GAO-05-691R, Material Internal Control Issues Reported in SEC's Fiscal Year 2004 Financial Statement Audit Report


This is the accessible text file for GAO report number GAO-05-691R 
entitled 'Material Internal Control Issues Reported in SEC's Fiscal 
Year 2004 Financial Statement Audit Report' which was released on July 
27, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

July 27, 2005: 

The Honorable Cynthia A. Glassman: 
Acting Chairman: 
U.S. Securities and Exchange Commission: 

Subject: Material Internal Control Issues Reported in SEC's Fiscal Year 
2004 Financial Statement Audit Report: 

Dear Ms. Glassman: 

In May 2005, we issued our report expressing an opinion on the 
Securities and Exchange Commission's (SEC) fiscal year 2004 financial 
statements and an opinion on SEC's internal control as of September 30, 
2004.[Footnote 1] We also reported on the results of our tests of SEC's 
compliance with selected provisions of laws and regulations during 
fiscal year 2004. 

Our report on SEC's fiscal year 2004 financial statements identified 
reportable conditions in the internal controls over financial reporting 
that we considered to be material weaknesses.[Footnote 2] These 
weaknesses related to SEC's controls over (1) recording and reporting 
disgorgements[Footnote 3] and penalties[Footnote 4] pertaining to those 
who violate securities laws, (2) preparing financial statements and 
related disclosures, and (3) information security. In March 2005, we 
reported on the information security weaknesses, making six 
recommendations to address those weaknesses.[Footnote 5] The purpose of 
this report is to provide SEC with 18 recommendations to addresses the 
remaining weaknesses concerning disgorgements and penalties, and 
financial statement preparation and reporting.[Footnote 6]

As part of our audit of SEC's fiscal year 2004 financial statements, we 
evaluated SEC's internal controls and its compliance with selected 
provisions of laws and regulations. We designed our audit procedures to 
test relevant controls, including those for the proper authorization, 
execution, accounting, and reporting of transactions. We conducted our 
audit in accordance with U.S. generally accepted government auditing 
standards. SEC's written comments on a draft of this report are 
included in enclosure I. Further details on our scope and methodology 
are included in our May 2005 report on the results of our audit of the 
2004 financial statements and are reproduced in enclosure II. 

Disgorgements and Civil Penalties: 

As part of its enforcement responsibilities, SEC issues and administers 
judgments that order, among other things, disgorgements and civil 
penalties against violators of federal securities laws. The resulting 
transactions involve material amounts of collections, which amounted to 
about $945 million in fiscal year 2004, and the recording and reporting 
of fiduciary and custodial balances on the financial 
statements.[Footnote 7]

Presently, SEC records and tracks information on disgorgements and 
penalties through a case-tracking system. In August 2004, the Office of 
Financial Management assumed responsibility from the Division of 
Enforcement for entering and maintaining financial data on 
disgorgements and penalties in the case-tracking system, and making the 
necessary calculations and adjustments for preparing SEC's financial 
statements.[Footnote 8] However, the case-tracking system is not 
designed for financial reporting purposes and is not integrated with 
the general ledger. 

To compensate for limitations in the system, SEC staff performed 
extensive and time-consuming manual procedures to compile quarterly 
subsidiary ledgers to update the accounting system for disgorgement and 
penalty balances and activity. Notwithstanding the inherent 
inefficiencies of such manual processes, they also increase the risk of 
reporting inaccurate amounts and inhibit timely reporting. Despite this 
risk, SEC did not perform the requisite control procedures to 
reasonably assure the completeness and reliability of the disgorgement 
and penalty financial information in the case-tracking system. The risk 
of incomplete or inaccurate disgorgement and penalty data is further 
increased because of ineffective coordination and communication between 
various SEC divisions and offices that share responsibility for 
recording and maintaining disgorgement and penalty information. Our 
audit noted instances where, while disgorgement activity was entered 
into the case-tracking system by the Division of Enforcement and 
supporting documentation was in the files maintained by the case 
managers, the finance staff responsible for the accounting entries did 
not have the documentation necessary to make the entries into the 
general ledger, and therefore, had not made the related entries. 

GAO's Standards for Internal Control in the Federal Government[Footnote 
9] requires that agencies establish controls to ensure that 
transactions be recorded in a complete, accurate, and timely manner. 
SEC has a draft policy, dated October 1, 2002, that covers certain 
aspects of accounting for disgorgements and penalties, but the policy 
is not comprehensive. For example, the draft policy does not define who 
is responsible for the various aspects of recording disgorgement and 
penalty data or the documentation that should be maintained to support 
the amounts recorded. Of even more importance, the draft policy does 
not identify the processes and controls that are critical for 
determining the amounts to be recorded and for reviewing the 
disgorgement and penalty financial information and related accounting 
entries for completeness and accuracy. Nor does the policy address the 
supervisory review procedures necessary to ensure consistent 
application of the procedures. We found instances where documentation 
in the case files contained hand-written annotations, without 
sufficient evidence, instructing certain activity with regard to a 
disgorgement or penalty amount. While SEC did not make entries into the 
case-tracking system on the basis of these handwritten instructions, 
their existence raises concern about the reliability and accuracy of 
the amounts recorded in the case-tracking system. 

A lack of comprehensive policies and controls increases the risk that 
disgorgement and penalty transactions will not be completely, 
accurately, and consistently recorded and reported. For example, in our 
audit of the estimated net amounts receivable from disgorgements and 
penalties, we found errors in the recorded balances for the related 
gross accounts receivable and allowance for loss. Specifically, we 
noted errors where SEC had made entries to the accounting system that 
conflicted with information in the files, and we noted inconsistent 
treatment in recording judgment and interest amounts, terminated debts, 
and collection fees imposed by the Department of the Treasury. We 
believe that these errors and inconsistencies occurred because of the 
weaknesses discussed above. While, in most cases, these errors and 
inconsistencies were offsetting, such errors raise concern about the 
controls over the reliability of the gross accounts receivable and 
related allowance amounts reported in footnote 3 to SEC's financial 
statements. 

Recommendations for Executive Action: 

We recommend that the Chairman, SEC, take the following five actions to 
improve internal controls over disgorgements and penalties: 

1. Implement a system that is integrated with the accounting system or 
that provides the necessary input to the accounting system to 
facilitate timely, accurate, and efficient recording and reporting of 
disgorgement and penalty activity. 

2. Review the disgorgement and penalty judgments and subsequent 
activities documented in each case file by defendant to determine 
whether the individual amounts recorded in the case-tracking system are 
accurate and reliable. 

3. Implement controls so that the ongoing activities involving 
disgorgements and penalties are properly, accurately, and timely 
recorded in the accounting system. 

4. Strengthen coordination, communication, and data flow among staff of 
SEC's Division of Enforcement and Office of Financial Management who 
share responsibility for recording and maintaining disgorgement and 
penalty data. 

5. Develop and implement written policies covering the procedures, 
documentation, systems, and responsible personnel involved in recording 
and reporting disgorgement and penalty financial information. The 
written procedures should also address quality control and managerial 
review responsibilities and documentation of such a review. 

Financial Statement Preparation and Reporting: 

GAO's Standards for Internal Control in the Federal Government requires 
that controls over the financial statement preparation process be 
designed to provide reasonable assurance regarding the reliability of 
the balances and disclosures reported in the financial statements and 
related notes in conformity with generally accepted accounting 
principles, including the maintenance of detailed support that 
accurately and fairly reflects the transactions making up the balances 
in the financial statements and disclosures. Established tools, 
including checklists and implementation guides, are available to assist 
in developing controls over financial statement compilation and review. 

We found that SEC had neither the formalized processes or documentation 
showing the procedures, systems, analysis of accounts, and personnel 
involved in developing key balances and preparing the financial 
statements and related disclosures, nor the related quality control and 
review procedures. As a result, SEC's opening balances for its fiscal 
year 2004 financial statements contained material misstatements, some 
of which also materially affected the unadjusted fiscal year 2004 
reported operating results. Although SEC ultimately posted the 
necessary audit adjustments and produced financial statements for 
fiscal year 2004 that were fairly presented in all material respects, 
the lack of processes and documented procedures significantly delayed 
the reporting of SEC's fiscal year 2004 financial results, consumed 
significant SEC staff resources, caused audit inefficiencies, and 
resulted in higher financial statement preparation and audit costs. For 
example, SEC did not have documentation providing an explanation or a 
cross-walk between the financial statements and the source systems, 
general ledger accounts, account queries, and account analyses. SEC did 
not maintain a subsidiary ledger for certain activity, such as customer 
deposit amounts pertaining to filing fees. Accounting staff also had 
difficulty in retrieving support for certain account balances, such as 
undelivered orders amounts, and for certain property and equipment 
leases. In addition, reconciliations of subsidiary and summary account 
balances were not prepared for certain financial statement line items, 
such as for the customer deposit liability relating to filing fees and 
the associated earned filing fee revenue, the accounts receivable 
related to exchange fees and the related amount of earned exchange fee 
revenue, and the budgetary accounts related to undelivered and 
delivered orders, thus requiring SEC staff to create an audit trail 
after the fact in order to reconcile support to general ledger 
balances. There also was no consistent evidence of supervisory review 
of journal entries, including closing and adjusting journal entries 
made in connection with preparing quarterly and year-end financial 
statements. Another factor contributing to identified accounting issues 
was that comprehensive accounting policies and procedures for several 
major areas, including disgorgements and penalties, filing fees, 
exchange fees, and fixed asset capitalization, were still in draft or 
had not yet been developed. 

If properly designed and implemented, a financial statement preparation 
process with documented policies and procedures, support, and quality 
assurance reviews should reasonably assure SEC management that the 
balances presented in the financial statements and related disclosures 
are supported by SEC's underlying accounting records. The process 
should include certain components and provide a discipline that should 
greatly help SEC in preparing financial statements without having to go 
through heroic efforts as was done in fiscal year 2004. 

A fundamental problem leading to SEC's staff-intensive and time- 
consuming efforts to prepare financial statements is that SEC's general 
ledger and core financial management system are not set up to generate 
most data analysis user reports on a real-time basis. Users have to 
request reports that are generated on an ad hoc basis by a software 
application whose operations are known only to some SEC staff. Also, 
other management systems used at SEC, such as the case-tracking system 
used for disgorgements and penalties and the system used to track 
property, along with various spreadsheet applications, are not 
integrated with the core financial management system. Again, this means 
that such information is not readily available, and as we determined 
during the audit, necessitated significant manual processes to 
determine account balances. 

OMB Circular No. A-127, Financial Management Systems, requires that 
each agency establish and maintain a single integrated financial 
management system. A single integrated financial management system is a 
unified set of financial systems linked together electronically in an 
efficient and effective manner to provide agencywide financial system 
support. Integration means that the user is able to have one view into 
systems such that, at whatever level the individual is using the 
system, he or she can obtain needed information efficiently and 
effectively through electronic means. A single integrated financial 
management system does not necessarily mean having only one software 
application within each agency covering all financial management system 
needs or storing all information in the same database. Interfaces 
between systems are acceptable as long as the supporting detail to 
enable reconciliation between the systems is maintained and accessible 
to managers. Interface linkages should be electronic unless the number 
of transactions is so small that it is not cost beneficial to automate 
the interface. Reconciliations between systems, where interface 
linkages are appropriate, should be maintained to ensure data accuracy. 

To support its financial management functions, SEC relies on several 
different systems to process and track financial transactions that 
include filing fees paid by corporations and disgorgements and 
penalties assessed and collected from enforcement activities. In SEC's 
case, without an integrated financial management system to help ensure 
timely and reliable financial data, decision makers run the risk of 
delays in attaining relevant data or using inaccurate information 
inadvertently while at the same time dedicating scarce resources toward 
the basic collection of information. 

Recommendations for Executive Action: 

We recommend that the Chairman, SEC, take the following 13 actions to 
improve controls over financial statement preparation and reporting. 
The first 11 recommendations concern the minimum elements that should 
be included in policies and procedures covering the financial reporting 
process. The other 2 recommendations concern the leveraging of in-house 
resources for accounting advice and upgrading SEC's capacity to improve 
its financial reporting system. 

1. Develop written policies and procedures that provide sufficient 
guidance for the year-end closing of the general ledger as well as the 
preparation and analysis of quarterly and annual financial statements. 

2. Establish clearly defined roles and responsibilities for the staff 
involved in financial reporting and the preparation of interim and year-
end financial statements. 

3. Prepare a cross-walk between the financial statements and the source 
systems, general ledger accounts, and the various account queries and 
analyses that make up key balances in the financial statements. 

4. Maintain subsidiary records or ledgers for all significant accounts 
and disclosures so that the amounts presented in the financial 
statements and footnotes can be supported by the collective 
transactions making up the balances. 

5. Perform monthly reconciliations of subsidiary records and summary 
account balances. 

6. Consider a "formal closing" of all accounts at an interim date(s), 
which will reduce the level of accounting activity and analysis 
required at year-end. The formal closing entails ensuring that all 
transactions are recorded in the proper period through month's end. 

7. Collect common closing and adjusting entries in a formal listing, 
which is used in the general ledger closing process and in preparing 
financial statements. 

8. Require supervisory review for all entries posted to the general 
ledger and financial statements, including closing entries. A 
supervisor should review revisions to previously approved entries and 
revised financial statements and footnotes. All entries and reviews 
should be documented. 

9. Establish milestones for preparing and reviewing the financial 
statements by setting dates for critical phases such as closing the 
general ledger; preparing financial statements, footnotes, and the 
performance and accountability report; and performing specific quality 
control review procedures. 

10. Utilize established tools (i.e., checklists and implementation 
guides) available for assistance in compiling and reviewing financial 
statements. 

11. Maintain documentation supporting all information included in the 
financial statements and footnotes. This documentation should be more 
self-explanatory than what has been retained in the past. The 
documentation should be at a level of detail to enable a third party, 
such as an auditor, to use the documentation for substantiating 
reported data without extensive explanation or re-creation by the 
original preparer. 

12. Take advantage of in-house resources and expertise in establishing 
financial reporting policies, internal controls, and business 
practices, as well as in the review of financial statement and footnote 
presentation. 

13. Develop or acquire an integrated financial management system to 
provide timely and accurate recording of financial data for financial 
reporting and management decision making.

Agency Comments: 

In commenting on a draft of this report, SEC acknowledged the material 
weaknesses in internal control. SEC stated that our recommendations for 
resolving the material weakness related to disgorgements and penalties 
were consistent with the actions that it has planned, including 
completing a comprehensive review of files and data and strengthening 
and documenting policies and procedures for disgorgements and 
penalties. SEC anticipates that this weakness will be resolved in 
fiscal year 2006. Ultimately, SEC said it plans to undertake a 
multiyear project to replace the current case-tracking system with a 
system that is integrated with the accounting system in order to 
improve the timeliness and better ensure the accuracy of SEC's 
financial reporting for disgorgements and penalties. 

With regard to the material weakness related to controls over the 
preparation of financial statements, SEC stated that it intends to 
continue active and serious efforts to complete documentation of the 
procedures and management systems that were used to prepare its 
financial statements. To address this issue, SEC has increased its 
financial reporting staff; SEC financial management staff will continue 
to solicit advice from in-house experts; and management has confirmed, 
modified, or recommended for further review certain policies applied in 
preparing the fiscal year 2004 financial statements. SEC also plans to 
establish a formal senior management committee to provide for continued 
regular review and advice by key officials. 

The complete text of SEC's comments is included in enclosure I. 

This report contains recommendations to you. The head of a federal 
agency is required by 31 U.S.C. � 720 to submit a written statement to 
the Senate Committee on Homeland Security and Governmental Affairs and 
the House Committee on Government Reform of the actions taken on our 
recommendations no later than 60 days after the date of this report. A 
written statement also must be sent to the House and Senate Committees 
on Appropriations with agency's first request for appropriations made 
more than 60 days after the date of this report. 

This report is intended for use by management of SEC. We are sending 
copies of this report to the Chairmen and Ranking Members of the Senate 
Committee on Banking, Housing, and Urban Affairs; the Senate Committee 
on Homeland Security and Governmental Affairs; the House Committee on 
Financial Services; and the House Committee on Government Reform. We 
are also sending copies to the Secretary of the Treasury, the Director 
of the Office of Management and Budget, and other interested parties. 
In addition, this report will be available at no charge on GAO's Web 
site at http://www.gao.gov. 

We acknowledge and appreciate the cooperation and assistance provided 
by SEC management and staff during our audit of SEC's fiscal year 2004 
financial statements. If you have any questions about this report or 
need assistance in addressing these issues, please contact me at (202) 
512-9471 or at franzelj@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. 

Sincerely yours,

Signed by; 

Jeanette M. Franzel: 
Director: 
Financial Management and Assurance: 

Enclosures - 2: 

Enclosure 1: Comments from the Securities and Exchange Commission: 

UNITED STATES SECURITIES AND EXCHANGE COMMISSION: 
WASHINGTON. D.C. 20549: 

July 18, 2005: 

Ms. Jeanette M. Franzel: 
Director: 
Financial Management and Assurance: 
Government Accountability Office: 
441 G Street, NW: 
Washington, D.C. 20548: 

Dear Ms. Franzel: 

Thank you for the opportunity to review and comment on the Government 
Accountability Office's (GAO) draft report entitled "Material Internal 
Control Issues Reported in the SEC's Fiscal Year 2004 Financial 
Statement Audit Report." The report provides additional information and 
recommendations on two of the three material weakness identified in 
GAO's opinion on the fiscal 2004 financial audit, as well as in the 
Management's Discussion and Analysis section of the SEC's 2004 
Performance and Accountability Report. The two weaknesses are controls 
over recording and reporting on enforcement-related disgorgement and 
penalties and controls over financial statement preparation and 
reporting. GAO's recommendations on the third material weakness, 
information technology security, were included in a prior audit report. 
We appreciate the GAO's work in these two areas and we are pleased to 
offer the following general comments. In addition, our staffs have met 
to discuss the recommendations, at which time SEC staff provided 
additional verbal comments. 

The material weakness related to disgorgements and penalties arising 
from enforcement actions confirms findings reported over the past three 
years through the SEC's Federal Manager's Financial Integrity Act 
(FMFIA) program. The recommendations for resolving the issue are 
consistent with the planned actions that we reported to you in our 
response to the opinion on the financial audit. During FY 2005, SEC 
staff will complete a comprehensive review of files and data and will 
strengthen and document policies and procedures. It is anticipated that 
consistent application of strengthened internal controls and 
potentially some limited redesign of the program's existing financial 
information system component will be adequate to resolve the material 
weakness in FY 2006. However, replacement of the current system will 
provide more effective assurance and in FY 2006 the SEC will complete a 
requirements analysis as the first phase of the multi-year project to 
replace the system. The replacement system will be integrated with the 
accounting system to improve the timeliness and better ensure the 
accuracy of our financial reporting in this area. 

The report provides some detailed recommendations to resolve the 
material weakness related to controls over the preparation of financial 
statements. The SEC staff and the GAO audit team have met to discuss in 
detail the recommendations proposed as the minimum elements that should 
be included in policies and procedures. The SEC intends to continue 
active and serious efforts to complete documentation of the procedures 
and management systems that were used to prepare its first financial 
statements in fiscal 2004. As part of that process, the GAO 
recommendations will be implemented as described to the audit team. As 
indicated in the SEC's response to the audit opinion that GAO provided 
to the SEC in May, as part of the plan to resolve the material 
weakness, we have increased our financial reporting staff this fiscal 
year. Financial management staff will continue to solicit advice from 
staff experts within the SEC. Senior management reviewed the 2004 
statements and management processes supporting them; certain initial 
policies applied in the first year of financial reporting have been 
confirmed and others have been modified or recommended for further 
review. The agency will establish a formal senior management committee 
to provide for continued regular review and advice by key officials. 

Progress has been made in both of these areas and we believe that many 
of the audit adjustments and findings on which these two material 
weaknesses are premised will not recur as sound controls were 
implemented late in FY 2004 or in FY 2005. We remain committed to 
enhancing the financial and operational effectiveness of the SEC and 
resolving all three material weaknesses. We appreciate your support of 
these efforts and look forward to continuing our productive dialogue 
with the GAO on the issues addressed in the FY 2004 audit. 

If you have any questions relating to our response, please contact 
Margaret Carpenter, Associate Executive Director, Finance, at (202) 551-
7854. 

Sincerely,

Signed by: 

Margaret J. Carpenter: 
Associate Executive Director, Finance: 

Signed by: 
James M. McConnell: 
Executive Director: 

[End of section] 

Details on Audit Scope and Methodology: 

To fulfill our responsibilities as auditor of the financial statements 
of the Securities and Exchange Commission (SEC), we did the following: 

* examined, on a test basis, evidence supporting the amounts and 
disclosure in the financial statements;

* assessed the accounting principles used and significant estimates 
made by management;

* evaluated the overall presentation of the financial statements;

* obtained an understanding of internal controls related to financial 
reporting and compliance with laws and regulations;

* obtained an understanding of the recording, processing, and 
summarizing of performance measures as reported in Management's 
Discussion and Analysis;

* tested relevant internal controls over financial reporting and 
compliance, and evaluated the design and operating effectiveness of 
internal control;

* considered SEC's process for evaluating and reporting on internal 
control and financial management systems under the Federal Managers' 
Financial Integrity Act of 1982; and: 

* tested compliance with selected provisions of the following laws and 
regulations: the Securities Exchange Act of 1934, as amended; the 
Securities Act of 1933, as amended; the Anti-Deficiency Act; laws 
governing the pay and allowance system for SEC employees; and the 
Prompt Payment Act.

We performed our review from February 2004 through February 2005 in 
accordance with generally accepted government auditing standards. For a 
further explanation of our audit scope and methodology, see our 
financial audit report (GAO-05-244). 

(194497): 

FOOTNOTES

[1] GAO, Financial Audit: SEC's Fiscal Year 2004 Financial Statements, 
GAO-05-244 (Washington, D.C.: May 26, 2005). 

[2] A material weakness is a condition in which the design or operation 
of one or more of the internal control components does not reduce to a 
relatively low level the risk that errors, fraud, or noncompliance in 
amounts that would be material to the financial statements may occur 
and not be detected promptly by employees in the normal course of their 
duties. 

[3] A disgorgement is the repayment of illegally earned profits. 

[4] A penalty is a monetary sum that is to be paid by the registrant to 
SEC as a result of a security law violation. The monetary sum is 
usually based on amounts prescribed by statute or the amount of 
disgorgement. 

[5] GAO, Information Security: Securities and Exchange Commission Needs 
to Address Weak Controls over Financial and Sensitive Data, GAO-05-262 
(Washington, D.C.: Mar. 23, 2005). 

[6] A separate report to management on other issues identified during 
our audit that, although not material in relation to the financial 
statements, warrant management's consideration, will be issued shortly. 

[7] Fiduciary activities represent the moneys collected from federal 
securities law violators and maintained by SEC to be distributed to 
harmed investors. Custodial activities represent the moneys collected 
by SEC from violators of federal securities laws that are returned to 
the General Fund of the Treasury, as nonfederal individuals or entities 
do not have an ownership interest in these revenues. 

[8] Prior to August 2004, SEC's Division of Enforcement was responsible 
for entering disgorgement and penalty information, including financial 
information, into the case-tracking database. 

[9] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).