 
a comprehensive review of disgorgement and penalty financial data aimed 
at correcting any erroneous data. Nonetheless, as the draft audit 
report properly recognizes, there are continuing problems. A key to 
resolving this material weakness is the replacement of the financial 
system in which the data are stored, and our plans call for completion 
of the new system during the current fiscal year. The SEC will also 
move aggressively to strengthen controls over the processes for 
tracking the investment and distribution of funds to harmed investors. 
We anticipate that strengthened internal controls and replacement of 
the program's financial management information system will be adequate 
to resolve this material weakness in fiscal 2006. 

As Chairman, I am committed to enhancing the SEC's financial and 
operational effectiveness. It is my firm belief that the SEC must lead 
by example when it comes to compliance with the internal controls 
requirements of the private and federal sectors. I appreciate your 
support of those efforts, and look forward to continuing our productive 
dialogue on the issues addressed in the fiscal 2005 audit. 

If you have any questions relating to our response, please contact 
Margaret Carpenter, Chief Financial Officer, at (202) 551-7854: 

Sincerely, 

Signed by: 

Christopher Cox: 
Chairman: 

[End of section] 

(194502): 

FOOTNOTES 

[1] Our opinion on internal control is based on criteria established 
under 31 U.S.C. § 3512 (c), (d), commonly referred to as the Federal 
Managers' Financial Integrity Act (FMFIA) and the Office of Management 
and Budget (OMB) Circular A-123, revised June 21, 1995, Management 
Accountability and Control. 

[2] A disgorgement is the repayment of illegally gained profits (or 
avoided losses) that the SEC distributes to harmed investors whenever 
feasible. 

[3] A penalty is a monetary payment from a violator of securities laws 
that SEC obtains pursuant to statutory authority. A penalty is 
fundamentally a punitive measure, although penalties occasionally can 
be used to compensate harmed investors. 

[4] GAO, Information Security: Securities and Exchange Commission Needs 
to Address Weak Controls over Financial and Sensitive Data, GAO-05-262 
(Washington, D.C.: Mar. 23, 2005); Financial Audit: Securities and 
Exchange Commission's Financial Statements for Fiscal Year 2004, GAO-05-
244 (Washington, D.C.: May 26, 2005); and Material Internal Control 
Issues Reported in SEC's Fiscal Year 2004 Financial Statement Audit 
Report, GAO-05-691R (Washington, D.C.: July 27, 2005). 

[5] GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[6] Fiduciary activities represent the moneys collected from federal 
securities law violators and maintained by SEC to be distributed to 
harmed investors. Custodial activities represent the moneys collected 
by SEC from violators of federal securities laws that are returned to 
the Treasury, as nonfederal individuals or entities do not have an 
ownership interest in these revenues. 

[7] This finding is similar to a finding noted in a recent GAO review 
of SEC penalties. See GAO, SEC and CFTC Penalties: Continued Progress 
Made in Collection Efforts, but Greater SEC Management Attention is 
Needed, GAO-05-670 (Washington, D.C.: Aug. 31, 2005). 

[8] Material weaknesses and system nonconformance issues concerning 
data integrity and financial reporting for disgorgements and penalties 
have been reported in SEC's FMFIA reports since fiscal year 2002. 

[9] GAO, Federal Information System Controls Audit Manual, Volume I--
Financial Statements Audits, GAO/AIMD-12.19.6 (Washington, D.C.: 
January 1999). 

[10] Based on our review of SEC's information system general controls 
for fiscal year 2004, we made 58 recommendations. SEC implemented 9 of 
the recommendations as of the completion of our review. See GAO, 
Information Security: Securities and Exchange Commission Needs to 
Address Weak Controls Over Financial and Sensitive Data, GAO-05-262 
(Washington, D.C.: March 23, 2005). 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: